Bug 119830

Summary: Assigning to a readonly global results in DFG byte code parse failure
Product: WebKit Reporter: Oliver Hunt <oliver>
Component: JavaScriptCore Assignee: Oliver Hunt <oliver>
Status: RESOLVED FIXED    
Severity: Normal CC: fpizlo, ggaren
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch fpizlo: review+

Oliver Hunt
Reported 2013-08-14 17:57:52 PDT
JSC fails to compile for (;;) { try { eval("NaN = 0"); } catch(e) {} } due to a parse failure of Dynamic put.
Attachments
Patch (5.46 KB, patch)
2013-08-15 12:39 PDT, Oliver Hunt
fpizlo: review+
Oliver Hunt
Comment 1 2013-08-15 12:39:00 PDT
Filip Pizlo
Comment 2 2013-08-15 12:41:07 PDT
Comment on attachment 208838 [details]
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=208838&action=review

> Source/JavaScriptCore/dfg/DFGCapabilities.cpp:178
> + // If we're writing to a readonly property we emit a Dynamic put that
> + // the DFG can't currently handle.

Really?
Filip Pizlo
Comment 3 2013-08-15 12:41:43 PDT
Comment on attachment 208838 [details]
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=208838&action=review

>> Source/JavaScriptCore/dfg/DFGCapabilities.cpp:178
>> + // the DFG can't currently handle.
>
> Really?

Oh, yeah, really.
Oliver Hunt
Comment 4 2013-08-15 12:43:11 PDT
Filip Pizlo
Comment 5 2013-08-15 14:51:34 PDT
Comment on attachment 208838 [details]
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=208838&action=review

> Source/JavaScriptCore/dfg/DFGCapabilities.cpp:186
> - ResolveType resolveType = static_cast<ResolveType>(pc[3].u.operand);
> + ResolveType resolveType = ResolveModeAndType(pc[4].u.operand).type();

Why? It appears that the DFG bytecodeparser and the bytecompiler both put the type in 3, not 4.