WebKit Bugzilla
Attachment 343748 Details for Bug 187106: Add logging to try to diagnose where we get a null structure.
[patch] Patch for landing
bug-187106-20180627133259.patch (text/plain), 3.91 KB, created by Keith Miller on 2018-06-27 13:33:00 PDT
Flags: patch, obsolete
>Subversion Revision: 233121 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index 9d9006aaa46ee62f214cb0e777611712f2af47ea..dc0576039adf0417b0e149f518cdb08d22dff073 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,20 @@ >+2018-06-27 Keith Miller <keith_miller@apple.com> >+ >+ Add logging to try to diagnose where we get a null structure. >+ https://bugs.webkit.org/show_bug.cgi?id=187106 >+ >+ Reviewed by Mark Lam. >+ >+ Add a logging to JSObject::toPrimitive to help diagnose a nullptr >+ structure crash. >+ >+ This code should be removed when we fix <rdar://problem/33451840> >+ >+ * runtime/JSObject.cpp: >+ (JSC::callToPrimitiveFunction): >+ * runtime/JSObject.h: >+ (JSC::JSObject::getPropertySlot): >+ > 2018-06-22 Keith Miller <keith_miller@apple.com> > > unshift should zero unused property storage >diff --git a/Source/JavaScriptCore/runtime/JSObject.cpp b/Source/JavaScriptCore/runtime/JSObject.cpp >index 52dc8868745a09793355e2d2d038de4fa524b6dd..5b5503beaa67f05515664983ae25506698ca6ea2 100644 >--- a/Source/JavaScriptCore/runtime/JSObject.cpp >+++ b/Source/JavaScriptCore/runtime/JSObject.cpp 
>@@ -2010,7 +2010,13 @@ static ALWAYS_INLINE JSValue callToPrimitiveFunction(ExecState* exec, const JSOb > VM& vm = exec->vm(); > auto scope = DECLARE_THROW_SCOPE(vm); > >- JSValue function = object->get(exec, propertyName); >+ PropertySlot slot(object, PropertySlot::InternalMethodType::Get); >+ // FIXME: Remove this when we have fixed: rdar://problem/33451840 >+ // https://bugs.webkit.org/show_bug.cgi?id=187109. >+ constexpr bool debugNullStructure = mode == TypeHintMode::TakesHint; >+ bool hasProperty = const_cast<JSObject*>(object)->getPropertySlot<debugNullStructure>(exec, propertyName, slot); >+ RETURN_IF_EXCEPTION(scope, scope.exception()); >+ JSValue function = hasProperty ? slot.getValue(exec, propertyName) : jsUndefined(); > RETURN_IF_EXCEPTION(scope, scope.exception()); > if (function.isUndefinedOrNull() && mode == TypeHintMode::TakesHint) > return JSValue(); >diff --git a/Source/JavaScriptCore/runtime/JSObject.h b/Source/JavaScriptCore/runtime/JSObject.h >index 819346c765eb5043bb8fd7fdcc51cd2985dd1a5c..97c61ccdedcd2b51f823e34bb8d1ab35608d4178 100644 >--- a/Source/JavaScriptCore/runtime/JSObject.h >+++ b/Source/JavaScriptCore/runtime/JSObject.h >@@ -167,6 +167,7 @@ public: > JSValue get(ExecState*, PropertyName) const; > JSValue get(ExecState*, unsigned propertyName) const; > >+ template<bool checkNullStructure = false> > bool getPropertySlot(ExecState*, PropertyName, PropertySlot&); > bool getPropertySlot(ExecState*, unsigned propertyName, PropertySlot&); > template<typename CallbackWhenNoException> typename std::result_of<CallbackWhenNoException(bool, PropertySlot&)>::type getPropertySlot(ExecState*, PropertyName, CallbackWhenNoException) const; 
>@@ -1389,6 +1390,7 @@ ALWAYS_INLINE bool JSObject::getOwnPropertySlot(JSObject* object, ExecState* exe > > // It may seem crazy to inline a function this large but it makes a big difference > // since this is function very hot in variable lookup >+template<bool checkNullStructure> > ALWAYS_INLINE bool JSObject::getPropertySlot(ExecState* exec, PropertyName propertyName, PropertySlot& slot) > { > VM& vm = exec->vm(); >@@ -1408,6 +1410,10 @@ ALWAYS_INLINE bool JSObject::getPropertySlot(ExecState* exec, PropertyName prope > } > ASSERT(object->type() != ProxyObjectType); > Structure* structure = structureIDTable.get(object->structureID()); >+#if USE(JSVALUE64) >+ if (checkNullStructure && UNLIKELY(!structure)) >+ CRASH_WITH_INFO(object->type(), object->structureID(), structureIDTable.size()); >+#endif > if (object->getOwnNonIndexPropertySlot(vm, structure, propertyName, slot)) > return true; > // FIXME: This doesn't look like it's following the specification:
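Review bot: in the ChangeLog hunk, the entry cites https://bugs.webkit.org/show_bug.cgi?id=187106 and names <rdar://problem/33451840> as the fix that retires this code, while the FIXME added in callToPrimitiveFunction cites bug 187109 next to the same radar; either one bug number is a typo or the ChangeLog is missing the bug that tracks removal. Use the same reference in both places so whoever removes this instrumentation lands on the right bug.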
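Review bot: in the JSObject.cpp hunk, the `const_cast<JSObject*>(object)` exists only because the instrumented `getPropertySlot<debugNullStructure>` overload is non-const, and it carries no comment, so a later reader may read it as part of a fix rather than as diagnostic plumbing. Either extend the FIXME to say the cast goes away with the rest of this code, or thread the template parameter through the const `CallbackWhenNoException` overload that JSObject.h already declares so the cast is not needed. The FIXME should also say that `constexpr bool debugNullStructure = mode == TypeHintMode::TakesHint;` deliberately instruments only the TakesHint lookup, and that the lookups made with the other TypeHintMode still go through `getPropertySlot<false>` and will not produce the CRASH_WITH_INFO record.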
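Review bot: in the first JSObject.h hunk, the default `template<bool checkNullStructure = false>` is placed on the declaration only, with the definition later repeating the template head without a default, which is correct; but the two neighbouring overloads, `getPropertySlot(ExecState*, unsigned propertyName, PropertySlot&)` and the `CallbackWhenNoException` one, are left untemplated, so callers using them cannot reach the check. A short comment beside the template line should state that limit. Since the default turns every existing call into `getPropertySlot<false>`, it is worth stating there as well that the `if (checkNullStructure && ...)` test folds away in that instantiation, so the hot path this function's comment warns about is unchanged for everyone but callToPrimitiveFunction.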
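Review bot: in the second JSObject.h hunk, the null check is wrapped in `#if USE(JSVALUE64)`, so on other configurations `checkNullStructure` is an unused parameter and a null `structure` reaches `getOwnNonIndexPropertySlot` exactly as before; if the gating is intentional because the `structureIDTable.get(object->structureID())` lookup is the suspect, say so in the comment rather than leaving it implied. The `CRASH_WITH_INFO(object->type(), object->structureID(), structureIDTable.size())` record also does not say whether `object` is still the receiver or an object reached further along the lookup, which is the first thing the crash report needs to answer; consider adding a depth counter or a flag for "object is the receiver" to the recorded values, and noting `propertyName` in the comment so the report can be paired with the toPrimitive call that triggered it.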
Attachments on bug 187106: 343729 | 343732 | 343740 | 343748