Bug 145421

Summary: LazyNode comparison can return incorrect results when comparing an empty value
Product: WebKit Reporter: Basile Clement <basile_clement>
Component: New BugsAssignee: Basile Clement <basile_clement>
Status: RESOLVED FIXED    
Severity: Normal CC: darin, fpizlo, ggaren
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch ggaren: review+

Basile Clement
Reported 2015-05-27 16:29:23 PDT
LazyNode comparison can return incorrect results when comparing an empty value
Attachments
Patch (1.96 KB, patch)
2015-05-27 16:36 PDT, Basile Clement 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Basile Clement
Comment 1 2015-05-27 16:36:32 PDT
Created attachment 253813 [details] Patch
Geoffrey Garen
Comment 2 2015-05-27 16:44:46 PDT
Comment on attachment 253813 [details] Patch r=me
Basile Clement
Comment 3 2015-05-27 16:47:55 PDT
Committed r184927: <http://trac.webkit.org/changeset/184927>
Darin Adler
Comment 4 2015-05-28 11:49:43 PDT
Did this bug have a symptom? Can we make a regression test?
Basile Clement
Comment 5 2015-05-28 12:12:06 PDT
(In reply to comment #4) > Did this bug have a symptom? Can we make a regression test? I don't think there is a code path that can trigger this bug in ToT. LazyNode has been introduced recently (http://trac.webkit.org/changeset/184776), and as far as I know, the only place where we are comparing them is when comparing the indexes of HeapLocations, and then only after we ensured the kind/heap/base are equal. As the heap + kind of a HeapLocation determine whether is has an index or not, the comparison of LazyNodes won't be reached in the case where only one is non-null.
Note You need to log in before you can comment on or make changes to this bug.