Changeset 206844 in webkit


Ignore:
Timestamp:
Oct 5, 2016 9:24:57 PM (8 years ago)
Author:
Yusuke Suzuki
Message:

[JSC] Do not construct Simple GetByIdStatus against self-custom-accessor case
https://bugs.webkit.org/show_bug.cgi?id=162993

Reviewed by Filip Pizlo.

We accidentally created a Simple GetByIdStatus against self-custom-accessor case: the object has own custom accessor property and get_by_id hits.
If we returned such a result, the GetById will be turned to GetByOffset and it looks up incorrect thing like CustomGetterSetter object.
We do not hit this bug before since maybe there is no object that has own custom-accessor and this custom-accessor does not raise an error.
For example, "Node.prototype" has "firstChild" custom accessor. But since "Node.prototype" itself does not have Node::info(), "Node.prototype.firstChild"
access always raises an error. I guess all the custom accessors follow this pattern. This bug is uncovered when testing DOMJIT (This bug causes crash and
it can occur even if we disabled DOMJIT).

But such a assumption is not guaranteed. In this patch, we fix this by not returning Simple GetById.

  • bytecode/GetByIdStatus.cpp:

(JSC::GetByIdStatus::computeFromLLInt):
(JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::GetByIdStatus::computeFor):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r206841 r206844  
     12016-10-05  Yusuke Suzuki  <utatane.tea@gmail.com>
     2
     3        [JSC] Do not construct Simple GetByIdStatus against self-custom-accessor case
     4        https://bugs.webkit.org/show_bug.cgi?id=162993
     5
     6        Reviewed by Filip Pizlo.
     7
     8        We accidentally created a Simple GetByIdStatus against self-custom-accessor case: the object has own custom accessor property and get_by_id hits.
     9        If we returned such a result, the GetById will be turned to GetByOffset and it looks up incorrect thing like CustomGetterSetter object.
     10        We do not hit this bug before since maybe there is no object that has own custom-accessor and this custom-accessor does not raise an error.
     11        For example, "Node.prototype" has "firstChild" custom accessor. But since "Node.prototype" itself does not have Node::info(), "Node.prototype.firstChild"
     12        access always raises an error. I guess all the custom accessors follow this pattern. This bug is uncovered when testing DOMJIT (This bug causes crash and
     13        it can occur even if we disabled DOMJIT).
     14
     15        But such a assumption is not guaranteed. In this patch, we fix this by not returning Simple GetById.
     16
     17        * bytecode/GetByIdStatus.cpp:
     18        (JSC::GetByIdStatus::computeFromLLInt):
     19        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
     20        (JSC::GetByIdStatus::computeFor):
     21
    1222016-10-05  Saam Barati  <sbarati@apple.com>
    223

  • trunk/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp

    r206779 r206844  
    9898        return GetByIdStatus(NoInformation, false);
    9999
    100     unsigned attributesIgnored;
    101     PropertyOffset offset = structure->getConcurrently(uid, attributesIgnored);
     100    unsigned attributes;
     101    PropertyOffset offset = structure->getConcurrently(uid, attributes);
    102102    if (!isValidOffset(offset))
     103        return GetByIdStatus(NoInformation, false);
     104    if (attributes & CustomAccessor)
    103105        return GetByIdStatus(NoInformation, false);
    104106   
     
    177179        if (structure->takesSlowPathInDFGForImpureProperty())
    178180            return GetByIdStatus(slowPathState, true);
    179         unsigned attributesIgnored;
     181        unsigned attributes;
    180182        GetByIdVariant variant;
    181         variant.m_offset = structure->getConcurrently(uid, attributesIgnored);
     183        variant.m_offset = structure->getConcurrently(uid, attributes);
    182184        if (!isValidOffset(variant.m_offset))
     185            return GetByIdStatus(slowPathState, true);
     186        if (attributes & CustomAccessor)
    183187            return GetByIdStatus(slowPathState, true);
    184188       
     
    344348        if (attributes & Accessor)
    345349            return GetByIdStatus(MakesCalls); // We could be smarter here, like strength-reducing this to a Call.
     350        if (attributes & CustomAccessor)
     351            return GetByIdStatus(TakesSlowPath);
    346352       
    347353        if (!result.appendVariant(GetByIdVariant(structure, offset)))
Note: See TracChangeset for help on using the changeset viewer.