Skip to site navigation (Press enter)

[webkit-changes] [182050] trunk/Source/JavaScriptCore

joepeck Thu, 26 Mar 2015 19:56:47 -0700

Title: [182050] trunk/Source/_javascript_Core

Revision: 182050
Author: [email protected]
Date: 2015-03-26 19:55:57 -0700 (Thu, 26 Mar 2015)

Log Message

WebContent Crash when instantiating class with Type Profiling enabled
https://bugs.webkit.org/show_bug.cgi?id=143037


Reviewed by Ryosuke Niwa.

* bytecompiler/BytecodeGenerator.h:
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitMoveEmptyValue):
We cannot profile the type of an uninitialized empty JSValue.
Nor do we expect this to be necessary, since it is effectively
an unseen undefined value. So add a way to put the empty value
without profiling.

(JSC::BytecodeGenerator::emitMove):
Add an assert to try to catch this issue early on, and force
callers to explicitly use emitMoveEmptyValue instead.

* tests/typeProfiler/classes.js: Added.
(wrapper.Base):
(wrapper.Derived):
(wrapper):
Add test coverage both for this case and classes in general.

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp
trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h

Added Paths

trunk/Source/_javascript_Core/tests/typeProfiler/classes.js

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (182049 => 182050)


--- trunk/Source/_javascript_Core/ChangeLog	2015-03-27 02:24:55 UTC (rev 182049)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-03-27 02:55:57 UTC (rev 182050)
@@ -1,5 +1,31 @@
 2015-03-26  Joseph Pecoraro  <[email protected]>
 
+        WebContent Crash when instantiating class with Type Profiling enabled
+        https://bugs.webkit.org/show_bug.cgi?id=143037
+
+        Reviewed by Ryosuke Niwa.
+
+        * bytecompiler/BytecodeGenerator.h:
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::BytecodeGenerator):
+        (JSC::BytecodeGenerator::emitMoveEmptyValue):
+        We cannot profile the type of an uninitialized empty JSValue.
+        Nor do we expect this to be necessary, since it is effectively
+        an unseen undefined value. So add a way to put the empty value
+        without profiling.
+
+        (JSC::BytecodeGenerator::emitMove):
+        Add an assert to try to catch this issue early on, and force
+        callers to explicitly use emitMoveEmptyValue instead.
+
+        * tests/typeProfiler/classes.js: Added.
+        (wrapper.Base):
+        (wrapper.Derived):
+        (wrapper):
+        Add test coverage both for this case and classes in general.
+
+2015-03-26  Joseph Pecoraro  <[email protected]>
+
         Web Inspector: ES6: Provide a better view for Classes in the console
         https://bugs.webkit.org/show_bug.cgi?id=142999

Modified: trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp (182049 => 182050)


--- trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp	2015-03-27 02:24:55 UTC (rev 182049)
+++ trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp	2015-03-27 02:55:57 UTC (rev 182050)
@@ -473,7 +473,7 @@
         if (constructorKind() == ConstructorKind::Derived) {
             m_newTargetRegister = addVar();
             emitMove(m_newTargetRegister, &m_thisRegister);
-            emitMove(&m_thisRegister, addConstantEmptyValue());
+            emitMoveEmptyValue(&m_thisRegister);
         } else
             emitCreateThis(&m_thisRegister);
     } else if (constructorKind() != ConstructorKind::None) {
@@ -992,8 +992,20 @@
     return m_codeBlock->addRegExp(r);
 }
 
+RegisterID* BytecodeGenerator::emitMoveEmptyValue(RegisterID* dst)
+{
+    RefPtr<RegisterID> emptyValue = addConstantEmptyValue();
+
+    emitOpcode(op_mov);
+    instructions().append(dst->index());
+    instructions().append(emptyValue->index());
+    return dst;
+}
+
 RegisterID* BytecodeGenerator::emitMove(RegisterID* dst, RegisterID* src)
 {
+    ASSERT(src != m_emptyValueRegister);
+
     m_staticPropertyAnalyzer.mov(dst->index(), src->index());
     emitOpcode(op_mov);
     instructions().append(dst->index());

Modified: trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h (182049 => 182050)


--- trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h	2015-03-27 02:24:55 UTC (rev 182049)
+++ trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h	2015-03-27 02:55:57 UTC (rev 182050)
@@ -456,6 +456,7 @@
         RegisterID* emitNewDefaultConstructor(RegisterID* dst, ConstructorKind, const Identifier& name);
         RegisterID* emitNewRegExp(RegisterID* dst, RegExp*);
 
+        RegisterID* emitMoveEmptyValue(RegisterID* dst);
         RegisterID* emitMove(RegisterID* dst, RegisterID* src);
 
         RegisterID* emitToNumber(RegisterID* dst, RegisterID* src) { return emitUnaryOp(op_to_number, dst, src); }

Added: trunk/Source/_javascript_Core/tests/typeProfiler/classes.js (0 => 182050)


--- trunk/Source/_javascript_Core/tests/typeProfiler/classes.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/typeProfiler/classes.js	2015-03-27 02:55:57 UTC (rev 182050)
@@ -0,0 +1,29 @@
+load("./driver/driver.js");
+
+function wrapper() {
+
+class Base { constructor() { this._base = true; } };
+class Derived extends Base { constructor() { super(); this._derived = true; } };
+
+var baseInstance = new Base;
+var derivedInstance = new Derived;
+
+}
+wrapper();
+
+// ====== End test cases ======
+
+var types = findTypeForExpression(wrapper, "baseInstance = new Base");
+assert(types.globalTypeSet.displayTypeName === "Base", "variable 'baseInstance' should have displayTypeName 'Base'");
+assert(types.instructionTypeSet.displayTypeName === "Base", "variable 'baseInstance' should have displayTypeName 'Base'");
+assert(types.instructionTypeSet.structures.length === 1, "Variable 'baseInstance' should have one structure");
+assert(types.instructionTypeSet.structures[0].fields.length === 1, "variable 'baseInstance' should have one field: _base");
+assert(types.instructionTypeSet.structures[0].fields.indexOf("_base") !== -1, "variable 'baseInstance' should have field '_base'");
+
+types = findTypeForExpression(wrapper, "derivedInstance = new Derived");
+assert(types.globalTypeSet.displayTypeName === "Derived", "variable 'derivedInstance' should have displayTypeName 'Derived'");
+assert(types.instructionTypeSet.displayTypeName === "Derived", "variable 'derivedInstance' should have displayTypeName 'Derived'");
+assert(types.instructionTypeSet.structures.length === 1, "Variable 'derivedInstance' should have one structure");
+assert(types.instructionTypeSet.structures[0].fields.length === 2, "variable 'derivedInstance' should have one field: _base,_derived");
+assert(types.instructionTypeSet.structures[0].fields.indexOf("_base") !== -1, "variable 'derivedInstance' should have field '_base'");
+assert(types.instructionTypeSet.structures[0].fields.indexOf("_derived") !== -1, "variable 'derivedInstance' should have field '_derived'");

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes