Title: [236170] releases/WebKitGTK/webkit-2.22
- Revision: 236170
- Author: [email protected]
- Date: 2018-09-19 05:33:30 -0700 (Wed, 19 Sep 2018)
Log Message
Merge r235715 - JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
https://bugs.webkit.org/show_bug.cgi?id=189124
<rdar://problem/43863605>
Reviewed by Filip Pizlo.
JSTests:
* stress/regress-189124.js: Added.
Source/JavaScriptCore:
It is assumed that the Structure for the m_cachedStructureID will remain alive
while the m_cachedStructureID is in use. This prevents the structureID from being
re-used for a different Structure.
* runtime/JSPropertyNameEnumerator.cpp:
(JSC::JSPropertyNameEnumerator::visitChildren):
Diff
Modified: releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog (236169 => 236170)
--- releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog 2018-09-19 12:33:25 UTC (rev 236169)
+++ releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog 2018-09-19 12:33:30 UTC (rev 236170)
@@ -1,3 +1,13 @@
+2018-09-05 Mark Lam <[email protected]>
+
+ JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
+ https://bugs.webkit.org/show_bug.cgi?id=189124
+ <rdar://problem/43863605>
+
+ Reviewed by Filip Pizlo.
+
+ * stress/regress-189124.js: Added.
+
2018-09-05 Ross Kirsling <[email protected]>
[ESNext] Symbol.prototype.description
Added: releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-189124.js (0 => 236170)
--- releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-189124.js (rev 0)
+++ releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-189124.js 2018-09-19 12:33:30 UTC (rev 236170)
@@ -0,0 +1,31 @@
+//@ runDefault("--jitPolicyScale=0")
+
+function makeTmp() {
+ let tmp = {a: 1};
+ gc();
+ tmp.__proto__ = {};
+ return tmp;
+}
+
+function foo(tmp, obj) {
+ for (let k in tmp) {
+ tmp.__proto__ = {};
+ gc();
+ obj.__proto__ = {};
+
+ var result = obj[k];
+ return result;
+ }
+}
+
+foo(makeTmp(), {});
+
+let memory = new Uint32Array(100);
+memory[0] = 0x1234;
+
+let fooResult = foo(makeTmp(), memory);
+var result = $vm.value(fooResult);
+
+if (result != "Undefined")
+ throw "FAIL";
+
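Review bot: The final check in regress-189124.js, `if (result != "Undefined") throw "FAIL";`, gives no hint of what was observed on failure, and nothing in the file says why "Undefined" is the expected outcome of `obj[k]` after the `gc()` calls and `__proto__` reassignments in foo(). Please add a short header comment tying the test to the m_cachedStructureID invariant described in the ChangeLog, include the observed value in the thrown message, and use `!==` for the comparison. `var result` is also declared both inside foo() and at top level; renaming one of them would make the test easier to read.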
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (236169 => 236170)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2018-09-19 12:33:25 UTC (rev 236169)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2018-09-19 12:33:30 UTC (rev 236170)
@@ -1,3 +1,18 @@
+2018-09-05 Mark Lam <[email protected]>
+
+ JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.
+ https://bugs.webkit.org/show_bug.cgi?id=189124
+ <rdar://problem/43863605>
+
+ Reviewed by Filip Pizlo.
+
+ It is assumed that the Structure for the m_cachedStructureID will remain alive
+ while the m_cachedStructureID is in use. This prevents the structureID from being
+ re-used for a different Structure.
+
+ * runtime/JSPropertyNameEnumerator.cpp:
+ (JSC::JSPropertyNameEnumerator::visitChildren):
+
2018-09-05 Ross Kirsling <[email protected]>
[ESNext] Symbol.prototype.description
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.cpp (236169 => 236170)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.cpp 2018-09-19 12:33:25 UTC (rev 236169)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/JSPropertyNameEnumerator.cpp 2018-09-19 12:33:30 UTC (rev 236170)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -93,6 +93,9 @@
for (auto& propertyName : thisObject->m_propertyNames)
visitor.append(propertyName);
visitor.append(thisObject->m_prototypeChain);
+
+ VM& vm = visitor.vm();
+ visitor.appendUnbarriered(vm.getStructure(thisObject->cachedStructureID()));
}
} // namespace JSC
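Review bot: The added `vm.getStructure(thisObject->cachedStructureID())` call in visitChildren() runs unconditionally, so it needs either a guard or a stated guarantee for an enumerator whose cached structure ID has not been set. Please confirm getStructure() is safe for that case, or wrap the two added lines in `if (thisObject->cachedStructureID())`. A one-line comment here repeating the ChangeLog's reason (the Structure must stay alive so its ID is not re-used) would also explain why this line uses appendUnbarriered() on a looked-up value while the lines above it use append() on members.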