Changeset 255416 in webkit

Timestamp:

Jan 29, 2020, 9:51:43 PM (5 years ago)

Author:

mark.lam@apple.com

Message:

Fix bad assertion in InternalFunctionAllocationProfile::createAllocationStructureFromBase().
​https://bugs.webkit.org/show_bug.cgi?id=206981
<rdar://problem/58985736>

Reviewed by Keith Miller.

JSTests:

• stress/InternalFunctionAllocationProfile-createAllocationStructureFromBase-should-allow-for-same-classInfo-from-different-globals.js: Added.

Source/JavaScriptCore:

InternalFunctionAllocationProfile::createAllocationStructureFromBase() is only
called from FunctionRareData::createInternalFunctionAllocationStructureFromBase(),
which in turn is only called from InternalFunction::createSubclassStructureSlow().

InternalFunction::createSubclassStructureSlow() only allows a call to
FunctionRareData::createInternalFunctionAllocationStructureFromBase() under
certain conditions. One of these conditions is that the baseGlobalObject is
different than the newTarget's globalObject.

InternalFunctionAllocationProfile::createAllocationStructureFromBase() has an
ASSERT on the same set of conditions, with one ommission: the one above. This
patch fixes the ASSERT by adding the missing condition to match the check in
InternalFunction::createSubclassStructureSlow().

• bytecode/InternalFunctionAllocationProfile.h:

(JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/InternalFunctionAllocationProfile-createAllocationStructureFromBase-should-allow-for-same-classInfo-from-different-globals.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/InternalFunctionAllocationProfile.h (modified) (1 diff)

trunk/JSTests/ChangeLog

@@ +1 @@
+2020-01-29  Mark Lam  <mark.lam@apple.com>
+
+        Fix bad assertion in InternalFunctionAllocationProfile::createAllocationStructureFromBase().
+        https://bugs.webkit.org/show_bug.cgi?id=206981
+        <rdar://problem/58985736>
+
+        Reviewed by Keith Miller.
+
+        * stress/InternalFunctionAllocationProfile-createAllocationStructureFromBase-should-allow-for-same-classInfo-from-different-globals.js: Added.
+
 2020-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-01-29  Mark Lam  <mark.lam@apple.com>
+
+        Fix bad assertion in InternalFunctionAllocationProfile::createAllocationStructureFromBase().
+        https://bugs.webkit.org/show_bug.cgi?id=206981
+        <rdar://problem/58985736>
+
+        Reviewed by Keith Miller.
+
+        InternalFunctionAllocationProfile::createAllocationStructureFromBase() is only
+        called from FunctionRareData::createInternalFunctionAllocationStructureFromBase(),
+        which in turn is only called from InternalFunction::createSubclassStructureSlow().
+
+        InternalFunction::createSubclassStructureSlow() only allows a call to
+        FunctionRareData::createInternalFunctionAllocationStructureFromBase() under
+        certain conditions.  One of these conditions is that the baseGlobalObject is
+        different than the newTarget's globalObject.
+
+        InternalFunctionAllocationProfile::createAllocationStructureFromBase() has an
+        ASSERT on the same set of conditions, with one ommission: the one above.  This
+        patch fixes the ASSERT by adding the missing condition to match the check in
+        InternalFunction::createSubclassStructureSlow().
+
+        * bytecode/InternalFunctionAllocationProfile.h:
+        (JSC::InternalFunctionAllocationProfile::createAllocationStructureFromBase):
+
 2020-01-29  Robin Morisset  <rmorisset@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/InternalFunctionAllocationProfile.h

@@ -48 +48 @@
 inline Structure* InternalFunctionAllocationProfile::createAllocationStructureFromBase(VM& vm, JSGlobalObject* baseGlobalObject, JSCell* owner, JSObject* prototype, Structure* baseStructure)
 {
-    ASSERT(!m_structure || m_structure.get()->classInfo() != baseStructure->classInfo());
+    ASSERT(!m_structure || m_structure.get()->classInfo() != baseStructure->classInfo() || m_structure->globalObject() != baseGlobalObject);
     ASSERT(baseStructure->hasMonoProto());