Title: [195462] trunk/Source/_javascript_Core
- Revision
- 195462
- Author
- [email protected]
- Date
- 2016-01-22 11:31:06 -0800 (Fri, 22 Jan 2016)
Log Message
Equivalence PropertyCondition needs to check the offset it uses to load the value from is not invalidOffset
https://bugs.webkit.org/show_bug.cgi?id=152912
Reviewed by Mark Lam.
When checking the validity of an Equivalence PropertyCondition we do not check that the offset returned by
the structure of the object in the equivalence condition is valid. The offset might be wrong for many reasons.
The one we now test for is when the GlobalObject has a property that becomes a variable: the property is deleted,
thus the offset is now invalid.
* bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
* tests/stress/global-property-into-variable-get-from-scope.js: Added.
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (195461 => 195462)
--- trunk/Source/_javascript_Core/ChangeLog 2016-01-22 18:47:38 UTC (rev 195461)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-01-22 19:31:06 UTC (rev 195462)
@@ -1,5 +1,21 @@
2016-01-22 Keith Miller <[email protected]>
+ Equivalence PropertyCondition needs to check the offset it uses to load the value from is not invalidOffset
+ https://bugs.webkit.org/show_bug.cgi?id=152912
+
+ Reviewed by Mark Lam.
+
+ When checking the validity of an Equivalence PropertyCondition we do not check that the offset returned by
+ the structure of the object in the equivalence condition is valid. The offset might be wrong for many reasons.
+ The one we now test for is when the GlobalObject has a property that becomes a variable the property is deleted
+ thus the offset is now invalid.
+
+ * bytecode/PropertyCondition.cpp:
+ (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
+ * tests/stress/global-property-into-variable-get-from-scope.js: Added.
+
+2016-01-22 Keith Miller <[email protected]>
+
[ES6] Add Symbol.species properties to the relevant constructors
https://bugs.webkit.org/show_bug.cgi?id=153339
Modified: trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp (195461 => 195462)
--- trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp 2016-01-22 18:47:38 UTC (rev 195461)
+++ trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp 2016-01-22 19:31:06 UTC (rev 195462)
@@ -172,6 +172,15 @@
// https://bugs.webkit.org/show_bug.cgi?id=134641
PropertyOffset currentOffset = structure->getConcurrently(uid());
+ if (currentOffset == invalidOffset) {
+ if (verbose) {
+ dataLog(
+ "Invalid because the base no long appears to have ", uid(), " on its structure: ",
+ RawPointer(base), "\n");
+ }
+ return false;
+ }
+
JSValue currentValue = base->getDirect(currentOffset);
if (currentValue != requiredValue()) {
if (verbose) {
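Review bot: the new dataLog string has a typo, "no long appears" should read "no longer appears". The placement of the early return is right: it sits between structure->getConcurrently(uid()) and base->getDirect(currentOffset), so getDirect is never called with the invalidOffset sentinel, which is the invalid-offset access the bug report describes. Returning false rather than asserting is also the correct choice here, since this path runs against a structure the base may already have moved away from (the comment above references the concurrency concerns in bug 134641), and a condition that no longer holds is simply invalid, not a programming error. Consider adding a one-line comment above the check noting that the property can legitimately disappear from the structure, for example when a global property is converted to a global variable, so the next reader does not mistake this for a defensive check.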
Added: trunk/Source/_javascript_Core/tests/stress/global-property-into-variable-get-from-scope.js (0 => 195462)
--- trunk/Source/_javascript_Core/tests/stress/global-property-into-variable-get-from-scope.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/global-property-into-variable-get-from-scope.js 2016-01-22 19:31:06 UTC (rev 195462)
@@ -0,0 +1,13 @@
+// This tests a bug that occured because we have noInline as a global
+// property then is set to a global variable in the load of standalone-pre.js.
+// Once we get to the DFG we still think that noInline is a global property
+// based on an old global object structure. This would cause a crash when we
+// attempted to create an equivalence condition for the get_from_scope of
+// noInline as the current global object would not have noInline as a property
+// at that point and we would attempt to access the value at an invalid offset.
+
+load("resources/standalone-pre.js");
+
+noInline();
+
+for (i = 0; i < 100000; i++);
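Review bot: the header comment has two wording problems: "occured" should be "occurred", and "we have noInline as a global property then is set to a global variable in the load of standalone-pre.js" would read more clearly as "noInline starts as a global property and is then redefined as a global variable when standalone-pre.js is loaded". The body of the test would also benefit from two short comments, since the intent is not obvious from the code alone: the bare noInline() call is the get_from_scope of noInline that the comment says used to crash, and the empty loop exists only to run the program long enough to reach the DFG. The loop variable i is never declared, so for (i = 0; ...) writes an implicit global; if that is deliberate (keeping the loop itself going through the global object), say so in a comment, otherwise declare it with var so the test does not depend on sloppy-mode global creation.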
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes