Title: [285123] trunk
- Revision
- 285123
- Author
- [email protected]
- Date
- 2021-11-01 13:10:24 -0700 (Mon, 01 Nov 2021)
Log Message
ArrayBuffer species watchpoint being invalidated doesn't mean it's not an ArrayBuffer constructor from the same global object
https://bugs.webkit.org/show_bug.cgi?id=231322
<rdar://problem/84212078>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/array-buffer-species-watchpoint-should-not-dictate-if-constructor-is-correct.js: Added.
(main.async v23):
(main):
Source/_javascript_Core:
We were relying on the watchpoint to tell us if the Array species watchpoint
for 'constructor' is set to the right value. However, the watchpoint being
fired doesn't guarantee that it won't be the right value. For example, we
might not be able to install the watchpoint because the replacement watchpoint
may already be fired.
* runtime/JSArrayBufferPrototype.cpp:
(JSC::arrayBufferSpeciesConstructorSlow):
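The point of the commit message above is that an invalidation signal is not a value check: the watchpoint fires on any write to `constructor`, including one that stores the same value, and it may never have been installed at all, so the slow path has to test the constructor's identity itself. The following model illustrates that in plain JavaScript; it is an added example, not WebKit code or the project's test. The realm objects, the accessor-based "watchpoint" and the `realm` property on constructors (standing in for `constructorObject->globalObject()`) are constructions of mine; only the two predicates `slowPathBefore` and `slowPathAfter` mirror the removed and added conditions in the diff, with `null` standing for `std::nullopt`.

```javascript
// Added example (not WebKit code): models the ArrayBuffer species lookup and the
// watchpoint shortcut described in the commit message. Realm, watchpoint and the
// `realm` property on constructors are constructed stand-ins for the engine's
// global objects; the two slow-path predicates mirror the diff's conditions.

// A stand-in for a JS global object: each realm owns its own ArrayBuffer-like
// constructor and prototype, as two globals do in the engine.
function makeRealm(name) {
  function ArrayBufferCtor() {}
  // The default @@species getter returns `this`; modelled as a data property.
  ArrayBufferCtor[Symbol.species] = ArrayBufferCtor;
  const proto = { constructor: ArrayBufferCtor };
  ArrayBufferCtor.prototype = proto;
  const realm = { name, ArrayBuffer: ArrayBufferCtor, proto };
  ArrayBufferCtor.realm = realm; // stands in for constructorObject->globalObject()
  return realm;
}

// A watchpoint on `prototype.constructor`: it fires on *any* write, including a
// write that stores the value already there. Firing means "stop assuming";
// it says nothing about what the new value is.
function installWatchpoint(realm) {
  const wp = { fired: false };
  let value = realm.proto.constructor;
  Object.defineProperty(realm.proto, 'constructor', {
    get() { return value; },
    set(v) { wp.fired = true; value = v; },
    configurable: true,
    enumerable: false,
  });
  return wp;
}

// SpeciesConstructor(O, defaultConstructor) from the ECMAScript spec, simplified.
function speciesConstructor(obj, defaultCtor) {
  const C = obj.constructor;
  if (C === undefined) return defaultCtor;
  if (C === null || (typeof C !== 'object' && typeof C !== 'function')) {
    throw new TypeError('constructor is not an Object');
  }
  const S = C[Symbol.species];
  if (S === undefined || S === null) return defaultCtor;
  if (typeof S === 'function') return S;
  throw new TypeError('@@species is not a constructor');
}

// Slow path before the fix (the removed lines): only an ArrayBuffer constructor
// from *another* realm lets the engine fall back to its own default.
function slowPathBefore(ctor, currentRealm) {
  const ctorRealm = ctor.realm;
  const fromAnotherRealm = currentRealm !== ctorRealm && ctor === ctorRealm.ArrayBuffer;
  return fromAnotherRealm ? null : ctor;
}

// Slow path after the fix (the added lines): any realm's ArrayBuffer constructor,
// the current realm's included, falls back to the default.
function slowPathAfter(ctor, currentRealm) {
  void currentRealm; // the realm comparison is gone
  return ctor === ctor.realm.ArrayBuffer ? null : ctor;
}

// Walks through the situations the commit message and the regression test cover.
function scenario() {
  const realmA = makeRealm('A');
  const realmB = makeRealm('B');
  const wp = installWatchpoint(realmA);
  const buffer = Object.create(realmA.proto); // an ArrayBuffer-like object of realm A
  const results = {};

  // 1. Untouched prototype: watchpoint valid, the fast path may assume the default.
  results.fastPathValid = !wp.fired &&
    speciesConstructor(buffer, realmA.ArrayBuffer) === realmA.ArrayBuffer;

  // 2. What the regression test does: store the same constructor again. The
  //    watchpoint fires, yet the species lookup still yields realm A's default.
  realmA.proto.constructor = realmA.ArrayBuffer;
  results.firedOnSameValueWrite = wp.fired;
  const c = speciesConstructor(buffer, realmA.ArrayBuffer);
  results.speciesStillDefault = c === realmA.ArrayBuffer;
  results.beforeFix = slowPathBefore(c, realmA); // realm A's ctor, treated as "not the default"
  results.afterFix = slowPathAfter(c, realmA);   // null: use the default

  // 3. Another realm's ArrayBuffer: both versions already fell back to the default.
  realmA.proto.constructor = realmB.ArrayBuffer;
  const cross = speciesConstructor(buffer, realmA.ArrayBuffer);
  results.crossRealmBefore = slowPathBefore(cross, realmA);
  results.crossRealmAfter = slowPathAfter(cross, realmA);

  // 4. A genuine user-supplied constructor must survive both versions untouched.
  function Custom() {}
  Custom[Symbol.species] = Custom;
  Custom.realm = realmA;
  realmA.proto.constructor = Custom;
  const custom = speciesConstructor(buffer, realmA.ArrayBuffer);
  results.customBefore = slowPathBefore(custom, realmA);
  results.customAfter = slowPathAfter(custom, realmA);
  return results;
}
```

Calling `scenario()` shows the mismatch the fix removes: after the same-value write the watchpoint reports "fired", `speciesConstructor` still returns realm A's own constructor, and only the fixed predicate maps that back to "use the default"; the cross-realm and user-constructor cases behave the same before and after, which is why the diff can drop the realm comparison without changing observable semantics.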
Diff
Modified: trunk/JSTests/ChangeLog (285122 => 285123)
--- trunk/JSTests/ChangeLog 2021-11-01 20:08:01 UTC (rev 285122)
+++ trunk/JSTests/ChangeLog 2021-11-01 20:10:24 UTC (rev 285123)
@@ -1,3 +1,15 @@
+2021-11-01 Saam Barati <[email protected]>
+
+ ArrayBuffer species watchpoint being invalidated doesn't mean it's not an ArrayBuffer constructor from the same global object
+ https://bugs.webkit.org/show_bug.cgi?id=231322
+ <rdar://problem/84212078>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/array-buffer-species-watchpoint-should-not-dictate-if-constructor-is-correct.js: Added.
+ (main.async v23):
+ (main):
+
2021-11-01 Robin Morisset <[email protected]>
JSGenericTypedArrayView<Adaptor>::set crashes if the length + objectOffset is > UINT32_MAX
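Review bot: the two function entries `(main.async v23):` and `(main):` carry no description; a one-line note under the `stress/...js: Added.` entry saying that the test reassigns `ArrayBuffer.prototype.constructor` to the same realm's `ArrayBuffer` and then constructs typed arrays would tell a reader what the test is for without opening it.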
Added: trunk/JSTests/stress/array-buffer-species-watchpoint-should-not-dictate-if-constructor-is-correct.js (0 => 285123)
--- trunk/JSTests/stress/array-buffer-species-watchpoint-should-not-dictate-if-constructor-is-correct.js (rev 0)
+++ trunk/JSTests/stress/array-buffer-species-watchpoint-should-not-dictate-if-constructor-is-correct.js 2021-11-01 20:10:24 UTC (rev 285123)
@@ -0,0 +1,16 @@
+//@ runDefault("--useConcurrentJIT=false", "--useConcurrentGC=false", "--thresholdForJITSoon=10", "--thresholdForJITAfterWarmUp=10", "--thresholdForOptimizeAfterWarmUp=100", "--thresholdForOptimizeAfterLongWarmUp=100", "--thresholdForOptimizeSoon=100", "--thresholdForFTLOptimizeAfterWarmUp=1000", "--thresholdForFTLOptimizeSoon=1000", "--validateBCE=true", "--useConcurrentJIT=0", "--dumpFTLDisassembly=0", "--useFTLJIT=0")
+
+function main() {
+ async function v23(v24) {
+ for (let v30 = 0; v30 < 60000; v30++) { }
+ ArrayBuffer.prototype.constructor = ArrayBuffer;
+ }
+
+ const v22 = [0, 0, 0];
+ const v35 = v22.filter(v23);
+
+ const v37 = [0, 0, 0]
+ const v42 = new Uint8ClampedArray(v37);
+ const v43 = new Uint32Array(v42);
+}
+main();
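Review bot: `const v37 = [0, 0, 0]` is missing its terminating semicolon, unlike the surrounding lines, and the `//@ runDefault(...)` line passes `--useConcurrentJIT` twice (`=false` and later `=0`), so one of the two can go. Since this is a crash test with no assertion, a short comment stating that the same-value write to `ArrayBuffer.prototype.constructor` inside `v23` is meant to fire the species watchpoint without changing the constructor, and that the typed-array constructions that follow are expected to reach `JSC::arrayBufferSpeciesConstructorSlow` and complete without crashing, would make the intent clear; `v35` and `v43` being unused is fine for a fuzzer-derived test.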
Modified: trunk/Source/_javascript_Core/ChangeLog (285122 => 285123)
--- trunk/Source/_javascript_Core/ChangeLog 2021-11-01 20:08:01 UTC (rev 285122)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-11-01 20:10:24 UTC (rev 285123)
@@ -1,3 +1,20 @@
+2021-11-01 Saam Barati <[email protected]>
+
+ ArrayBuffer species watchpoint being invalidated doesn't mean it's not an ArrayBuffer constructor from the same global object
+ https://bugs.webkit.org/show_bug.cgi?id=231322
+ <rdar://problem/84212078>
+
+ Reviewed by Yusuke Suzuki.
+
+ We were relying on the watchpoint to tell us if the Array species watchpoint
+ for 'constructor' is set to the right value. However, the watchpoint being
+ fired doesn't guarantee that it won't be the right value. For example, we
+ might not be able to install the watchpoint because the replacement watchpoint
+ may already be fired.
+
+ * runtime/JSArrayBufferPrototype.cpp:
+ (JSC::arrayBufferSpeciesConstructorSlow):
+
2021-11-01 Robin Morisset <[email protected]>
JSGenericTypedArrayView<Adaptor>::set crashes if the length + objectOffset is > UINT32_MAX
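Review bot: the description says "the Array species watchpoint for 'constructor'" while the function touched is `JSC::arrayBufferSpeciesConstructorSlow`, i.e. the ArrayBuffer species path; suggest naming the ArrayBuffer watchpoint here. It would also help to state the new behaviour in one line: the slow path now returns std::nullopt for any realm's ArrayBuffer constructor, the current realm's included, rather than only for one from another realm.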
Modified: trunk/Source/_javascript_Core/runtime/JSArrayBufferPrototype.cpp (285122 => 285123)
--- trunk/Source/_javascript_Core/runtime/JSArrayBufferPrototype.cpp 2021-11-01 20:08:01 UTC (rev 285122)
+++ trunk/Source/_javascript_Core/runtime/JSArrayBufferPrototype.cpp 2021-11-01 20:10:24 UTC (rev 285123)
@@ -52,9 +52,8 @@
if (constructor.isConstructor(vm)) {
JSObject* constructorObject = jsCast<JSObject*>(constructor);
JSGlobalObject* globalObjectFromConstructor = constructorObject->globalObject(vm);
- bool isArrayBufferConstructorFromAnotherRealm = globalObject != globalObjectFromConstructor
- && constructorObject == globalObjectFromConstructor->arrayBufferConstructor(mode);
- if (isArrayBufferConstructorFromAnotherRealm)
+ bool isAnyArrayBufferConstructor = constructorObject == globalObjectFromConstructor->arrayBufferConstructor(mode);
+ if (isAnyArrayBufferConstructor)
return std::nullopt;
}
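Review bot: the new check drops the `globalObject != globalObjectFromConstructor` guard, so a same-realm `ArrayBuffer` now returns `std::nullopt` here too; add a comment above `bool isAnyArrayBufferConstructor = ...` explaining why the default constructor can legitimately reach this slow path (the watchpoint fires on the reassignment in the test, or could not be installed because the replacement watchpoint had already fired), otherwise the removed realm test reads like a missing condition and may be reintroduced. Also check whether `globalObject` is still referenced elsewhere in this function now that this comparison is gone; if not, it can be dropped.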
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes