Changeset 195462 in webkit
Timestamp:
Jan 22, 2016 11:31:06 AM (8 years ago)
Author:
keith_miller@apple.com
Message:

Equivalence PropertyCondition needs to check the offset it uses to load the value from is not invalidOffset
https://bugs.webkit.org/show_bug.cgi?id=152912

Reviewed by Mark Lam.

When checking the validity of an Equivalence PropertyCondition we do not check that the offset returned by
the structure of the object in the equivalence condition is valid. The offset might be wrong for many reasons.
The one we now test for is when the GlobalObject has a property that becomes a variable: the property is deleted,
thus the offset is now invalid.

  • bytecode/PropertyCondition.cpp:

(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):

  • tests/stress/global-property-into-variable-get-from-scope.js: Added.
Location:
trunk/Source/JavaScriptCore
Files:
1 added
2 edited
  • trunk/Source/JavaScriptCore/ChangeLog

    r195460 r195462  
     12016-01-22  Keith Miller  <keith_miller@apple.com>
     2
     3        Equivalence PropertyCondition needs to check the offset it uses to load the value from is not invalidOffset
     4        https://bugs.webkit.org/show_bug.cgi?id=152912
     5
     6        Reviewed by Mark Lam.
     7
     8        When checking the validity of an Equivalence PropertyCondition we do not check that the offset returned by
     9        the structure of the object in the equivalence condition is valid. The offset might be wrong for many reasons.
     10        The one we now test for is when the GlobalObject has a property that becomes a variable the property is deleted
     11        thus the offset is now invalid.
     12
     13        * bytecode/PropertyCondition.cpp:
     14        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
     15        * tests/stress/global-property-into-variable-get-from-scope.js: Added.
     16
    1172016-01-22  Keith Miller  <keith_miller@apple.com>
    218
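Review bot: The ChangeLog entry lists tests/stress/global-property-into-variable-get-from-scope.js as added, and the changeset summary above says "1 added", but that file's contents do not appear in the diff shown on this page; reviewers should confirm the test is actually part of the commit, since the description of the GlobalObject property-to-variable case is only verifiable through that test. Minor style point in lines 10-11 of the entry: "becomes a variable the property is deleted thus the offset is now invalid" reads as a run-on; a colon or full stop after "variable" would make the cause-and-effect clear.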
  • trunk/Source/JavaScriptCore/bytecode/PropertyCondition.cpp

    r192693 r195462  
    173173       
    174174        PropertyOffset currentOffset = structure->getConcurrently(uid());
     175        if (currentOffset == invalidOffset) {
     176            if (verbose) {
     177                dataLog(
     178                    "Invalid because the base no long appears to have ", uid(), " on its structure: ",
     179                        RawPointer(base), "\n");
     180            }
     181            return false;
     182        }
     183
    175184        JSValue currentValue = base->getDirect(currentOffset);
    176185        if (currentValue != requiredValue()) {
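Review bot: The added early-return in isStillValidAssumingImpurePropertyWatchpoint correctly guards the subsequent `base->getDirect(currentOffset)` against an invalidOffset, which is the fix the bug report asks for; one nit in the new verbose log message: "the base no long appears to have" should read "the base no longer appears to have". It would also help future readers to add a one-line comment above the check naming the scenario from the ChangeLog (a global property that became a variable and was deleted from the structure), since nothing in the code itself explains why the offset can be invalid here.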