Title: [184927] trunk/Source/_javascript_Core
- Revision
- 184927
- Author
- [email protected]
- Date
- 2015-05-27 16:47:40 -0700 (Wed, 27 May 2015)
Log Message
LazyNode comparison can return incorrect results when comparing an empty value
https://bugs.webkit.org/show_bug.cgi?id=145421
Reviewed by Geoffrey Garen.
When comparing a LazyNode to another, we compare the value pointers if
we have one, and otherwise compare the nodes.
We should be comparing value pointers if the other LazyNode has one as
well, otherwise we risk an incoherency when we are an empty LazyNode
being compared to a FrozenValue without node.
Note that this is not a problem in any other case because if we don't
have a FrozenValue and we are not an empty LazyNode, we are a
non-constant node, and comparing the node pointers is correct.
* dfg/DFGLazyNode.h:
(JSC::DFG::LazyNode::operator==):
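To make the "incoherency" concrete, here is a small stand-alone model of the comparison described above. It is an added example, not WebKit's code: `LazyNode`, `FrozenValue`, `Node`, `asValue()`, `m_value` and `m_node` are the names from this changeset, but the struct layout, the constructors and the `equalsOld`/`equalsNew` helpers are assumptions made for illustration. It exercises both the pre-r184927 comparison and the fixed one over the three kinds of LazyNode the log message mentions (empty, FrozenValue without node, non-constant node) and counts the pairs for which `a == b` disagrees with `b == a`.

```cpp
#include <cstddef>

// Stand-in types for the DFG's Node and FrozenValue; only pointer identity matters here.
struct Node { int id; };
struct FrozenValue { int id; };

// Minimal model of JSC::DFG::LazyNode (an assumption, not WebKit's code):
// a LazyNode holds either a FrozenValue* or a Node*, never both; the empty
// LazyNode holds neither, so both pointers are null.
struct LazyNode {
    FrozenValue* m_value = nullptr;
    Node* m_node = nullptr;

    LazyNode() = default;
    explicit LazyNode(FrozenValue* value) : m_value(value) {}
    explicit LazyNode(Node* node) : m_node(node) {}

    FrozenValue* asValue() const { return m_value; }

    // Comparison before r184927: only looks at whether *this* side has a value.
    bool equalsOld(const LazyNode& other) const {
        if (asValue())
            return m_value == other.m_value;
        return m_node == other.m_node;
    }

    // Comparison after r184927: take the value path if *either* side has a value.
    bool equalsNew(const LazyNode& other) const {
        if (asValue() || other.asValue())
            return m_value == other.m_value;
        return m_node == other.m_node;
    }
};

// Counts ordered pairs (a, b) in the sample set for which cmp(a, b) != cmp(b, a);
// a sound equality must return 0 here.
template <typename Cmp>
int countAsymmetries(const LazyNode* nodes, size_t count, Cmp cmp) {
    int asymmetries = 0;
    for (size_t i = 0; i < count; ++i)
        for (size_t j = 0; j < count; ++j)
            if (cmp(nodes[i], nodes[j]) != cmp(nodes[j], nodes[i]))
                ++asymmetries;
    return asymmetries;
}

// Constructed sample set: an empty LazyNode, a frozen constant with no node,
// and a non-constant node with no FrozenValue.
static FrozenValue gConstant{1};
static Node gNode{2};
static const LazyNode gSamples[] = { LazyNode(), LazyNode(&gConstant), LazyNode(&gNode) };
static const size_t gSampleCount = sizeof(gSamples) / sizeof(gSamples[0]);

int asymmetriesBeforeFix() {
    return countAsymmetries(gSamples, gSampleCount,
        [](const LazyNode& a, const LazyNode& b) { return a.equalsOld(b); });
}

int asymmetriesAfterFix() {
    return countAsymmetries(gSamples, gSampleCount,
        [](const LazyNode& a, const LazyNode& b) { return a.equalsNew(b); });
}

// The exact case from the bug report: empty LazyNode vs. FrozenValue without node.
// Before the fix the empty side took the node path and matched null against null.
bool oldEmptyEqualsConstant() { return gSamples[0].equalsOld(gSamples[1]); }  // true (wrong)
bool oldConstantEqualsEmpty() { return gSamples[1].equalsOld(gSamples[0]); }  // false
bool newEmptyEqualsConstant() { return gSamples[0].equalsNew(gSamples[1]); }  // false
```

The only asymmetric pair under the old comparison is (empty, constant): comparing in one order reaches `m_node == other.m_node` with both pointers null and returns true, the other order reaches `m_value == other.m_value` and returns false. The (constant, node) and (empty, node) pairs were already consistent, which is the "not a problem in any other case" observation in the log message.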
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (184926 => 184927)
--- trunk/Source/_javascript_Core/ChangeLog 2015-05-27 23:43:22 UTC (rev 184926)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-05-27 23:47:40 UTC (rev 184927)
@@ -1,3 +1,23 @@
+2015-05-27 Basile Clement <[email protected]>
+
+ LazyNode comparison can return incorrect results when comparing an empty value
+ https://bugs.webkit.org/show_bug.cgi?id=145421
+
+ Reviewed by Geoffrey Garen.
+
+ When comparing a LazyNode to another, we compare the value pointers if
+ we have one, and otherwise compare the nodes.
+ We should be comparing value pointers if the other LazyNode has one as
+ well, otherwise we risk an incoherency when we are a empty LazyNode
+ being compared to a FrozenValue without node.
+
+ Note that this is not a problem in any other case because if we don't
+ have a FrozenValue and we are not an empty LazyNode, we are a
+ non-constant node, and comparing the node pointers is correct.
+
+ * dfg/DFGLazyNode.h:
+ (JSC::DFG::LazyNode::operator==):
+
2015-05-27 Geoffrey Garen <[email protected]>
REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower
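Review bot: "a empty LazyNode" in the third paragraph of the new entry should read "an empty LazyNode"; otherwise the entry matches the commit message and the single file it lists.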
Modified: trunk/Source/_javascript_Core/dfg/DFGLazyNode.h (184926 => 184927)
--- trunk/Source/_javascript_Core/dfg/DFGLazyNode.h 2015-05-27 23:43:22 UTC (rev 184926)
+++ trunk/Source/_javascript_Core/dfg/DFGLazyNode.h 2015-05-27 23:47:40 UTC (rev 184927)
@@ -34,8 +34,6 @@
namespace JSC { namespace DFG {
-
-
class LazyNode {
public:
static const size_t jsConstantTag = 0;
@@ -119,7 +117,7 @@
bool operator==(const LazyNode& other) const
{
- if (asValue())
+ if (asValue() || other.asValue())
return m_value == other.m_value;
return m_node == other.m_node;
}
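Review bot: the new condition `if (asValue() || other.asValue())` depends on an invariant this hunk does not state, namely that a LazyNode without a FrozenValue keeps m_value null (so an empty LazyNode never compares equal to a constant, and a constant never compares equal to a non-constant node); a one-line comment above the condition restating that, as the ChangeLog does, would keep the next reader from "simplifying" it back. Before this change `empty == constant` took the node path and returned true (both m_node null) while `constant == empty` took the value path and returned false, so the fix restores symmetry; since the ChangeLog lists no test, a small regression test comparing an empty LazyNode against a FrozenValue-only LazyNode in both orders would lock that in. If operator!= is defined with its own logic rather than as `!(*this == other)`, it needs the same change.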
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes