Modified: trunk/JSTests/ChangeLog (243031 => 243032)
--- trunk/JSTests/ChangeLog 2019-03-16 03:14:52 UTC (rev 243031)
+++ trunk/JSTests/ChangeLog 2019-03-16 04:44:57 UTC (rev 243032)
@@ -1,3 +1,13 @@
+2019-03-15 Mark Lam <mark....@apple.com>
+
+ Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
+ https://bugs.webkit.org/show_bug.cgi?id=195827
+ <rdar://problem/48845513>
+
+ Reviewed by Filip Pizlo.
+
+ * stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js: Added.
+
2019-03-15 Dominik Infuehr <dinfu...@igalia.com>
[ARM,MIPS] Skip slow tests
Added: trunk/JSTests/stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js (0 => 243032)
--- trunk/JSTests/stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js (rev 0)
+++ trunk/JSTests/stress/check-object-property-condition-liveness-before-accessing-it-when-watchpoints-fire.js 2019-03-16 04:44:57 UTC (rev 243032)
@@ -0,0 +1,30 @@
+//@ requireOptions("--forceEagerCompilation=true")
+
+// This test should not crash.
+
+let a;
+
+function bar() {
+ a / 1;
+ a = null;
+}
+
+function foo(s) {
+ try {
+ eval(s);
+ } catch (e) {
+ gc();
+ bar();
+ '' + e + 0;
+ }
+}
+
+foo('zz');
+foo('class A { y() {} }; a=new A; zz');
+foo('class C { y() {} }; gc();');
+
+class A {
+ y() {}
+}
+
+A.prototype.z = 0
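Review bot: The header comment `// This test should not crash.` does not say which bug the file regresses or why the sequence `eval` → `catch` → `gc()` → `bar()` matters, so a future reader cannot tell whether a change to the test still covers the same path. Suggest extending it to `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=195827: a watchpoint must not touch its ObjectPropertyCondition's m_object after gc() has collected it.`, keeping the bug id the ChangeLog already cites. It also seems worth noting in that comment that `gc()` is a shell-provided builtin, since the test silently depends on it rather than on a JS-visible assertion.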
Modified: trunk/Source/_javascript_Core/ChangeLog (243031 => 243032)
--- trunk/Source/_javascript_Core/ChangeLog 2019-03-16 03:14:52 UTC (rev 243031)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-03-16 04:44:57 UTC (rev 243032)
@@ -1,3 +1,26 @@
+2019-03-15 Mark Lam <mark....@apple.com>
+
+ Need to check ObjectPropertyCondition liveness before accessing it when firing watchpoints.
+ https://bugs.webkit.org/show_bug.cgi?id=195827
+ <rdar://problem/48845513>
+
+ Reviewed by Filip Pizlo.
+
+ m_object in ObjectPropertyCondition may no longer be live by the time the watchpoint fires.
+
+ * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
+ (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
+ * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
+ (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
+ * bytecode/ObjectPropertyCondition.cpp:
+ (JSC::ObjectPropertyCondition::dumpInContext const):
+ * bytecode/StructureStubClearingWatchpoint.cpp:
+ (JSC::StructureStubClearingWatchpoint::fireInternal):
+ * dfg/DFGAdaptiveStructureWatchpoint.cpp:
+ (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
+ * runtime/StructureRareData.cpp:
+ (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
+
2019-03-15 Yusuke Suzuki <ysuz...@apple.com>
[JSC] Make more properties lazily-allocated in JSGlobalObject, including properties only used in JIT mode
Modified: trunk/Source/_javascript_Core/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp (243031 => 243032)
--- trunk/Source/_javascript_Core/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp 2019-03-16 03:14:52 UTC (rev 243031)
+++ trunk/Source/_javascript_Core/bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp 2019-03-16 04:44:57 UTC (rev 243032)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -62,7 +62,9 @@
if (!isValid())
return;
- if (m_key.isWatchable(PropertyCondition::EnsureWatchability)) {
+ // FIXME: The m_key.isStillLive() check should not be needed if this watchpoint was removed
+ // when m_key's m_object died. https://bugs.webkit.org/show_bug.cgi?id=195829
+ if (m_key.isStillLive() && m_key.isWatchable(PropertyCondition::EnsureWatchability)) {
install(vm);
return;
}
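Review bot: The new guard `m_key.isStillLive() && m_key.isWatchable(PropertyCondition::EnsureWatchability)` and its two-line FIXME are repeated verbatim here and in LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal, DFG::AdaptiveStructureWatchpoint::fireInternal and ObjectToStringAdaptiveStructureWatchpoint::fireInternal in this same commit, with StructureStubClearingWatchpoint::fireInternal carrying the negated form. Folding the liveness-then-watchability test into one predicate on ObjectPropertyCondition, and placing the FIXME and bug 195829 reference there once, would keep the five fire paths from drifting when the underlying fix lands. The enclosing fire() starts before this hunk, so the fall-through path after the `if` is not visible here.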
Modified: trunk/Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp (243031 => 243032)
--- trunk/Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp 2019-03-16 03:14:52 UTC (rev 243031)
+++ trunk/Source/_javascript_Core/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp 2019-03-16 04:44:57 UTC (rev 243032)
@@ -49,7 +49,9 @@
void LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal(VM& vm, const FireDetail&)
{
- if (m_key.isWatchable(PropertyCondition::EnsureWatchability)) {
+ // FIXME: The m_key.isStillLive() check should not be needed if this watchpoint was removed
+ // when m_key's m_object died. https://bugs.webkit.org/show_bug.cgi?id=195829
+ if (m_key.isStillLive() && m_key.isWatchable(PropertyCondition::EnsureWatchability)) {
install(vm);
return;
}
Modified: trunk/Source/_javascript_Core/bytecode/ObjectPropertyCondition.cpp (243031 => 243032)
--- trunk/Source/_javascript_Core/bytecode/ObjectPropertyCondition.cpp 2019-03-16 03:14:52 UTC (rev 243031)
+++ trunk/Source/_javascript_Core/bytecode/ObjectPropertyCondition.cpp 2019-03-16 04:44:57 UTC (rev 243032)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -37,7 +37,14 @@
out.print("<invalid>");
return;
}
-
+
+ // FIXME: The m_key.isStillLive() check should not be needed if the watchpoint using this
+ // condition was removed when m_object died. https://bugs.webkit.org/show_bug.cgi?id=195829
+ if (!isStillLive()) {
+ out.print("<not live>");
+ return;
+ }
+
out.print("<", inContext(JSValue(m_object), context), ": ", inContext(m_condition, context), ">");
}
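Review bot: The FIXME on the added lines refers to `m_key.isStillLive()`, but this is ObjectPropertyCondition::dumpInContext and the check it guards is the member's own `isStillLive()`; there is no `m_key` in this function. Suggest `// FIXME: The isStillLive() check should not be needed if the watchpoint using this` so the comment matches the code it annotates. dumpInContext's opening (and the `<invalid>` early return it is paired with) begins before this hunk.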
Modified: trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoint.cpp (243031 => 243032)
--- trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoint.cpp 2019-03-16 03:14:52 UTC (rev 243031)
+++ trunk/Source/_javascript_Core/bytecode/StructureStubClearingWatchpoint.cpp 2019-03-16 04:44:57 UTC (rev 243032)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012, 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -36,7 +36,9 @@
void StructureStubClearingWatchpoint::fireInternal(VM& vm, const FireDetail&)
{
- if (!m_key || !m_key.isWatchable(PropertyCondition::EnsureWatchability)) {
+ // FIXME: The m_key.isStillLive() check should not be needed if this watchpoint was removed
+ // when m_key's m_object died. https://bugs.webkit.org/show_bug.cgi?id=195829
+ if (!m_key.isStillLive() || !m_key.isWatchable(PropertyCondition::EnsureWatchability)) {
// This will implicitly cause my own demise: stub reset removes all watchpoints.
// That works, because deleting a watchpoint removes it from the set's list, and
// the set's list traversal for firing is robust against the set changing.
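Review bot: The old condition `!m_key || !m_key.isWatchable(...)` guarded against an empty m_key before calling into it, and the new line `if (!m_key.isStillLive() || !m_key.isWatchable(PropertyCondition::EnsureWatchability))` drops that `!m_key` test. This is only safe if `isStillLive()` itself treats an empty condition as not live (or as live but unwatchable) rather than dereferencing m_object; the other four fire paths in this commit never had a null-key guard, so this file is the one where behaviour for an empty key actually changes. If `isStillLive()` does not handle the empty case, keeping `!m_key ||` as the first operand preserves the previous contract at no cost. The enclosing fireInternal continues past this hunk.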
Modified: trunk/Source/_javascript_Core/dfg/DFGAdaptiveStructureWatchpoint.cpp (243031 => 243032)
--- trunk/Source/_javascript_Core/dfg/DFGAdaptiveStructureWatchpoint.cpp 2019-03-16 03:14:52 UTC (rev 243031)
+++ trunk/Source/_javascript_Core/dfg/DFGAdaptiveStructureWatchpoint.cpp 2019-03-16 04:44:57 UTC (rev 243032)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -52,7 +52,9 @@
void AdaptiveStructureWatchpoint::fireInternal(VM& vm, const FireDetail& detail)
{
- if (m_key.isWatchable(PropertyCondition::EnsureWatchability)) {
+ // FIXME: The m_key.isStillLive() check should not be needed if this watchpoint was removed
+ // when m_key's m_object died. https://bugs.webkit.org/show_bug.cgi?id=195829
+ if (m_key.isStillLive() && m_key.isWatchable(PropertyCondition::EnsureWatchability)) {
install(vm);
return;
}
Modified: trunk/Source/_javascript_Core/runtime/StructureRareData.cpp (243031 => 243032)
--- trunk/Source/_javascript_Core/runtime/StructureRareData.cpp 2019-03-16 03:14:52 UTC (rev 243031)
+++ trunk/Source/_javascript_Core/runtime/StructureRareData.cpp 2019-03-16 04:44:57 UTC (rev 243032)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2013-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -191,7 +191,9 @@
if (!m_structureRareData->isLive())
return;
- if (m_key.isWatchable(PropertyCondition::EnsureWatchability)) {
+ // FIXME: The m_key.isStillLive() check should not be needed if this watchpoint was removed
+ // when m_key's m_object died. https://bugs.webkit.org/show_bug.cgi?id=195829
+ if (m_key.isStillLive() && m_key.isWatchable(PropertyCondition::EnsureWatchability)) {
install(vm);
return;
}