Bug 152912

Summary: Equivalence PropertyCondition needs to check the offset it uses to load the value from is not invalidOffset
Product: WebKit Reporter: Keith Miller <keith_miller>
Component: New BugsAssignee: Keith Miller <keith_miller>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, mark.lam, msaboff, saam
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Keith Miller
Reported 2016-01-08 11:40:35 PST
Equivalence PropertyCondition needs to check the offset it uses to load the value from is not invalidOffset
Attachments
Patch (2.75 KB, patch)
2016-01-21 15:14 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
Patch (3.28 KB, patch)
2016-01-21 16:14 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
Patch (3.28 KB, patch)
2016-01-21 16:16 PST, Keith Miller 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Keith Miller
Comment 1 2016-01-21 15:14:05 PST
Created attachment 269501 [details] Patch
Keith Miller
Comment 2 2016-01-21 15:15:57 PST
Note that this patch does not fix https://bugs.webkit.org/show_bug.cgi?id=134641, which is still a race and is not so awesome.
Mark Lam
Comment 3 2016-01-21 15:25:00 PST
Comment on attachment 269501 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=269501&action=review > Source/JavaScriptCore/tests/stress/global-property-into-variable-get-from-scope.js:5 > +load("resources/standalone-pre.js"); > + > +noInline(); > + > +for (i = 0; i < 100000; i++); How does this test the above issue?
Keith Miller
Comment 4 2016-01-21 16:14:25 PST
Created attachment 269511 [details] Patch
Keith Miller
Comment 5 2016-01-21 16:15:17 PST
(In reply to comment #3) > Comment on attachment 269501 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=269501&action=review > > > Source/JavaScriptCore/tests/stress/global-property-into-variable-get-from-scope.js:5 > > +load("resources/standalone-pre.js"); > > + > > +noInline(); > > + > > +for (i = 0; i < 100000; i++); > > How does this test the above issue? Added a comment that should hopefully clarify what I knew about the cause of the bug to the test.
Keith Miller
Comment 6 2016-01-21 16:16:09 PST
Created attachment 269512 [details] Patch
Mark Lam
Comment 7 2016-01-22 10:39:08 PST
Comment on attachment 269512 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=269512&action=review r=me > Source/JavaScriptCore/tests/stress/global-property-into-variable-get-from-scope.js:7 > +// at that point and we would attempt to access the value at an invalid offset. nit: Maybe add a "See https://bugs.webkit.org/show_bug.cgi?id=152912." here?
WebKit Commit Bot
Comment 8 2016-01-22 11:31:16 PST
Comment on attachment 269512 [details] Patch Clearing flags on attachment: 269512 Committed r195462: <http://trac.webkit.org/changeset/195462>
WebKit Commit Bot
Comment 9 2016-01-22 11:31:20 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.