Changeset 175724 in webkit


Timestamp:
Nov 6, 2014 4:18:23 PM (9 years ago)
Author:
mark.lam@apple.com
Message:

slow_path_get_direct_pname() needs to be hardened against a constant baseValue.
<https://webkit.org/b/138476>

Reviewed by Michael Saboff.

Source/JavaScriptCore:

slow_path_get_direct_pname() currently assumes that the baseValue is always a
non-constant virtual register. However, this is not always the case, as in the
following:

function foo() {

var o = { a:1 };
for (var n in o)

0[n];

}
foo();

This patch fixes it to also check for constant virtual register indexes.

  • runtime/CommonSlowPaths.cpp:

(JSC::SLOW_PATH_DECL):

LayoutTests:

  • js/get-by-pname-expected.txt:
  • js/script-tests/get-by-pname.js:

(getByPnameOnConstant):
(getByPnameOnVar):

  • Added more test cases.
Location:
trunk
Files:
5 edited

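--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,15 @@
+2014-11-06  Mark Lam  <mark.lam@apple.com>
+
+        slow_path_get_direct_pname() needs to be hardened against a constant baseValue.
+        <https://webkit.org/b/138476>
+
+        Reviewed by Michael Saboff.
+
+        * js/get-by-pname-expected.txt:
+        * js/script-tests/get-by-pname.js:
+        (getByPnameOnConstant):
+        (getByPnameOnVar):
+        - Added more test cases.
+
 2014-11-06  Mark Lam  <mark.lam@apple.com>
 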
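--- a/trunk/LayoutTests/js/get-by-pname-expected.txt
+++ b/trunk/LayoutTests/js/get-by-pname-expected.txt
@@ -10,4 +10,35 @@
 PASS foo(r) is 113
 PASS foo(s) is 182
+PASS getByPnameOnConstant(a) is 0
+PASS getByPnameOnVar(a, 100) is 0
+PASS getByPnameOnVar(a, 'abc') is '0abc'
+PASS getByPnameOnVar(a, o) is 0
+PASS getByPnameOnVar(a, o1) is 4
+PASS getByPnameOnVar(a, a) is 6
+PASS getByPnameOnConstant(o1) is 0
+PASS getByPnameOnVar(o1, 100) is 0
+PASS getByPnameOnVar(o1, 'abc') is '0bc0'
+PASS getByPnameOnVar(o1, o) is 0
+PASS getByPnameOnVar(o1, o1) is 11
+PASS getByPnameOnVar(o1, a) is 5
+PASS getByPnameOnConstant(o) is 0
+PASS getByPnameOnVar(o, 100) is 0
+PASS getByPnameOnVar(o, 'abc') is 0
+PASS getByPnameOnVar(o, o) is 11
+PASS getByPnameOnVar(o, o1) is 0
+PASS getByPnameOnVar(o, a) is 0
+PASS getByPnameOnConstant(0) is 0
+PASS getByPnameOnVar(0, 100) is 0
+PASS getByPnameOnVar(0, 'abc') is 0
+PASS getByPnameOnVar(0, o) is 0
+PASS getByPnameOnVar(0, o1) is 0
+PASS getByPnameOnVar(0, a) is 0
+PASS getByPnameOnConstant('abc') is 0
+PASS getByPnameOnVar('abc', 100) is 0
+PASS getByPnameOnVar('abc', 'abc') is '0abc'
+PASS getByPnameOnVar('abc', o) is 0
+PASS getByPnameOnVar('abc', o1) is 4
+PASS getByPnameOnVar('abc', a) is 6
+PASS getByPnameOnVar('def', 'abc') is '0abc'
 
 Test tier: llint
@@ -17,4 +48,35 @@
 PASS foo(r) is 113
 PASS foo(s) is 182
+PASS getByPnameOnConstant(a) is 0
+PASS getByPnameOnVar(a, 100) is 0
+PASS getByPnameOnVar(a, 'abc') is '0abc'
+PASS getByPnameOnVar(a, o) is 0
+PASS getByPnameOnVar(a, o1) is 4
+PASS getByPnameOnVar(a, a) is 6
+PASS getByPnameOnConstant(o1) is 0
+PASS getByPnameOnVar(o1, 100) is 0
+PASS getByPnameOnVar(o1, 'abc') is '0bc0'
+PASS getByPnameOnVar(o1, o) is 0
+PASS getByPnameOnVar(o1, o1) is 11
+PASS getByPnameOnVar(o1, a) is 5
+PASS getByPnameOnConstant(o) is 0
+PASS getByPnameOnVar(o, 100) is 0
+PASS getByPnameOnVar(o, 'abc') is 0
+PASS getByPnameOnVar(o, o) is 11
+PASS getByPnameOnVar(o, o1) is 0
+PASS getByPnameOnVar(o, a) is 0
+PASS getByPnameOnConstant(0) is 0
+PASS getByPnameOnVar(0, 100) is 0
+PASS getByPnameOnVar(0, 'abc') is 0
+PASS getByPnameOnVar(0, o) is 0
+PASS getByPnameOnVar(0, o1) is 0
+PASS getByPnameOnVar(0, a) is 0
+PASS getByPnameOnConstant('abc') is 0
+PASS getByPnameOnVar('abc', 100) is 0
+PASS getByPnameOnVar('abc', 'abc') is '0abc'
+PASS getByPnameOnVar('abc', o) is 0
+PASS getByPnameOnVar('abc', o1) is 4
+PASS getByPnameOnVar('abc', a) is 6
+PASS getByPnameOnVar('def', 'abc') is '0abc'
 
 Test tier: baseline
@@ -24,4 +86,35 @@
 PASS foo(r) is 113
 PASS foo(s) is 182
+PASS getByPnameOnConstant(a) is 0
+PASS getByPnameOnVar(a, 100) is 0
+PASS getByPnameOnVar(a, 'abc') is '0abc'
+PASS getByPnameOnVar(a, o) is 0
+PASS getByPnameOnVar(a, o1) is 4
+PASS getByPnameOnVar(a, a) is 6
+PASS getByPnameOnConstant(o1) is 0
+PASS getByPnameOnVar(o1, 100) is 0
+PASS getByPnameOnVar(o1, 'abc') is '0bc0'
+PASS getByPnameOnVar(o1, o) is 0
+PASS getByPnameOnVar(o1, o1) is 11
+PASS getByPnameOnVar(o1, a) is 5
+PASS getByPnameOnConstant(o) is 0
+PASS getByPnameOnVar(o, 100) is 0
+PASS getByPnameOnVar(o, 'abc') is 0
+PASS getByPnameOnVar(o, o) is 11
+PASS getByPnameOnVar(o, o1) is 0
+PASS getByPnameOnVar(o, a) is 0
+PASS getByPnameOnConstant(0) is 0
+PASS getByPnameOnVar(0, 100) is 0
+PASS getByPnameOnVar(0, 'abc') is 0
+PASS getByPnameOnVar(0, o) is 0
+PASS getByPnameOnVar(0, o1) is 0
+PASS getByPnameOnVar(0, a) is 0
+PASS getByPnameOnConstant('abc') is 0
+PASS getByPnameOnVar('abc', 100) is 0
+PASS getByPnameOnVar('abc', 'abc') is '0abc'
+PASS getByPnameOnVar('abc', o) is 0
+PASS getByPnameOnVar('abc', o1) is 4
+PASS getByPnameOnVar('abc', a) is 6
+PASS getByPnameOnVar('def', 'abc') is '0abc'
 
 Test tier: dfg
@@ -31,4 +124,35 @@
 PASS foo(r) is 113
 PASS foo(s) is 182
+PASS getByPnameOnConstant(a) is 0
+PASS getByPnameOnVar(a, 100) is 0
+PASS getByPnameOnVar(a, 'abc') is '0abc'
+PASS getByPnameOnVar(a, o) is 0
+PASS getByPnameOnVar(a, o1) is 4
+PASS getByPnameOnVar(a, a) is 6
+PASS getByPnameOnConstant(o1) is 0
+PASS getByPnameOnVar(o1, 100) is 0
+PASS getByPnameOnVar(o1, 'abc') is '0bc0'
+PASS getByPnameOnVar(o1, o) is 0
+PASS getByPnameOnVar(o1, o1) is 11
+PASS getByPnameOnVar(o1, a) is 5
+PASS getByPnameOnConstant(o) is 0
+PASS getByPnameOnVar(o, 100) is 0
+PASS getByPnameOnVar(o, 'abc') is 0
+PASS getByPnameOnVar(o, o) is 11
+PASS getByPnameOnVar(o, o1) is 0
+PASS getByPnameOnVar(o, a) is 0
+PASS getByPnameOnConstant(0) is 0
+PASS getByPnameOnVar(0, 100) is 0
+PASS getByPnameOnVar(0, 'abc') is 0
+PASS getByPnameOnVar(0, o) is 0
+PASS getByPnameOnVar(0, o1) is 0
+PASS getByPnameOnVar(0, a) is 0
+PASS getByPnameOnConstant('abc') is 0
+PASS getByPnameOnVar('abc', 100) is 0
+PASS getByPnameOnVar('abc', 'abc') is '0abc'
+PASS getByPnameOnVar('abc', o) is 0
+PASS getByPnameOnVar('abc', o1) is 4
+PASS getByPnameOnVar('abc', a) is 6
+PASS getByPnameOnVar('def', 'abc') is '0abc'
 
 PASS successfullyParsed is true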
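--- a/trunk/LayoutTests/js/script-tests/get-by-pname.js
+++ b/trunk/LayoutTests/js/script-tests/get-by-pname.js
@@ -10,4 +10,18 @@
 }
 
+function getByPnameOnConstant(o) {
+    var result = 0;
+    for (var n in o)
+        result += 0[n] ? 0[n] : 0;
+    return result;
+}
+
+function getByPnameOnVar(o, v) {
+    var result = 0;
+    for (var n in o)
+        result += v[n] ? v[n] : 0;
+    return result;
+}
+
 var o = {a:1, b:3, c:7};
 var p = {a:1, b:2, c:3, d:4};
@@ -15,4 +29,7 @@
 var r = {a:1, b:2, c:3, d:4, e:91, f:12};
 var s = {a:1, b:2, c:3, d:4, e:91, f:12, g:69};
+
+var a = [1, 2, 3];
+var o1 = {"1":1, "2":3, "3":7};
 
 var testCases = [
@@ -22,4 +39,40 @@
     [ "foo(r)", "113" ],
     [ "foo(s)", "182" ],
+
+    [ "getByPnameOnConstant(a)", "0" ],
+    [ "getByPnameOnVar(a, 100)", "0" ],
+    [ "getByPnameOnVar(a, 'abc')", "'0abc'" ],
+    [ "getByPnameOnVar(a, o)", "0" ],
+    [ "getByPnameOnVar(a, o1)", "4" ],
+    [ "getByPnameOnVar(a, a)", "6" ],
+
+    [ "getByPnameOnConstant(o1)", "0" ],
+    [ "getByPnameOnVar(o1, 100)", "0" ],
+    [ "getByPnameOnVar(o1, 'abc')", "'0bc0'" ],
+    [ "getByPnameOnVar(o1, o)", "0" ],
+    [ "getByPnameOnVar(o1, o1)", "11" ],
+    [ "getByPnameOnVar(o1, a)", "5" ],
+
+    [ "getByPnameOnConstant(o)", "0" ],
+    [ "getByPnameOnVar(o, 100)", "0" ],
+    [ "getByPnameOnVar(o, 'abc')", "0" ],
+    [ "getByPnameOnVar(o, o)", "11" ],
+    [ "getByPnameOnVar(o, o1)", "0" ],
+    [ "getByPnameOnVar(o, a)", "0" ],
+
+    [ "getByPnameOnConstant(0)", "0" ],
+    [ "getByPnameOnVar(0, 100)", "0" ],
+    [ "getByPnameOnVar(0, 'abc')", "0" ],
+    [ "getByPnameOnVar(0, o)", "0" ],
+    [ "getByPnameOnVar(0, o1)", "0" ],
+    [ "getByPnameOnVar(0, a)", "0" ],
+
+    [ "getByPnameOnConstant('abc')", "0" ],
+    [ "getByPnameOnVar('abc', 100)", "0" ],
+    [ "getByPnameOnVar('abc', 'abc')", "'0abc'" ],
+    [ "getByPnameOnVar('abc', o)", "0" ],
+    [ "getByPnameOnVar('abc', o1)", "4" ],
+    [ "getByPnameOnVar('abc', a)", "6" ],
+    [ "getByPnameOnVar('def', 'abc')", "'0abc'" ],
 ];
 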
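Review bot: Every `getByPnameOnConstant(...)` entry added to `testCases` expects `"0"`, because `0[n]` is undefined for all of the enumerated names, so these cases show only that the constant-base path completes, not that the slow path reads from the correct base value. A constant base with observable properties would pin the result: for example a sibling function whose loop body is `result += 'abc'[n] ? 'abc'[n] : 0;`, with `[ "getByPnameOnStringConstant(a)", "'0abc'" ]` added to the table, the same value `getByPnameOnVar(a, 'abc')` already yields. This assumes a string literal base is also emitted as a constant operand, which the page does not show.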
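--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,25 @@
+2014-11-06  Mark Lam  <mark.lam@apple.com>
+
+        slow_path_get_direct_pname() needs to be hardened against a constant baseValue.
+        <https://webkit.org/b/138476>
+
+        Reviewed by Michael Saboff.
+
+        slow_path_get_direct_pname() currently assumes that the baseValue is always a
+        non-constant virtual register.  However, this is not always the case like in the
+        following:
+
+            function foo() {
+                var o = { a:1 };
+                for (var n in o)
+                    0[n];
+            }
+            foo();
+
+        This patch fixes it to also check for constant virtual register indexes.
+
+        * runtime/CommonSlowPaths.cpp:
+        (JSC::SLOW_PATH_DECL):
+
 2014-11-06  Michael Saboff  <msaboff@apple.com>
 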
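--- a/trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
@@ -570,5 +570,5 @@
 {
     BEGIN();
-    JSValue baseValue = OP(2).jsValue();
+    JSValue baseValue = OP_C(2).jsValue();
     JSValue property = OP(3).jsValue();
     ASSERT(property.isString());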
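Review bot: The switch to `OP_C(2)` leaves nothing in the code explaining why operand 2 is read differently from operand 3 on the next line, so a later cleanup could revert it and reintroduce the wrong-slot read that the commit message describes. A comment above the new line would record the reason, for example `// baseValue may be a constant operand (e.g. 0[n]); OP() assumes a non-constant virtual register.` The `property` read still goes through `OP(3)` and is guarded only by `ASSERT(property.isString())`; if that assertion is compiled out of release builds (not visible here), it is worth confirming that operand 3 can never be a constant. The function's signature and the rest of its body lie outside this hunk.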