<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[195462] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/195462">195462</a></dd>
<dt>Author</dt> <dd>keith_miller@apple.com</dd>
<dt>Date</dt> <dd>2016-01-22 11:31:06 -0800 (Fri, 22 Jan 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Equivalence PropertyCondition needs to check the offset it uses to load the value from is not invalidOffset
https://bugs.webkit.org/show_bug.cgi?id=152912
Reviewed by Mark Lam.
When checking the validity of an Equivalence PropertyCondition we do not check that the offset returned by
the structure of the object in the equivalence condition is valid. The offset might be wrong for many reasons.
The one we now test for is when the GlobalObject has a property that becomes a variable the property is deleted
thus the offset is now invalid.
* bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
* tests/stress/global-property-into-variable-get-from-scope.js: Added.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodePropertyConditioncpp">trunk/Source/JavaScriptCore/bytecode/PropertyCondition.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoretestsstressglobalpropertyintovariablegetfromscopejs">trunk/Source/JavaScriptCore/tests/stress/global-property-into-variable-get-from-scope.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (195461 => 195462)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2016-01-22 18:47:38 UTC (rev 195461)
+++ trunk/Source/JavaScriptCore/ChangeLog 2016-01-22 19:31:06 UTC (rev 195462)
</span><span class="lines">@@ -1,5 +1,21 @@
</span><span class="cx"> 2016-01-22 Keith Miller <keith_miller@apple.com>
</span><span class="cx">
</span><ins>+ Equivalence PropertyCondition needs to check the offset it uses to load the value from is not invalidOffset
+ https://bugs.webkit.org/show_bug.cgi?id=152912
+
+ Reviewed by Mark Lam.
+
+ When checking the validity of an Equivalence PropertyCondition we do not check that the offset returned by
+ the structure of the object in the equivalence condition is valid. The offset might be wrong for many reasons.
+ The one we now test for is when the GlobalObject has a property that becomes a variable the property is deleted
+ thus the offset is now invalid.
+
+ * bytecode/PropertyCondition.cpp:
+ (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
+ * tests/stress/global-property-into-variable-get-from-scope.js: Added.
+
+2016-01-22 Keith Miller <keith_miller@apple.com>
+
</ins><span class="cx"> [ES6] Add Symbol.species properties to the relevant constructors
</span><span class="cx"> https://bugs.webkit.org/show_bug.cgi?id=153339
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodePropertyConditioncpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/PropertyCondition.cpp (195461 => 195462)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/PropertyCondition.cpp 2016-01-22 18:47:38 UTC (rev 195461)
+++ trunk/Source/JavaScriptCore/bytecode/PropertyCondition.cpp 2016-01-22 19:31:06 UTC (rev 195462)
</span><span class="lines">@@ -172,6 +172,15 @@
</span><span class="cx"> // https://bugs.webkit.org/show_bug.cgi?id=134641
</span><span class="cx">
</span><span class="cx"> PropertyOffset currentOffset = structure->getConcurrently(uid());
</span><ins>+ if (currentOffset == invalidOffset) {
+ if (verbose) {
+ dataLog(
+ "Invalid because the base no long appears to have ", uid(), " on its structure: ",
+ RawPointer(base), "\n");
+ }
+ return false;
+ }
+
</ins><span class="cx"> JSValue currentValue = base->getDirect(currentOffset);
</span><span class="cx"> if (currentValue != requiredValue()) {
</span><span class="cx"> if (verbose) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressglobalpropertyintovariablegetfromscopejs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/global-property-into-variable-get-from-scope.js (0 => 195462)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/global-property-into-variable-get-from-scope.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/global-property-into-variable-get-from-scope.js 2016-01-22 19:31:06 UTC (rev 195462)
</span><span class="lines">@@ -0,0 +1,13 @@
</span><ins>+// This tests a bug that occured because we have noInline as a global
+// property then is set to a global variable in the load of standalone-pre.js.
+// Once we get to the DFG we still think that noInline is a global property
+// based on an old global object structure. This would cause a crash when we
+// attempted to create an equivalence condition for the get_from_scope of
+// noInline as the current global object would not have noInline as a property
+// at that point and we would attempt to access the value at an invalid offset.
+
+load("resources/standalone-pre.js");
+
+noInline();
+
+for (i = 0; i < 100000; i++);
</ins></span></pre>
</div>
</div>
</body>
</html>