Bug 229951

Summary: IntrinsicGetterAccessCase implementation of __proto__ needs to handle get_by_id_with_this
Product: WebKit Reporter: Lukas Bernhard <lukas.bernhard>
Component: JavaScriptCore
Assignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, ews-watchlist, keith_miller, mark.lam, msaboff, product-security, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: PC   
OS: Linux   
Attachments (description, flags):
patch — none
patch — none

Description Lukas Bernhard 2021-09-06 02:27:01 PDT
During differential testing of WebKit I found a sample triggering a miscomputation related to the super.__proto__ field. Depending on optimization level the value unexpectedly becomes "null".

The sample is invoked as:
WebKitBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true sample.js

Changing --useFTLJIT=true to false changes the output.

function main() {
    let v41;

    // v37 is assigned without a declaration, so it becomes an implicit global.
    v37 = class V37 {
        constructor() {
            // super.__proto__ is a get_by_id_with_this access: the __proto__ getter
            // on Object.prototype must be invoked with the new instance as |this|.
            v41 = super.__proto__;
        }
    };

    for (let v70 = 0; v70 < 100; v70++) {
        // decreasing the loop count to other values, e.g. 20 changes the behavior
        new v37();
    }

    print(v41); // outputs [object Object] or null, depending on --useFTLJIT=true/false
}
// jsc shell hooks: keep main() itself out of the DFG/FTL so that only the
// constructor's super.__proto__ access tiers up.
noDFG(main);
noFTL(main);
main();
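The expected semantics behind this report, as an added engine-independent check rather than code from the bug or the WebKit patch: super.prop looks the property up on the home object's prototype but passes the receiver as |this| to any getter, so super.__proto__ must yield V37.prototype. The last function assumes, following comment 3, that the null came from the __proto__ getter being called with the wrong |this|, and shows what each receiver produces via Reflect.get.

```javascript
// Constructed regression check for super.__proto__ (not part of the bug report).
// Object.prototype.__proto__ is an accessor, so super.__proto__ inside V37's
// constructor must call that getter with the new instance as |this| and
// therefore return Object.getPrototypeOf(instance) === V37.prototype.
class V37 {
  constructor() {
    this.viaSuper = super.__proto__;
  }
}

// Repeat the access so a tiering JIT has a chance to compile it; every
// iteration must still observe V37.prototype, never null.
function superProtoIsReceiverProto(iterations = 100) {
  let last;
  for (let i = 0; i < iterations; i++) {
    last = new V37().viaSuper;
  }
  return last === V37.prototype;
}

// Same rule with a user-defined getter: it lives on Base.prototype (the home
// object's prototype) but must see the Derived instance as |this|.
function receiverPassedToSuperGetter() {
  const seen = [];
  class Base {
    get whoIsThis() { seen.push(this); return this; }
  }
  class Derived extends Base {
    constructor() { super(); this.result = super.whoIsThis; }
  }
  const d = new Derived();
  return d.result === d && seen.length === 1 && seen[0] === d;
}

// What the __proto__ getter returns for a given receiver (assumed model of the
// miscompile): the correct receiver gives V37.prototype, while calling the
// getter with the base object Object.prototype as |this| gives null.
function protoGetterWithReceiver(receiver) {
  return Reflect.get(Object.prototype, '__proto__', receiver);
}
```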
Comment 1 Radar WebKit Bug Importer 2021-09-06 02:27:13 PDT
<rdar://problem/82787527>
Comment 2 Saam Barati 2021-10-01 13:20:26 PDT
Our IntrinsicGetter IC is using the wrong structure
Comment 3 Saam Barati 2021-10-01 16:00:06 PDT
(In reply to Saam Barati from comment #2)
> Our IntrinsicGetter IC is using the wrong structure

This is wrong. It's using the wrong |this| for the "getter" access.
Comment 4 Saam Barati 2021-10-01 17:06:58 PDT
Created attachment 439938 [details]
patch
Comment 5 Saam Barati 2021-10-01 23:56:11 PDT
Created attachment 439956 [details]
patch
Comment 6 Yusuke Suzuki 2021-10-02 15:39:28 PDT
Comment on attachment 439956 [details]
patch

r=me
Comment 7 EWS 2021-10-04 12:58:13 PDT
Committed r283512 (242480@main): <https://commits.webkit.org/242480@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 439956 [details].