WebKit Bugzilla
Attachment 342089 Details for Bug 186363: generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype
[patch] patch for landing
a-backup.diff (text/plain), 3.57 KB, created by Saam Barati on 2018-06-06 15:59:49 PDT
Flags: patch (obsolete)
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 232559) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,12 @@ >+2018-06-06 Saam Barati <sbarati@apple.com> >+ >+ generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype >+ https://bugs.webkit.org/show_bug.cgi?id=186363 >+ >+ Rubber-stamped by Filip Pizlo. >+ >+ * stress/instance-of-on-poly-proto-opc-should-not-crash.js: Added. >+ > 2018-06-05 David Fenton <david_fenton@apple.com> > > Temporarily Skip JSC stress test failures that are consistently occurring. >Index: JSTests/stress/instance-of-on-poly-proto-opc-should-not-crash.js >=================================================================== >--- JSTests/stress/instance-of-on-poly-proto-opc-should-not-crash.js (nonexistent) >+++ JSTests/stress/instance-of-on-poly-proto-opc-should-not-crash.js (working copy) >@@ -0,0 +1,28 @@ >+function makePolyProtoObject() { >+ function foo() { >+ class C { >+ constructor() { >+ this._field = 42; >+ this.hello = 33; >+ } >+ }; >+ return new C; >+ } >+ for (let i = 0; i < 15; ++i) >+ foo(); >+ return foo(); >+} >+ >+function foo(o, c) { >+ return o instanceof c; >+} >+noInline(foo); >+ >+class C { } >+ >+let o = makePolyProtoObject(); >+o.__proto__= new C; >+let x = {__proto__: o}; >+for (let i = 0; i < 1000; ++i) { >+ foo(x, C); >+} >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 232558) >+++ Source/JavaScriptCore/ChangeLog (working copy) 
>@@ -1,3 +1,20 @@ >+2018-06-06 Saam Barati <sbarati@apple.com> >+ >+ generateConditionsForInstanceOf needs to see if the object has a poly proto structure before assuming it has a constant prototype >+ https://bugs.webkit.org/show_bug.cgi?id=186363 >+ >+ Rubber-stamped by Filip Pizlo. >+ >+ The code was assuming that the object it was creating an OPC for always >+ had a non-poly-proto structure. However, this assumption was wrong. For >+ example, an object in the prototype chain could be poly proto. That type >+ of object graph would cause a crash in this code. This patch makes it so >+ that we fail to generate an ObjectPropertyConditionSet if we see a poly proto >+ object as we traverse the prototype chain. >+ >+ * bytecode/ObjectPropertyConditionSet.cpp: >+ (JSC::generateConditionsForInstanceOf): >+ > 2018-06-05 Brent Fulgham <bfulgham@apple.com> > > Adjust compile and runtime flags to match shippable state of features >Index: Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp >=================================================================== >--- Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp (revision 232558) >+++ Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp (working copy) >@@ -409,9 +409,13 @@ ObjectPropertyConditionSet generateCondi > didHit = true; > return true; > } >+ >+ Structure* structure = object->structure(vm); >+ if (structure->hasPolyProto()) >+ return false; > conditions.append( > ObjectPropertyCondition::hasPrototype( >- vm, owner, object, object->structure(vm)->storedPrototypeObject())); >+ vm, owner, object, structure->storedPrototypeObject())); > return true; > }); > if (result.isValid()) {
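Review bot: the new stress test only checks that `foo(x, C)` does not crash; with the chain `x -> o -> new C -> C.prototype`, every call must return `true`, so asserting the return value inside the loop (for example `if (!foo(x, C)) throw new Error("bad instanceof result");`) would also catch an ObjectPropertyConditionSet that is generated but wrong, not just one that crashes while being built. Two style nits in the same file: `o.__proto__= new C;` wants a space before `=`, and the `};` closing the inner `class C` in `makePolyProtoObject` carries a stray semicolon after the class declaration.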
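Review bot: the JavaScriptCore ChangeLog says a poly proto object in the prototype chain "would cause a crash in this code" but never names the call that was unsafe; the .cpp hunk shows it is the `storedPrototypeObject()` read that the new `hasPolyProto()` check now guards, and saying so in one sentence (a poly proto structure does not hold a single constant prototype, so there is nothing valid to read) would make the log entry self-explanatory without opening the source.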
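Review bot: the `if (structure->hasPolyProto()) return false;` bail-out in `generateConditionsForInstanceOf` has no comment, and nothing in the visible context says that returning `false` from this traversal callback is what makes the caller's `result.isValid()` check fail; a one-line comment above the check stating that a poly proto structure has no constant stored prototype and therefore no `hasPrototype` condition can be emitted would document both the reason and the contract. The ordering itself looks right: the `didHit = true; return true;` branch above returns before any prototype is read, so it needs no equivalent check, and hoisting `structure` into a local so `storedPrototypeObject()` is read from the same `Structure*` that was just tested for `hasPolyProto()` avoids querying `object->structure(vm)` twice.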