<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[200980] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/200980">200980</a></dd>
<dt>Author</dt> <dd>sbarati@apple.com</dd>
<dt>Date</dt> <dd>2016-05-16 16:27:27 -0700 (Mon, 16 May 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>TypeSet/StructureShape have a flawed sense of JS prototype chains
https://bugs.webkit.org/show_bug.cgi?id=157760

Reviewed by Joseph Pecoraro.

There was an assumption that we would bottom out in "Object". This is
not true for many reasons. JS objects may not end in Object.prototype.
Also, our mechanism of grabbing an Object's class name may also not
bottom out in "Object". We were seeing this in the JS objects we use
in the InjectedScriptSource.js inspector script.

* runtime/TypeSet.cpp:
(JSC::StructureShape::leastCommonAncestor):
* tests/typeProfiler/weird-prototype-chain.js: Added.
(wrapper.foo):
(wrapper.let.o2):
(wrapper):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeTypeSetcpp">trunk/Source/JavaScriptCore/runtime/TypeSet.cpp</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreteststypeProfilerweirdprototypechainjs">trunk/Source/JavaScriptCore/tests/typeProfiler/weird-prototype-chain.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (200979 => 200980)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2016-05-16 23:21:32 UTC (rev 200979)
+++ trunk/Source/JavaScriptCore/ChangeLog        2016-05-16 23:27:27 UTC (rev 200980)
</span><span class="lines">@@ -1,3 +1,23 @@
</span><ins>+2016-05-16 Saam barati <sbarati@apple.com>
+
+ TypeSet/StructureShape have a flawed sense of JS prototype chains
+ https://bugs.webkit.org/show_bug.cgi?id=157760
+
+ Reviewed by Joseph Pecoraro.
+
+ There was an assumption that we would bottom out in "Object". This is
+ not true for many reasons. JS objects may not end in Object.prototype.
+ Also, our mechanism of grabbing an Object's class name may also not
+ bottom out in "Object". We were seeing this in the JS objects we use
+ in the InjectedScriptSource.js inspector script.
+
+ * runtime/TypeSet.cpp:
+ (JSC::StructureShape::leastCommonAncestor):
+ * tests/typeProfiler/weird-prototype-chain.js: Added.
+ (wrapper.foo):
+ (wrapper.let.o2):
+ (wrapper):
+
</ins><span class="cx"> 2016-05-16 Joseph Pecoraro <pecoraro@apple.com>
</span><span class="cx">
</span><span class="cx"> Unreviewed rollout r200924. Caused js/regress/string-replace-generic.html to fail.
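Review bot: the entry states the flawed assumption but never says what the fix does; add one sentence saying that JSC::StructureShape::leastCommonAncestor now returns "Object" (its top type) when the prototype walk reaches a null prototype, instead of failing RELEASE_ASSERT(origin), so a reader of the ChangeLog does not have to open TypeSet.cpp to learn the new behaviour.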
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeTypeSetcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/TypeSet.cpp (200979 => 200980)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/TypeSet.cpp        2016-05-16 23:21:32 UTC (rev 200979)
+++ trunk/Source/JavaScriptCore/runtime/TypeSet.cpp        2016-05-16 23:27:27 UTC (rev 200980)
</span><span class="lines">@@ -386,8 +386,10 @@
</span><span class="cx"> }
</span><span class="cx"> if (!foundLUB) {
</span><span class="cx"> origin = origin->m_proto;
</span><del>- // All Objects must share the 'Object' Prototype. Therefore, at the very least, we should always converge on 'Object' before reaching a null prototype.
- RELEASE_ASSERT(origin);
</del><ins>+ // This is unlikely to happen, because we usually bottom out at "Object", but there are some sets of Objects
+ // that may cause this behavior. We fall back to "Object" because it's our version of Top.
+ if (!origin)
+ return ASCIILiteral("Object");
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
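Review bot: the replacement comment calls the null-prototype case "unlikely", yet the test added in this same change reaches it with a Number whose __proto__ is set to null and with a plain function, and the description says it was already showing up in the inspector's InjectedScriptSource.js objects; reword the comment to name those cases and the second cause from the description (the class-name lookup not bottoming out in "Object"), so a later reader does not reinstate the assertion as "unreachable". It is also worth one sentence stating that returning "Object" is deliberately lossy: such sets will display as the top type rather than a more specific name.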
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreteststypeProfilerweirdprototypechainjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/typeProfiler/weird-prototype-chain.js (0 => 200980)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/typeProfiler/weird-prototype-chain.js         (rev 0)
+++ trunk/Source/JavaScriptCore/tests/typeProfiler/weird-prototype-chain.js        2016-05-16 23:27:27 UTC (rev 200980)
</span><span class="lines">@@ -0,0 +1,21 @@
</span><ins>+load("./driver/driver.js");
+
+function wrapper() {
+
+function foo(o) {
+ let variableName = o;
+ return variableName;
+}
+let o1 = new Number;
+o1.__proto__ = null;
+foo(o1);
+
+let o2 = function() {}
+foo(o2);
+
+}
+wrapper();
+
+// ====== End test cases ======
+var types = findTypeForExpression(wrapper, "variableName;");
+assert(types.instructionTypeSet.displayTypeName === "Object", "'Object' should be our TOP.");
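Review bot: the assertion only checks the merged TypeSet of variableName after both foo(o1) and foo(o2) have run; splitting this into two observed expressions (or two tests), one seeing only the null-prototype Number and one seeing only the function, would show which shape drives the walk to a null prototype and would stop either case from masking a regression in the other. Minor: `let o2 = function() {}` is missing its trailing semicolon, unlike the other statements in the file.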
</ins></span></pre>
</div>
</div>
</body>
</html>