Bug 145421

Summary: LazyNode comparison can return incorrect results when comparing an empty value
Product: WebKit Reporter: Basile Clement <basile_clement>
Component: New Bugs Assignee: Basile Clement <basile_clement>
Status: RESOLVED FIXED    
Severity: Normal CC: darin, fpizlo, ggaren
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Patch (Flags: ggaren: review+)

Description Basile Clement 2015-05-27 16:29:23 PDT
LazyNode comparison can return incorrect results when comparing an empty value
Comment 1 Basile Clement 2015-05-27 16:36:32 PDT
Created attachment 253813 [details]
Patch
Comment 2 Geoffrey Garen 2015-05-27 16:44:46 PDT
Comment on attachment 253813 [details]
Patch

r=me
Comment 3 Basile Clement 2015-05-27 16:47:55 PDT
Committed r184927: <http://trac.webkit.org/changeset/184927>
Comment 4 Darin Adler 2015-05-28 11:49:43 PDT
Did this bug have a symptom? Can we make a regression test?
Comment 5 Basile Clement 2015-05-28 12:12:06 PDT
(In reply to comment #4)
> Did this bug have a symptom? Can we make a regression test?

I don't think there is a code path that can trigger this bug in ToT.

LazyNode has been introduced recently (http://trac.webkit.org/changeset/184776), and as far as I know, the only place where we are comparing them is when comparing the indexes of HeapLocations, and then only after we ensured the kind/heap/base are equal.
As the heap + kind of a HeapLocation determine whether it has an index or not, the comparison of LazyNodes won't be reached in the case where only one is non-null.