Title: [183564] trunk/Source/_javascript_Core
Revision: 183564
Author: [email protected]
Date: 2015-04-29 12:00:12 -0700 (Wed, 29 Apr 2015)

Log Message

Safari WebKit crash when loading Google Spreadsheet.
https://bugs.webkit.org/show_bug.cgi?id=144020

Reviewed by Filip Pizlo.

The bug is that the object allocation sinking phase did not account for a case
where a property of a sunken object is only initialized on one path and not
another.  As a result, on the path where the property is not initialized, we'll
encounter an Upsilon with a BottomValue (which is not allowed by definition).

The fix is to use a JSConstant(undefined) as the bottom value instead (of
BottomValue).  If the property is uninitialized, it should still be accessible
and have the value undefined.

* dfg/DFGObjectAllocationSinkingPhase.cpp:
(JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
* tests/stress/object-allocation-sinking-with-uninitialized-property-on-one-path.js: Added.
(foo):
(foo2):

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (183563 => 183564)


--- trunk/Source/_javascript_Core/ChangeLog	2015-04-29 18:51:23 UTC (rev 183563)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-04-29 19:00:12 UTC (rev 183564)
@@ -1,3 +1,25 @@
+2015-04-29  Mark Lam  <[email protected]>
+
+        Safari WebKit crash when loading Google Spreadsheet.
+        https://bugs.webkit.org/show_bug.cgi?id=144020
+
+        Reviewed by Filip Pizlo.
+
+        The bug is that the object allocation sinking phase did not account for a case
+        where a property of a sunken object is only initialized on one path and not
+        another.  As a result, on the path where the property is not initialized, we'll
+        encounter an Upsilon with a BottomValue (which is not allowed by definition).
+
+        The fix is to use a JSConstant(undefined) as the bottom value instead (of
+        BottomValue).  If the property is uninitialized, it should still be accessible
+        and have the value undefined.
+
+        * dfg/DFGObjectAllocationSinkingPhase.cpp:
+        (JSC::DFG::ObjectAllocationSinkingPhase::promoteSunkenFields):
+        * tests/stress/object-allocation-sinking-with-uninitialized-property-on-one-path.js: Added.
+        (foo):
+        (foo2):
+
 2015-04-29  Yusuke Suzuki  <[email protected]>
 
         REGRESSION (r183373): ASSERT failed in wtf/SHA1.h

Modified: trunk/Source/_javascript_Core/dfg/DFGObjectAllocationSinkingPhase.cpp (183563 => 183564)


--- trunk/Source/_javascript_Core/dfg/DFGObjectAllocationSinkingPhase.cpp	2015-04-29 18:51:23 UTC (rev 183563)
+++ trunk/Source/_javascript_Core/dfg/DFGObjectAllocationSinkingPhase.cpp	2015-04-29 19:00:12 UTC (rev 183564)
@@ -641,7 +641,7 @@
         Node* bottom = nullptr;
         for (BasicBlock* block : m_graph.blocksInNaturalOrder()) {
             if (block == m_graph.block(0))
-                bottom = m_insertionSet.insertNode(0, SpecNone, BottomValue, NodeOrigin());
+                bottom = m_insertionSet.insertConstant(0, NodeOrigin(), jsUndefined());
             
             for (unsigned nodeIndex = 0; nodeIndex < block->size(); ++nodeIndex) {
                 Node* node = block->at(nodeIndex);
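Review bot: the replacement line `bottom = m_insertionSet.insertConstant(0, NodeOrigin(), jsUndefined());` carries no comment explaining why an undefined constant, rather than BottomValue, is the correct bottom for a sunken object's promoted fields; a later reader of this loop sees an ordinary constant and has no hint that it represents the field-not-yet-initialized-on-this-path case, or that Upsilon must not take a BottomValue. Suggest a one-line comment above it, along the lines of `// Use undefined, not BottomValue: a field that is uninitialized on some path is still readable there and must yield undefined, and Upsilon cannot take BottomValue.` The node is still created only in `m_graph.block(0)`, which is unchanged and fine, since a constant in the entry block dominates every Upsilon that may reference it.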

Added: trunk/Source/_javascript_Core/tests/stress/object-allocation-sinking-with-uninitialized-property-on-one-path.js (0 => 183564)


--- trunk/Source/_javascript_Core/tests/stress/object-allocation-sinking-with-uninitialized-property-on-one-path.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/object-allocation-sinking-with-uninitialized-property-on-one-path.js	2015-04-29 19:00:12 UTC (rev 183564)
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2015 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+// Regression test for https://bugs.webkit.org/show_bug.cgi?id=144020.
+// This test should not crash.
+
+// What happened in the bug:
+function foo(p) {
+    var b = {};
+    b.a = {};
+    if (p)
+        b.a.C = p.q;
+    return b.a.C;
+}
+noInline(foo);
+
+for (var i = 0; i < 10000; i++)
+    foo(true);
+
+// A reduced version:
+function foo2(p) {
+    var o = {};
+    if (p)
+        o.f = {};
+    return o.f;
+}
+noInline(foo2);
+
+for (var i = 0; i < 10000; i++)
+    foo2(true);
+
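Review bot: both warm-up loops call only `foo(true)` and `foo2(true)`, so the test exercises the compile-time symptom (the crash while sinking) but never observes the value the fix is meant to produce on the uninitialized path. Consider adding, after each loop, a call with a falsy argument and a check such as `if (foo2(false) !== undefined) throw "bad result";` so the ChangeLog's claim that the property "should still be accessible and have the value undefined" is actually verified by the test rather than assumed. Minor nit: the licence header line ending in `SUCH DAMAGE. ` has trailing whitespace.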
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
