WebKit Bugzilla
Attachment 343729 Details for Bug 187106: Add logging to try to diagnose where we get a null structure.
Patch: bug-187106-20180627110957.patch (text/plain), 3.64 KB, created by Keith Miller on 2018-06-27 11:09:59 PDT
Description: Patch
Filename: bug-187106-20180627110957.patch
MIME Type: text/plain
Creator: Keith Miller
Created: 2018-06-27 11:09:59 PDT
Size: 3.64 KB
Flags: patch, obsolete
>Subversion Revision: 233121 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 9d9006aaa46ee62f214cb0e777611712f2af47ea..786f5f89551a03917625763dd910f6ff8eabda20 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,18 @@ >+2018-06-27 Keith Miller <keith_miller@apple.com> >+ >+ Add logging to try to diagnose where we get a null structure. >+ https://bugs.webkit.org/show_bug.cgi?id=187106 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Add a logging to JSObject::toPrimitive to help diagnose a nullptr >+ structure crash. >+ >+ * runtime/JSObject.cpp: >+ (JSC::callToPrimitiveFunction): >+ * runtime/JSObject.h: >+ (JSC::JSObject::getPropertySlot): >+ > 2018-06-22 Keith Miller <keith_miller@apple.com> > > unshift should zero unused property storage >diff --git a/Source/JavaScriptCore/runtime/JSObject.cpp b/Source/JavaScriptCore/runtime/JSObject.cpp >index 52dc8868745a09793355e2d2d038de4fa524b6dd..053dc75a53980022c58bce7b8a1fc2b03cd00588 100644 >--- a/Source/JavaScriptCore/runtime/JSObject.cpp >+++ b/Source/JavaScriptCore/runtime/JSObject.cpp >@@ -2010,7 +2010,11 @@ static ALWAYS_INLINE JSValue callToPrimitiveFunction(ExecState* exec, const JSOb > VM& vm = exec->vm(); > auto scope = DECLARE_THROW_SCOPE(vm); > >- JSValue function = object->get(exec, propertyName); >+ PropertySlot slot(object, PropertySlot::InternalMethodType::Get); >+ constexpr bool debugNullStructure = mode == TypeHintMode::TakesHint; >+ const_cast<JSObject*>(object)->getPropertySlot<debugNullStructure>(exec, propertyName, slot); >+ RETURN_IF_EXCEPTION(scope, scope.exception()); >+ JSValue function = slot.getValue(exec, propertyName); > RETURN_IF_EXCEPTION(scope, scope.exception()); > if (function.isUndefinedOrNull() && mode == TypeHintMode::TakesHint) > return JSValue(); 
>diff --git a/Source/JavaScriptCore/runtime/JSObject.h b/Source/JavaScriptCore/runtime/JSObject.h >index 819346c765eb5043bb8fd7fdcc51cd2985dd1a5c..64fb18c42761f58444c3d489cc99e068cce22da2 100644 >--- a/Source/JavaScriptCore/runtime/JSObject.h >+++ b/Source/JavaScriptCore/runtime/JSObject.h >@@ -167,6 +167,7 @@ public: > JSValue get(ExecState*, PropertyName) const; > JSValue get(ExecState*, unsigned propertyName) const; > >+ template<bool checkNullStructure = false> > bool getPropertySlot(ExecState*, PropertyName, PropertySlot&); > bool getPropertySlot(ExecState*, unsigned propertyName, PropertySlot&); > template<typename CallbackWhenNoException> typename std::result_of<CallbackWhenNoException(bool, PropertySlot&)>::type getPropertySlot(ExecState*, PropertyName, CallbackWhenNoException) const; >@@ -1389,6 +1390,7 @@ ALWAYS_INLINE bool JSObject::getOwnPropertySlot(JSObject* object, ExecState* exe > > // It may seem crazy to inline a function this large but it makes a big difference > // since this is function very hot in variable lookup >+template<bool checkNullStructure> > ALWAYS_INLINE bool JSObject::getPropertySlot(ExecState* exec, PropertyName propertyName, PropertySlot& slot) > { > VM& vm = exec->vm(); >@@ -1408,6 +1410,8 @@ ALWAYS_INLINE bool JSObject::getPropertySlot(ExecState* exec, PropertyName prope > } > ASSERT(object->type() != ProxyObjectType); > Structure* structure = structureIDTable.get(object->structureID()); >+ if (checkNullStructure && UNLIKELY(!structure)) >+ CRASH_WITH_INFO(object->type(), object->structureID(), structureIDTable.size()); > if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot)) > return true; > // FIXME: This doesn't look like it's following the specification:
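Review bot: the ChangeLog hunk still carries the `Reviewed by NOBODY (OOPS!).` placeholder, which has to be filled in before this lands, and the description line `Add a logging to JSObject::toPrimitive to help diagnose a nullptr` should read `Add logging to JSObject::toPrimitive ...`. The entry's own function list names `JSC::callToPrimitiveFunction` as the changed function, so mentioning that name in the description would make the entry easier to match against the diff.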
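Review bot: in the `callToPrimitiveFunction` hunk in JSObject.cpp the boolean result of `getPropertySlot` is discarded, so `slot.getValue(exec, propertyName)` is evaluated even when the property was not found. The replaced `object->get(exec, propertyName)` call is what the following `function.isUndefinedOrNull()` test was written against, so the new code should keep that contract by capturing the result, e.g. `bool hasProperty = const_cast<JSObject*>(object)->getPropertySlot<debugNullStructure>(exec, propertyName, slot);` followed by the existing `RETURN_IF_EXCEPTION` and then `JSValue function = hasProperty ? slot.getValue(exec, propertyName) : jsUndefined();`, rather than reading from a slot that may never have been filled. The `const_cast<JSObject*>` is needed only because the templated `getPropertySlot` is non-const while `object` is a `const JSObject*`; a short comment saying so would stop the cast from looking like a mistake.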
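Review bot: the new `template<bool checkNullStructure = false>` parameter on the `getPropertySlot(ExecState*, PropertyName, PropertySlot&)` declaration in JSObject.h has no comment explaining that it is a temporary diagnostic (crash with structure info when the Structure is null) meant to be enabled only on the `TakesHint` path in `callToPrimitiveFunction`; a one-line comment on the declaration would keep other call sites from switching it on in a function the code itself describes as "very hot". It is also worth stating that only the `PropertyName` overload is templated, so the `unsigned propertyName` overload directly below it stays unchecked by design.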
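Review bot: in the last JSObject.h hunk the crash report records `object->type()`, `object->structureID()` and `structureIDTable.size()` for the local `object`, which inside this lookup is not necessarily `this` (the receiver), so a report alone cannot tell whether the null Structure belongs to the original object or to an object further along the lookup; if `CRASH_WITH_INFO` accepts another argument, passing `object == this` (or the number of steps taken so far) would make the diagnostic far more useful. The placement itself is right: the check sits after `structureIDTable.get(object->structureID())` and before `getOwnNonIndexPropertySlot` receives `structure`, and `type()` and `structureID()` read the cell header rather than the Structure, so the diagnostic path never dereferences the null pointer it is reporting.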
Attachments on bug 187106: 343729 | 343732 | 343740 | 343748