Bug 145421 - LazyNode comparison can return incorrect results when comparing an empty value
Summary: LazyNode comparison can return incorrect results when comparing an empty value
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Basile Clement
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-27 16:29 PDT by Basile Clement
Modified: 2015-05-28 12:12 PDT
CC List: 3 users
See Also:

Attachments
Patch (1.96 KB, patch)
2015-05-27 16:36 PDT, Basile Clement
ggaren: review+

Description Basile Clement 2015-05-27 16:29:23 PDT
LazyNode comparison can return incorrect results when comparing an empty value
Comment 1 Basile Clement 2015-05-27 16:36:32 PDT
Created attachment 253813
Patch
Comment 2 Geoffrey Garen 2015-05-27 16:44:46 PDT
Comment on attachment 253813
Patch

r=me
Comment 3 Basile Clement 2015-05-27 16:47:55 PDT
Committed r184927: <http://trac.webkit.org/changeset/184927>
Comment 4 Darin Adler 2015-05-28 11:49:43 PDT
Did this bug have a symptom? Can we make a regression test?
Comment 5 Basile Clement 2015-05-28 12:12:06 PDT
(In reply to comment #4)
> Did this bug have a symptom? Can we make a regression test?

I don't think there is a code path that can trigger this bug in ToT.

LazyNode has been introduced recently (http://trac.webkit.org/changeset/184776), and as far as I know, the only place where we are comparing them is when comparing the indexes of HeapLocations, and then only after we ensured the kind/heap/base are equal.
As the heap + kind of a HeapLocation determine whether it has an index or not, the comparison of LazyNodes won't be reached in the case where only one is non-null.