Changeset 182050 in webkit

Timestamp:

Mar 26, 2015, 7:55:57 PM (10 years ago)

Author:

Joseph Pecoraro

Message:

WebContent Crash when instantiating class with Type Profiling enabled
​https://bugs.webkit.org/show_bug.cgi?id=143037

Reviewed by Ryosuke Niwa.

• bytecompiler/BytecodeGenerator.h:
• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::emitMoveEmptyValue):
We cannot profile the type of an uninitialized empty JSValue.
Nor do we expect this to be necessary, since it is effectively
an unseen undefined value. So add a way to put the empty value
without profiling.

(JSC::BytecodeGenerator::emitMove):
Add an assert to try to catch this issue early on, and force
callers to explicitly use emitMoveEmptyValue instead.

• tests/typeProfiler/classes.js: Added.

(wrapper.Base):
(wrapper.Derived):
(wrapper):
Add test coverage both for this case and classes in general.

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• bytecompiler/BytecodeGenerator.cpp (modified) (2 diffs)
• bytecompiler/BytecodeGenerator.h (modified) (1 diff)
• tests/typeProfiler/classes.js (added)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
+
+        WebContent Crash when instantiating class with Type Profiling enabled
+        https://bugs.webkit.org/show_bug.cgi?id=143037
+
+        Reviewed by Ryosuke Niwa.
+
+        * bytecompiler/BytecodeGenerator.h:
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::BytecodeGenerator):
+        (JSC::BytecodeGenerator::emitMoveEmptyValue):
+        We cannot profile the type of an uninitialized empty JSValue.
+        Nor do we expect this to be necessary, since it is effectively
+        an unseen undefined value. So add a way to put the empty value
+        without profiling.
+
+        (JSC::BytecodeGenerator::emitMove):
+        Add an assert to try to catch this issue early on, and force
+        callers to explicitly use emitMoveEmptyValue instead.
+
+        * tests/typeProfiler/classes.js: Added.
+        (wrapper.Base):
+        (wrapper.Derived):
+        (wrapper):
+        Add test coverage both for this case and classes in general.
+
 2015-03-26  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -474 +474 @@
             m_newTargetRegister = addVar();
             emitMove(m_newTargetRegister, &m_thisRegister);
-            emitMove(&m_thisRegister, addConstantEmptyValue());
+            emitMoveEmptyValue(&m_thisRegister);
         } else
             emitCreateThis(&m_thisRegister);
@@ -993 +993 @@
 }
 
+RegisterID* BytecodeGenerator::emitMoveEmptyValue(RegisterID* dst)
+{
+    RefPtr<RegisterID> emptyValue = addConstantEmptyValue();
+
+    emitOpcode(op_mov);
+    instructions().append(dst->index());
+    instructions().append(emptyValue->index());
+    return dst;
+}
+
 RegisterID* BytecodeGenerator::emitMove(RegisterID* dst, RegisterID* src)
 {
+    ASSERT(src != m_emptyValueRegister);
+
     m_staticPropertyAnalyzer.mov(dst->index(), src->index());
     emitOpcode(op_mov);

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -457 +457 @@
         RegisterID* emitNewRegExp(RegisterID* dst, RegExp*);
 
+        RegisterID* emitMoveEmptyValue(RegisterID* dst);
         RegisterID* emitMove(RegisterID* dst, RegisterID* src);