[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.15.1-1414-gc69ee75

oliver at apple.com oliver at apple.com
Thu Oct 29 20:31:20 UTC 2009


The following commit has been merged in the webkit-1.1 branch:
commit 7431692b42b2548852caab2aad10fbd55e1f48d7
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Sep 21 18:59:56 2009 +0000

    REGRESSION (r48582): Crash in StructureStubInfo::initPutByIdTransition when reloading trac.webkit.org
    https://bugs.webkit.org/show_bug.cgi?id=29599
    
    Reviewed by Geoff Garen
    
    It is unsafe to attempt to cache new property transitions on
    dictionaries of any type.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@48590 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 2f30dec..1766555 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,5 +1,20 @@
 2009-09-21  Oliver Hunt  <oliver at apple.com>
 
+        Reviewed by Geoff Garen.
+
+        REGRESSION (r48582): Crash in StructureStubInfo::initPutByIdTransition when reloading trac.webkit.org
+        https://bugs.webkit.org/show_bug.cgi?id=29599
+
+        It is unsafe to attempt to cache new property transitions on
+        dictionaries of any type.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::tryCachePutByID):
+        * jit/JITStubs.cpp:
+        (JSC::JITThunks::tryCachePutByID):
+
+2009-09-21  Oliver Hunt  <oliver at apple.com>
+
         RS=Maciej Stachowiak.
 
         Re-land SNES fix with corrected assertion.
diff --git a/JavaScriptCore/interpreter/Interpreter.cpp b/JavaScriptCore/interpreter/Interpreter.cpp
index 624832c..8a8fb3c 100644
--- a/JavaScriptCore/interpreter/Interpreter.cpp
+++ b/JavaScriptCore/interpreter/Interpreter.cpp
@@ -988,6 +988,10 @@ NEVER_INLINE void Interpreter::tryCachePutByID(CallFrame* callFrame, CodeBlock*
 
     // Structure transition, cache transition info
     if (slot.type() == PutPropertySlot::NewProperty) {
+        if (structure->isDictionary()) {
+            vPC[0] = getOpcode(op_put_by_id_generic);
+            return;
+        }
         vPC[0] = getOpcode(op_put_by_id_transition);
         vPC[4] = structure->previousID();
         vPC[5] = structure;
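Review bot: The new early return at the head of the NewProperty branch gives no reason why dictionary structures must be excluded from transition caching, and the rationale lives only in the commit message; the same applies to the matching check in the JITStubs.cpp hunk below. A one-line comment above the guard would keep it with the code: `// Dictionary structures must never get a cached transition (bug 29599); fall back to the generic put.` The two sites also express the same rule in different shapes — a standalone early return here, a condition folded into the existing isCacheable() test in JITStubs.cpp — which makes the shared rule harder to find; a separate `if (structure->isDictionary())` guard placed ahead of any cache-specific work at both sites would read the same. tryCachePutByID starts before and continues after this hunk.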
diff --git a/JavaScriptCore/jit/JITStubs.cpp b/JavaScriptCore/jit/JITStubs.cpp
index f197526..055a536 100644
--- a/JavaScriptCore/jit/JITStubs.cpp
+++ b/JavaScriptCore/jit/JITStubs.cpp
@@ -695,7 +695,7 @@ NEVER_INLINE void JITThunks::tryCachePutByID(CallFrame* callFrame, CodeBlock* co
     // Structure transition, cache transition info
     if (slot.type() == PutPropertySlot::NewProperty) {
         StructureChain* prototypeChain = structure->prototypeChain(callFrame);
-        if (!prototypeChain->isCacheable()) {
+        if (!prototypeChain->isCacheable() || structure->isDictionary()) {
             ctiPatchCallByReturnAddress(codeBlock, returnAddress, FunctionPtr(cti_op_put_by_id_generic));
             return;
         }
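Review bot: The dictionary check is evaluated only after `structure->prototypeChain(callFrame)` on the preceding line has already been computed, so a dictionary structure pays for a prototype-chain lookup whose result is then discarded; if prototypeChain() builds or caches a StructureChain (not visible from this hunk), the cheaper isDictionary() test should come first. A separate guard ahead of the prototypeChain line would also mirror the Interpreter.cpp change in this commit: `if (structure->isDictionary()) { ctiPatchCallByReturnAddress(codeBlock, returnAddress, FunctionPtr(cti_op_put_by_id_generic)); return; }`, leaving the isCacheable() test as it was. tryCachePutByID starts before and continues after this hunk.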
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 107f00b..7c09293 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2009-09-21  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Geoff Garen.
+
+        REGRESSION (r48582): Crash in StructureStubInfo::initPutByIdTransition when reloading trac.webkit.org
+        https://bugs.webkit.org/show_bug.cgi?id=29599
+
+        Add test case for preventing property addition transition caching on dictionaries.
+
+        * fast/js/resources/transition-cache-dictionary-crash.js: Added.
+        (f):
+        * fast/js/transition-cache-dictionary-crash-expected.txt: Added.
+        * fast/js/transition-cache-dictionary-crash.html: Added.
+
 2009-09-20  Adam Barth  <abarth at webkit.org>
 
         Reviewed by Maciej Stachowiak.
diff --git a/LayoutTests/fast/js/resources/transition-cache-dictionary-crash.js b/LayoutTests/fast/js/resources/transition-cache-dictionary-crash.js
new file mode 100644
index 0000000..e83bce8
--- /dev/null
+++ b/LayoutTests/fast/js/resources/transition-cache-dictionary-crash.js
@@ -0,0 +1,19 @@
+description("Test to ensure we don't attempt to cache new property transitions on dictionary.  Passes if you don't crash.");
+
+var cacheableDictionary = {};
+for (var i = 0; i < 500; i++)
+    cacheableDictionary["a" + i] = i;
+
+function f(o) {
+    o.crash = "doom!";
+}
+f({});
+f(cacheableDictionary);
+f(cacheableDictionary);
+f(cacheableDictionary);
+f(cacheableDictionary);
+f(cacheableDictionary);
+f(cacheableDictionary);
+f(cacheableDictionary);
+f(cacheableDictionary);
+successfullyParsed = true;
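Review bot: The two constants that make this a regression test — 500 property additions and eight identical calls to f(cacheableDictionary) — are not explained, so a later edit could shrink either and silently stop exercising the dictionary path. Presumably the loop pushes the object into dictionary mode and the repeated calls are needed for the put_by_id cache to be consulted; a short comment above the loop, `// Add enough properties to force dictionary mode, then call f() repeatedly so the put_by_id transition cache is exercised.`, would pin that intent. The eight copy-pasted calls could also be a small loop with a named, commented iteration count.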
diff --git a/LayoutTests/fast/js/transition-cache-dictionary-crash-expected.txt b/LayoutTests/fast/js/transition-cache-dictionary-crash-expected.txt
new file mode 100644
index 0000000..3f65917
--- /dev/null
+++ b/LayoutTests/fast/js/transition-cache-dictionary-crash-expected.txt
@@ -0,0 +1,9 @@
+Test to ensure we don't attempt to cache new property transitions on dictionary. Passes if you don't crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/js/transition-cache-dictionary-crash.html b/LayoutTests/fast/js/transition-cache-dictionary-crash.html
new file mode 100644
index 0000000..d2293fa
--- /dev/null
+++ b/LayoutTests/fast/js/transition-cache-dictionary-crash.html
@@ -0,0 +1,13 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<link rel="stylesheet" href="resources/js-test-style.css">
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<p id="description"></p>
+<div id="console"></div>
+<script src="resources/transition-cache-dictionary-crash.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
