[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

oliver at apple.com oliver at apple.com
Wed Apr 7 23:19:06 UTC 2010 

The following commit has been merged in the webkit-1.2 branch:
commit 7dd6dec11bcc7d1a60d565cd628abed169c6bb48
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Tue Nov 3 06:49:42 2009 +0000

    REGRESSION (r48573): JSC may incorrectly cache chain lookups with a dictionary at the head of the chain
    https://bugs.webkit.org/show_bug.cgi?id=31045
    
    Reviewed by Gavin Barraclough.
    
    Add guards to prevent caching of prototype chain lookups with dictionaries at the
    head of the chain.  Also add a few tighter assertions to cached prototype lookups
    to catch this in future.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@50443 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index a1d7b17..2ae868b 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,20 @@
+2009-11-02  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        REGRESSION (r48573): JSC may incorrectly cache chain lookups with a dictionary at the head of the chain
+        https://bugs.webkit.org/show_bug.cgi?id=31045
+
+        Add guards to prevent caching of prototype chain lookups with dictionaries at the
+        head of the chain.  Also add a few tighter assertions to cached prototype lookups
+        to catch this in future.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::tryCacheGetByID):
+        (JSC::Interpreter::privateExecute):
+        * jit/JITStubs.cpp:
+        (JSC::JITThunks::tryCacheGetByID):
+
 2009-11-02  Laszlo Gombos  <laszlo.1.gombos at nokia.com>
 
         Reviewed by Darin Adler.
diff --git a/JavaScriptCore/interpreter/Interpreter.cpp b/JavaScriptCore/interpreter/Interpreter.cpp
index c77a0f1..db0edc4 100644
--- a/JavaScriptCore/interpreter/Interpreter.cpp
+++ b/JavaScriptCore/interpreter/Interpreter.cpp
@@ -1029,6 +1029,11 @@ NEVER_INLINE void Interpreter::tryCacheGetByID(CallFrame* callFrame, CodeBlock*
         return;
     }
 
+    if (structure->isDictionary()) {
+        vPC[0] = getOpcode(op_get_by_id_generic);
+        return;
+    }
+
     if (slot.slotBase() == structure->prototypeForLookup(callFrame)) {
         ASSERT(slot.slotBase().isObject());
 
@@ -1039,6 +1044,8 @@ NEVER_INLINE void Interpreter::tryCacheGetByID(CallFrame* callFrame, CodeBlock*
         if (baseObject->structure()->isDictionary())
             baseObject->setStructure(Structure::fromDictionaryTransition(baseObject->structure()));
 
+        ASSERT(!baseObject->structure()->isUncacheableDictionary());
+
         vPC[0] = getOpcode(op_get_by_id_proto);
         vPC[5] = baseObject->structure();
         vPC[6] = slot.cachedOffset();
@@ -2134,6 +2141,7 @@ JSValue Interpreter::privateExecute(ExecutionFlag flag, RegisterFile* registerFi
                     int offset = vPC[6].u.operand;
 
                     ASSERT(protoObject->get(callFrame, callFrame->codeBlock()->identifier(vPC[3].u.operand)) == protoObject->getDirectOffset(offset));
+                    ASSERT(baseValue.get(callFrame, callFrame->codeBlock()->identifier(vPC[3].u.operand)) == protoObject->getDirectOffset(offset));
                     callFrame->r(dst) = JSValue(protoObject->getDirectOffset(offset));
 
                     vPC += OPCODE_LENGTH(op_get_by_id_proto);
@@ -2189,6 +2197,7 @@ JSValue Interpreter::privateExecute(ExecutionFlag flag, RegisterFile* registerFi
                         int offset = vPC[7].u.operand;
 
                         ASSERT(baseObject->get(callFrame, callFrame->codeBlock()->identifier(vPC[3].u.operand)) == baseObject->getDirectOffset(offset));
+                        ASSERT(baseValue.get(callFrame, callFrame->codeBlock()->identifier(vPC[3].u.operand)) == baseObject->getDirectOffset(offset));
                         callFrame->r(dst) = JSValue(baseObject->getDirectOffset(offset));
 
                         vPC += OPCODE_LENGTH(op_get_by_id_chain);
diff --git a/JavaScriptCore/jit/JITStubs.cpp b/JavaScriptCore/jit/JITStubs.cpp
index c999618..7acd04c 100644
--- a/JavaScriptCore/jit/JITStubs.cpp
+++ b/JavaScriptCore/jit/JITStubs.cpp
@@ -758,6 +758,11 @@ NEVER_INLINE void JITThunks::tryCacheGetByID(CallFrame* callFrame, CodeBlock* co
         return;
     }
 
+    if (structure->isDictionary()) {
+        ctiPatchCallByReturnAddress(codeBlock, returnAddress, FunctionPtr(cti_op_get_by_id_generic));
+        return;
+    }
+
     if (slot.slotBase() == structure->prototypeForLookup(callFrame)) {
         ASSERT(slot.slotBase().isObject());
 
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 875a1b0..359dafb 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2009-11-02  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        REGRESSION (r48573): JSC may incorrectly cache chain lookups with a dictionary at the head of the chain
+        https://bugs.webkit.org/show_bug.cgi?id=31045
+
+        Add tests for dictionary at the head of a prototype chain.
+
+        * fast/js/script-tests/dictionary-no-cache.js:
+        * fast/js/dictionary-no-cache-expected.txt:
+
 2009-11-02  Enrica Casucci  <enrica at apple.com>
 
         Reviewed by Adele Peterson and Dan Bernstein.
diff --git a/LayoutTests/fast/js/dictionary-no-cache-expected.txt b/LayoutTests/fast/js/dictionary-no-cache-expected.txt
index c58485b..a8d7e94 100644
--- a/LayoutTests/fast/js/dictionary-no-cache-expected.txt
+++ b/LayoutTests/fast/js/dictionary-no-cache-expected.txt
@@ -6,6 +6,10 @@ On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE
 PASS foundNewPrototypeProperty is true
 PASS foundRemovedPrototypeProperty is false
 PASS calledNewPrototypeSetter is true
+PASS getTestProperty(test4) is "on prototype"
+PASS getTestProperty(test4) is "on self"
+PASS getTestProperty(test5) is "on prototype's prototype"
+PASS getTestProperty(test5) is "on self"
 PASS successfullyParsed is true
 
 TEST COMPLETE
diff --git a/LayoutTests/fast/js/script-tests/dictionary-no-cache.js b/LayoutTests/fast/js/script-tests/dictionary-no-cache.js
index 8f788bb..dbb536e 100644
--- a/LayoutTests/fast/js/script-tests/dictionary-no-cache.js
+++ b/LayoutTests/fast/js/script-tests/dictionary-no-cache.js
@@ -60,4 +60,32 @@ var test4 = new Test();
 update(test4);
 shouldBeTrue('calledNewPrototypeSetter');
 
+var test4 = {__proto__:{prop:"on prototype"}};
+for (var i = 0; i < 200; i++)
+    test4[i]=[i];
+
+var test5 = {__proto__:{__proto__:{prop:"on prototype's prototype"}}};
+for (var i = 0; i < 200; i++)
+    test5[i]=[i];
+
+getTestProperty = function(o) {
+    return o.prop;
+}
+
+getTestProperty(test4);
+getTestProperty(test4);
+shouldBe("getTestProperty(test4)", '"on prototype"');
+test4.prop = "on self";
+shouldBe("getTestProperty(test4)", '"on self"');
+
+getTestProperty = function(o) {
+    return o.prop;
+}
+
+getTestProperty(test5);
+getTestProperty(test5);
+shouldBe("getTestProperty(test5)", '"on prototype\'s prototype"');
+test5.prop = "on self";
+shouldBe("getTestProperty(test5)", '"on self"');
+
 successfullyParsed = true;

-- 
WebKit Debian packaging

More information about the Pkg-webkit-commits mailing list