Title: [255416] trunk
Revision: 255416
Author: mark....@apple.com
Date: 2020-01-29 21:51:43 -0800 (Wed, 29 Jan 2020)

Log Message

Fix bad assertion in InternalFunctionAllocationProfile::createAllocationStructureFromBase().
https://bugs.webkit.org/show_bug.cgi?id=206981
<rdar://problem/58985736>

Reviewed by Keith Miller.

JSTests:

* stress/InternalFunctionAllocationProfile-createAllocationStructureFromBase-should-allow-for-same-classInfo-from-different-globals.js: Added.

Source/_javascript_Core:

InternalFunctionAllocationProfile::createAllocationStructureFromBase() is only
called from FunctionRareData::createInternalFunctionAllocationStructureFromBase(),
which in turn is only called from InternalFunction::createSubclassStructureSlow().

InternalFunction::createSubclassStructureSlow() only allows a call to
FunctionRareData::createInternalFunctionAllocationStructureFromBase() under
certain conditions.  One of these conditions is that the baseGlobalObject is
different than the newTarget's globalObject.

InternalFunctionAllocationProfile::createAllocationStructureFromBase() has an
ASSERT on the same set of conditions, with one omission: the one above.  This
patch fixes the ASSERT by adding the missing condition to match the check in
InternalFunction::createSubclassStructureSlow().

* bytecode/InternalFunctionAllocationProfile.h:
(JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):

Diff

Modified: trunk/JSTests/ChangeLog (255415 => 255416)


--- trunk/JSTests/ChangeLog	2020-01-30 04:47:38 UTC (rev 255415)
+++ trunk/JSTests/ChangeLog	2020-01-30 05:51:43 UTC (rev 255416)
@@ -1,3 +1,13 @@
+2020-01-29  Mark Lam  <mark....@apple.com>
+
+        Fix bad assertion in InternalFunctionAllocationProfile::createAllocationStructureFromBase().
+        https://bugs.webkit.org/show_bug.cgi?id=206981
+        <rdar://problem/58985736>
+
+        Reviewed by Keith Miller.
+
+        * stress/InternalFunctionAllocationProfile-createAllocationStructureFromBase-should-allow-for-same-classInfo-from-different-globals.js: Added.
+
 2020-01-29  Yusuke Suzuki  <ysuz...@apple.com>
 
         Unreviewed, update tests

Added: trunk/JSTests/stress/InternalFunctionAllocationProfile-createAllocationStructureFromBase-should-allow-for-same-classInfo-from-different-globals.js (0 => 255416)


--- trunk/JSTests/stress/InternalFunctionAllocationProfile-createAllocationStructureFromBase-should-allow-for-same-classInfo-from-different-globals.js	                        (rev 0)
+++ trunk/JSTests/stress/InternalFunctionAllocationProfile-createAllocationStructureFromBase-should-allow-for-same-classInfo-from-different-globals.js	2020-01-30 05:51:43 UTC (rev 255416)
@@ -0,0 +1,6 @@
+global1 = createGlobalObject();
+global2 = createGlobalObject();
+
+function bar() {}
+Reflect.construct(global1.Object, {}, bar);
+Reflect.construct(global2.Object, {}, bar);
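Review bot: the test has no comment stating what it is checking, so a reader cannot tell that the second Reflect.construct is the interesting call. Both constructions use the same newTarget (bar) and constructors with the same classInfo (Object) but from different global objects, which is exactly the classInfo-equal, globalObject-different combination the old ASSERT rejected; a one-line comment saying so, and noting that the failure mode is a debug-build assertion crash rather than a wrong value, would make the regression test self-explanatory. It also silently depends on the jsc shell helper createGlobalObject(), which is fine for a stress test but worth mentioning in that comment.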

Modified: trunk/Source/_javascript_Core/ChangeLog (255415 => 255416)


--- trunk/Source/_javascript_Core/ChangeLog	2020-01-30 04:47:38 UTC (rev 255415)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-01-30 05:51:43 UTC (rev 255416)
@@ -1,3 +1,28 @@
+2020-01-29  Mark Lam  <mark....@apple.com>
+
+        Fix bad assertion in InternalFunctionAllocationProfile::createAllocationStructureFromBase().
+        https://bugs.webkit.org/show_bug.cgi?id=206981
+        <rdar://problem/58985736>
+
+        Reviewed by Keith Miller.
+
+        InternalFunctionAllocationProfile::createAllocationStructureFromBase() is only
+        called from FunctionRareData::createInternalFunctionAllocationStructureFromBase(),
+        which in turn is only called from InternalFunction::createSubclassStructureSlow().
+
+        InternalFunction::createSubclassStructureSlow() only allows a call to
+        FunctionRareData::createInternalFunctionAllocationStructureFromBase() under
+        certain conditions.  One of these conditions is that the baseGlobalObject is
+        different than the newTarget's globalObject.
+
+        InternalFunctionAllocationProfile::createAllocationStructureFromBase() has an
+        ASSERT on the same set of conditions, with one ommission: the one above.  This
+        patch fixes the ASSERT by adding the missing condition to match the check in
+        InternalFunction::createSubclassStructureSlow().
+
+        * bytecode/InternalFunctionAllocationProfile.h:
+        (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
+
 2020-01-29  Robin Morisset  <rmoris...@apple.com>
 
         Remove Options::enableSpectreMitigations
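Review bot: typo in the added ChangeLog entry, "with one ommission" should read "with one omission". Since the same paragraph is reused as the commit message, fix both.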

Modified: trunk/Source/_javascript_Core/bytecode/InternalFunctionAllocationProfile.h (255415 => 255416)


--- trunk/Source/_javascript_Core/bytecode/InternalFunctionAllocationProfile.h	2020-01-30 04:47:38 UTC (rev 255415)
+++ trunk/Source/_javascript_Core/bytecode/InternalFunctionAllocationProfile.h	2020-01-30 05:51:43 UTC (rev 255416)
@@ -47,7 +47,7 @@
 
 inline Structure* InternalFunctionAllocationProfile::createAllocationStructureFromBase(VM& vm, JSGlobalObject* baseGlobalObject, JSCell* owner, JSObject* prototype, Structure* baseStructure)
 {
-    ASSERT(!m_structure || m_structure.get()->classInfo() != baseStructure->classInfo());
+    ASSERT(!m_structure || m_structure.get()->classInfo() != baseStructure->classInfo() || m_structure->globalObject() != baseGlobalObject);
     ASSERT(baseStructure->hasMonoProto());
 
     Structure* structure;
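Review bot: the new disjunct compares m_structure->globalObject() against baseGlobalObject, while the commit message describes the caller's guard in terms of the newTarget's globalObject being different from baseGlobalObject. These are only equivalent if the cached m_structure always carries the global object of the newTarget it was created for; a brief comment above the ASSERT stating that invariant would make it clear the assertion really mirrors InternalFunction::createSubclassStructureSlow() rather than a weaker condition. Minor style point on the same line: it mixes m_structure.get()->classInfo() and m_structure->globalObject(); pick one form for both dereferences.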