[webkit-changes] [265423] trunk/Source/JavaScriptCore

Mon, 10 Aug 2020 00:39:54 -0700

Title: [265423] trunk/Source/_javascript_Core
Revision
265423
Author
[email protected]
Date
2020-08-10 00:38:24 -0700 (Mon, 10 Aug 2020)

Log Message

[JSC] JSFinalObject::finishCreation's ASSERT has stale condition
https://bugs.webkit.org/show_bug.cgi?id=215317

Reviewed by Mark Lam.

JSFinalObject::finishCreation assumes that there is no out-of-line property storage (inline storage capacity == total storage capacity).
But this is wrong when passing Butterfly* parameter to JSFinalObject. Previously, this feature is not used and we instead used JSObject::createRawObject,
which bypasses this assertion. But now, we start using this when creating an object for MaterializeNewObject in DFG and FTL, and then we hit the crash
because this assertion does not consider about non-nullptr butterfly.

This patch makes create function explicit by introducing `JSFinalObject::createWithButterfly`, which is similar to JSArray::createWithButterfly.
And we fix the assertion by checking butterfly existence. By renaming JSFinalObject::create to JSFinalObject::createWithButterfly when getting butterfly,
this patch also clarifies that only MaterializeNewObject related functions, which were using JSObject::createRawObject to bypass this assertion, is passing
butterfly.

* dfg/DFGOperations.cpp:
* runtime/JSObject.h:
(JSC::JSFinalObject::createWithButterfly):
(JSC::JSFinalObject::create):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (265422 => 265423)


--- trunk/Source/_javascript_Core/ChangeLog	2020-08-10 05:12:35 UTC (rev 265422)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-08-10 07:38:24 UTC (rev 265423)
@@ -1,3 +1,25 @@
+2020-08-10  Yusuke Suzuki  <[email protected]>
+
+        [JSC] JSFinalObject::finishCreation's ASSERT has stale condition
+        https://bugs.webkit.org/show_bug.cgi?id=215317
+
+        Reviewed by Mark Lam.
+
+        JSFinalObject::finishCreation assumes that there is no out-of-line property storage (inline storage capacity == total storage capacity).
+        But this is wrong when passing Butterfly* parameter to JSFinalObject. Previously, this feature is not used and we instead used JSObject::createRawObject,
+        which bypasses this assertion. But now, we start using this when creating an object for MaterializeNewObject in DFG and FTL, and then we hit the crash
+        because this assertion does not consider about non-nullptr butterfly.
+
+        This patch makes create function explicit by introducing `JSFinalObject::createWithButterfly`, which is similar to JSArray::createWithButterfly.
+        And we fix the assertion by checking butterfly existence. By renaming JSFinalObject::create to JSFinalObject::createWithButterfly when getting butterfly,
+        this patch also clarifies that only MaterializeNewObject related functions, which were using JSObject::createRawObject to bypass this assertion, is passing
+        butterfly.
+
+        * dfg/DFGOperations.cpp:
+        * runtime/JSObject.h:
+        (JSC::JSFinalObject::createWithButterfly):
+        (JSC::JSFinalObject::create):
+
 2020-08-09  Commit Queue  <[email protected]>
 
         Unreviewed, reverting r265392.

Modified: trunk/Source/_javascript_Core/dfg/DFGOperations.cpp (265422 => 265423)


--- trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2020-08-10 05:12:35 UTC (rev 265422)
+++ trunk/Source/_javascript_Core/dfg/DFGOperations.cpp	2020-08-10 07:38:24 UTC (rev 265423)
@@ -2921,7 +2921,7 @@
 
     if (structure->type() == JSType::ArrayType)
         return bitwise_cast<char*>(JSArray::createWithButterfly(vm, nullptr, structure, butterfly));
-    return bitwise_cast<char*>(JSFinalObject::create(vm, structure, butterfly));
+    return bitwise_cast<char*>(JSFinalObject::createWithButterfly(vm, structure, butterfly));
 }
 
 JSCell* JIT_OPERATION operationNewObjectWithButterfly(VM* vmPointer, Structure* structure, Butterfly* butterfly)
@@ -2937,7 +2937,7 @@
     
     if (structure->type() == JSType::ArrayType)
         return JSArray::createWithButterfly(vm, nullptr, structure, butterfly);
-    return JSFinalObject::create(vm, structure, butterfly);
+    return JSFinalObject::createWithButterfly(vm, structure, butterfly);
 }
 
 JSCell* JIT_OPERATION operationNewObjectWithButterflyWithIndexingHeaderAndVectorLength(VM* vmPointer, Structure* structure, unsigned length, Butterfly* butterfly)
@@ -2959,7 +2959,7 @@
     
     if (structure->type() == JSType::ArrayType)
         return JSArray::createWithButterfly(vm, nullptr, structure, butterfly);
-    return JSFinalObject::create(vm, structure, butterfly);
+    return JSFinalObject::createWithButterfly(vm, structure, butterfly);
 }
 
 JSCell* JIT_OPERATION operationNewArrayWithSpreadSlow(JSGlobalObject* globalObject, void* buffer, uint32_t numItems)

Modified: trunk/Source/_javascript_Core/runtime/JSObject.h (265422 => 265423)


--- trunk/Source/_javascript_Core/runtime/JSObject.h	2020-08-10 05:12:35 UTC (rev 265422)
+++ trunk/Source/_javascript_Core/runtime/JSObject.h	2020-08-10 07:38:24 UTC (rev 265423)
@@ -1209,7 +1209,8 @@
         return (maxSize - allocationSize(0)) / sizeof(WriteBarrier<Unknown>);
     }
 
-    static JSFinalObject* create(VM&, Structure*, Butterfly* = nullptr);
+    static JSFinalObject* create(VM&, Structure*);
+    static JSFinalObject* createWithButterfly(VM&, Structure*, Butterfly*);
     static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, unsigned inlineCapacity)
     {
         return Structure::create(vm, globalObject, prototype, typeInfo(), info(), defaultIndexingType, inlineCapacity);
@@ -1224,7 +1225,7 @@
 
     void visitChildrenCommon(SlotVisitor&);
 
-    explicit JSFinalObject(VM& vm, Structure* structure, Butterfly* butterfly = nullptr)
+    explicit JSFinalObject(VM& vm, Structure* structure, Butterfly* butterfly)
         : JSObject(vm, structure, butterfly)
     {
         gcSafeZeroMemory(inlineStorageUnsafe(), structure->inlineCapacity() * sizeof(EncodedJSValue));
@@ -1233,7 +1234,7 @@
     void finishCreation(VM& vm)
     {
         Base::finishCreation(vm);
-        ASSERT(structure(vm)->totalStorageCapacity() == structure(vm)->inlineCapacity());
+        ASSERT(butterfly() || structure(vm)->totalStorageCapacity() == structure(vm)->inlineCapacity());
         ASSERT(classInfo(vm));
     }
 };
@@ -1240,10 +1241,10 @@
 
 JS_EXPORT_PRIVATE EncodedJSValue JSC_HOST_CALL objectPrivateFuncInstanceOf(JSGlobalObject*, CallFrame*);
 
-inline JSFinalObject* JSFinalObject::create(VM& vm, Structure* structure, Butterfly* butterfly)
+inline JSFinalObject* JSFinalObject::createWithButterfly(VM& vm, Structure* structure, Butterfly* butterfly)
 {
     JSFinalObject* finalObject = new (
-        NotNull, 
+        NotNull,
         allocateCell<JSFinalObject>(
             vm.heap,
             allocationSize(structure->inlineCapacity())
@@ -1253,6 +1254,11 @@
     return finalObject;
 }
 
+inline JSFinalObject* JSFinalObject::create(VM& vm, Structure* structure)
+{
+    return createWithButterfly(vm, structure, nullptr);
+}
+
 inline size_t JSObject::offsetOfInlineStorage()
 {
     return sizeof(JSObject);

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to