Modified: branches/safari-600.1-branch/LayoutTests/ChangeLog (172788 => 172789)
--- branches/safari-600.1-branch/LayoutTests/ChangeLog 2014-08-19 23:50:49 UTC (rev 172788)
+++ branches/safari-600.1-branch/LayoutTests/ChangeLog 2014-08-19 23:53:33 UTC (rev 172789)
@@ -1,5 +1,24 @@
2014-08-19 Dana Burkart <[email protected]>
+ Merge r172727. <rdar://problem/18051847>
+
+ 2014-08-18 Andreas Kling <[email protected]>
+
+ REGRESSION(r168256): JSString can get 8-bit flag wrong when re-using AtomicStrings.
+ <https://webkit.org/b/133574>
+ <rdar://problem/18051847>
+
+ Add a tests that creates a 16-bit AtomicString with only 8-bit characters,
+ then tiers up into baseline JIT and uses that string as part of a rope-within-a-rope
+ and serializes that rope to get an incorrect concatenation.
+
+ Reviewed by Darin Adler.
+
+ * js/dopey-rope-with-16-bit-propertyname-expected.txt: Added.
+ * js/dopey-rope-with-16-bit-propertyname.html: Added.
+
+2014-08-19 Dana Burkart <[email protected]>
+
Merge r172709. <rdar://problem/17850158>
2014-08-18 Andy Estes <[email protected]>
Copied: branches/safari-600.1-branch/LayoutTests/js/dopey-rope-with-16-bit-propertyname-expected.txt (from rev 172727, trunk/LayoutTests/js/dopey-rope-with-16-bit-propertyname-expected.txt) (0 => 172789)
--- branches/safari-600.1-branch/LayoutTests/js/dopey-rope-with-16-bit-propertyname-expected.txt (rev 0)
+++ branches/safari-600.1-branch/LayoutTests/js/dopey-rope-with-16-bit-propertyname-expected.txt 2014-08-19 23:53:33 UTC (rev 172789)
@@ -0,0 +1,10 @@
+Test that a 16-bit AtomicString containing only 8-bit characters doesn't confuse the JIT into thinking it's an 8-bit AtomicString.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS globalRope is 'foo.zest'
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Copied: branches/safari-600.1-branch/LayoutTests/js/dopey-rope-with-16-bit-propertyname.html (from rev 172727, trunk/LayoutTests/js/dopey-rope-with-16-bit-propertyname.html) (0 => 172789)
--- branches/safari-600.1-branch/LayoutTests/js/dopey-rope-with-16-bit-propertyname.html (rev 0)
+++ branches/safari-600.1-branch/LayoutTests/js/dopey-rope-with-16-bit-propertyname.html 2014-08-19 23:53:33 UTC (rev 172789)
@@ -0,0 +1,36 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="utf-8">
+<script src=""
+</head>
+<body>
+<script>
+
+description("Test that a 16-bit AtomicString containing only 8-bit characters doesn't confuse the JIT into thinking it's an 8-bit AtomicString.");
+
+o = {};
+
+stringWithEmoji = "zest😐";
+var test16bit = stringWithEmoji.substring(0, 4);
+
+o[test16bit] = "this makes it an AtomicString";
+
+globalRope = "";
+
+function jittable(a, b) {
+ for (var i = 0; i < 5000; ++i) {
+ poisonedRope = a + b;
+ o[poisonedRope] = 1;
+ globalRope = "foo." + poisonedRope;
+ }
+}
+
+jittable("ze", "st");
+
+shouldBe("globalRope", "'foo.zest'");
+
+</script>
+<script src=""
+</body>
+</html>
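Review bot: The two load-bearing tricks in this test are undocumented: `substring(0, 4)` of a string that holds an emoji is what yields a 16-bit AtomicString containing only Latin-1 characters, and the 5000-iteration loop in `jittable` exists to tier the loop up into the baseline JIT (per the ChangeLog entry), but neither is stated in the file. Suggest `// substring() of a 16-bit string stays 16-bit even though "zest" is all Latin-1; using it as a property name puts that 16-bit impl into the AtomicString table.` above the `substring` line and `// Enough iterations to tier up into the baseline JIT; tier-up thresholds are tunable, so revisit this count if they change.` above the for loop. The two `<script src="">` lines appear here with an empty src and no closing tag; if that is not an artifact of this page's rendering, js-test-pre/post would not load and `description`/`shouldBe` would be undefined.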
Modified: branches/safari-600.1-branch/Source/_javascript_Core/ChangeLog (172788 => 172789)
--- branches/safari-600.1-branch/Source/_javascript_Core/ChangeLog 2014-08-19 23:50:49 UTC (rev 172788)
+++ branches/safari-600.1-branch/Source/_javascript_Core/ChangeLog 2014-08-19 23:53:33 UTC (rev 172789)
@@ -1,3 +1,37 @@
+2014-08-19 Dana Burkart <[email protected]>
+
+ Merge r172727. <rdar://problem/18051847>
+
+ 2014-08-18 Andreas Kling <[email protected]>
+
+ REGRESSION(r168256): JSString can get 8-bit flag wrong when re-using AtomicStrings.
+ <https://webkit.org/b/133574>
+ <rdar://problem/18051847>
+
+ The optimization that resolves JSRopeStrings into an existing
+ AtomicString (to save time and memory by avoiding StringImpl allocation)
+ had a bug that it wasn't copying the 8-bit flag from the AtomicString.
+
+ This could lead to a situation where a 16-bit StringImpl containing
+ only 8-bit characters is sitting in the AtomicString table, is found
+ by the rope resolution optimization, and gives you a rope that thinks
+ it's all 8-bit, but has a fiber with 16-bit characters.
+
+ Resolving that rope will then yield incorrect results.
+
+ This was all caught by an assertion, but very hard to reproduce.
+
+ Test: js/dopey-rope-with-16-bit-propertyname.html
+
+ Reviewed by Darin Adler.
+
+ * runtime/JSString.cpp:
+ (JSC::JSRopeString::resolveRopeToAtomicString):
+ (JSC::JSRopeString::resolveRopeToExistingAtomicString):
+ * runtime/JSString.h:
+ (JSC::JSString::setIs8Bit):
+ (JSC::JSString::toExistingAtomicString):
+
2014-08-12 Lucas Forschler <[email protected]>
Merge r172397
Modified: branches/safari-600.1-branch/Source/_javascript_Core/runtime/JSString.cpp (172788 => 172789)
--- branches/safari-600.1-branch/Source/_javascript_Core/runtime/JSString.cpp 2014-08-19 23:50:49 UTC (rev 172788)
+++ branches/safari-600.1-branch/Source/_javascript_Core/runtime/JSString.cpp 2014-08-19 23:53:33 UTC (rev 172789)
@@ -135,6 +135,7 @@
if (m_length > maxLengthForOnStackResolve) {
resolveRope(exec);
m_value = AtomicString(m_value);
+ setIs8Bit(m_value.impl()->is8Bit());
return;
}
@@ -142,10 +143,12 @@
LChar buffer[maxLengthForOnStackResolve];
resolveRopeInternal8(buffer);
m_value = AtomicString(buffer, m_length);
+ setIs8Bit(m_value.impl()->is8Bit());
} else {
UChar buffer[maxLengthForOnStackResolve];
resolveRopeInternal16(buffer);
m_value = AtomicString(buffer, m_length);
+ setIs8Bit(m_value.impl()->is8Bit());
}
clearFibers();
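Review bot: The fix is applied as the same two-line pattern — assign `m_value` from an AtomicString, then `setIs8Bit(m_value.impl()->is8Bit())` — at seven sites across JSString.cpp and JSString.h, which is exactly the shape that let the flag fall out of sync in r168256; a single helper such as `void setAtomicValue(const AtomicString& s) { m_value = s; setIs8Bit(s.impl()->is8Bit()); }` would make the next assignment to `m_value` unable to forget the flag. The dereference `m_value.impl()->is8Bit()` also assumes the resolved value is non-null, which looks true after `resolveRope` / `AtomicString(buffer, m_length)` but is worth an `ASSERT(m_value.impl())` since a null impl here would be a crash on whatever string reached this path. resolveRopeToAtomicString starts and ends outside this hunk.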
@@ -167,6 +170,7 @@
resolveRope(exec);
if (AtomicStringImpl* existingAtomicString = AtomicString::find(m_value.impl())) {
m_value = *existingAtomicString;
+ setIs8Bit(m_value.impl()->is8Bit());
clearFibers();
return existingAtomicString;
}
@@ -178,6 +182,7 @@
resolveRopeInternal8(buffer);
if (AtomicStringImpl* existingAtomicString = AtomicString::find(buffer, m_length)) {
m_value = *existingAtomicString;
+ setIs8Bit(m_value.impl()->is8Bit());
clearFibers();
return existingAtomicString;
}
@@ -186,6 +191,7 @@
resolveRopeInternal16(buffer);
if (AtomicStringImpl* existingAtomicString = AtomicString::find(buffer, m_length)) {
m_value = *existingAtomicString;
+ setIs8Bit(m_value.impl()->is8Bit());
clearFibers();
return existingAtomicString;
}
Modified: branches/safari-600.1-branch/Source/_javascript_Core/runtime/JSString.h (172788 => 172789)
--- branches/safari-600.1-branch/Source/_javascript_Core/runtime/JSString.h 2014-08-19 23:50:49 UTC (rev 172788)
+++ branches/safari-600.1-branch/Source/_javascript_Core/runtime/JSString.h 2014-08-19 23:53:33 UTC (rev 172789)
@@ -187,7 +187,7 @@
bool isRope() const { return m_value.isNull(); }
bool is8Bit() const { return m_flags & Is8Bit; }
- void setIs8Bit(bool flag)
+ void setIs8Bit(bool flag) const
{
if (flag)
m_flags |= Is8Bit;
@@ -201,7 +201,7 @@
bool tryHashConsLock();
void releaseHashConsLock();
- unsigned m_flags;
+ mutable unsigned m_flags;
// A string is represented either by a String or a rope of fibers.
unsigned m_length;
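Review bot: `mutable unsigned m_flags` now lets const members rewrite the flag word with a plain read-modify-write (`m_flags |= Is8Bit` / `m_flags &= ~Is8Bit` in setIs8Bit), and the `tryHashConsLock()` / `releaseHashConsLock()` declarations immediately above suggest lock state is also kept in this object; if those bits share `m_flags`, a const-path flag update racing with a lock update on another thread would be a non-atomic RMW on the same word. The hunk does not show whether that is the case, so at minimum the field should document the contract, e.g. `// Is8Bit may be flipped from const methods when m_value is replaced by an existing AtomicString; callers must be on the owning thread.` — and if the hash-cons lock bits do live here, setIs8Bit should use the same atomic update they use. The enclosing class JSString starts before and ends after this hunk.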
@@ -408,6 +408,7 @@
return static_cast<AtomicStringImpl*>(m_value.impl());
if (AtomicStringImpl* existingAtomicString = AtomicString::find(m_value.impl())) {
m_value = *existingAtomicString;
+ setIs8Bit(m_value.impl()->is8Bit());
return existingAtomicString;
}
return nullptr;