Bug 229951

Summary: IntrinsicGetterAccessCase implementation of __proto__ needs to handle get_by_id_with_this
Product: WebKit Reporter: Lukas Bernhard <lukas.bernhard>
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, ews-watchlist, keith_miller, mark.lam, msaboff, product-security, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
patch
none
patch none

Lukas Bernhard
Reported 2021-09-06 02:27:01 PDT
During differential testing of webkit I found a sample triggering a miscomputation related to super.__proto__ field. Depending on optimization level the value unexpectedly becomes "null". The sample is invoked as: WebKitBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true sample.js Changing --useFTLJIT=true to false changes the output. function main() { let v41; v37 = class V37 { constructor() { v41 = super.__proto__; } }; for (let v70 = 0; v70 < 100; v70++) { // decreasing the loop count to other values, e.g. 20 changes the behavior new v37(); } print(v41); // outputs [object Object] or null, depending on --useFTLJIT=true/false } noDFG(main); noFTL(main); main();
Attachments
patch (9.20 KB, patch)
2021-10-01 17:06 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
patch (10.61 KB, patch)
2021-10-01 23:56 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2021-09-06 02:27:13 PDT
<rdar://problem/82787527>
Saam Barati
Comment 2 2021-10-01 13:20:26 PDT
Our IntrinsicGetter IC is using the wrong structure
Saam Barati
Comment 3 2021-10-01 16:00:06 PDT
(In reply to Saam Barati from comment #2) > Our IntrinsicGetter IC is using the wrong structure This is wrong. It's using the wrong |this| for the "getter" access.
Saam Barati
Comment 4 2021-10-01 17:06:58 PDT
Created attachment 439938 [details] patch
Saam Barati
Comment 5 2021-10-01 23:56:11 PDT
Created attachment 439956 [details] patch
Yusuke Suzuki
Comment 6 2021-10-02 15:39:28 PDT
Comment on attachment 439956 [details] patch r=me
EWS
Comment 7 2021-10-04 12:58:13 PDT
Committed r283512 (242480@main): <https://commits.webkit.org/242480@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 439956 [details].
Note You need to log in before you can comment on or make changes to this bug.