Google Git
Sign in
webkit / WebKit / 672029634f2748a0bf768eb4ebc6a9adb9bae514^! / . / Source / JavaScriptCore / bytecompiler / NodesCodegen.cpp
commit672029634f2748a0bf768eb4ebc6a9adb9bae514[log] [tgz]
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Wed May 10 17:00:22 2017 +0000
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Wed May 10 17:00:22 2017 +0000
treefab5edadee3d16d626f91b9eea19f92af5a0d08a
parentdc436c9b9175caa9b3edb003d2631fa862c5f1cc [diff] [blame]
Null pointer dereference in WTF::RefPtr<WTF::StringImpl>::operator!() under slow_path_get_direct_pname
https://bugs.webkit.org/show_bug.cgi?id=171801

Reviewed by Michael Saboff.
        
JSTests:

These tests used to crash. The prefix and postfix tests cover different paths, except
postfix-ignored goes down the same path as prefix due to an optimization.

* stress/for-in-postfix-ignored-index.js: Added.
(foo):
* stress/for-in-postfix-index.js: Added.
(foo):
* stress/for-in-prefix-index.js: Added.
(foo):

Source/JavaScriptCore:

This was a goofy oversight. The for-in optimization relies on the bytecode generator
to detect when the loop's index variable gets mutated. We forgot to have the hooks for
detecting this in prefix and postfix operations (++i and i++).

* bytecompiler/NodesCodegen.cpp:
(JSC::PostfixNode::emitResolve):
(JSC::PrefixNode::emitResolve):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@216593 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp b/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
index f3e5557..6ad5794 100644
--- a/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
+++ b/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -1412,6 +1412,7 @@
             generator.emitReadOnlyExceptionIfNeeded(var);
             localReg = generator.emitMove(generator.tempDestination(dst), local);
         }
+        generator.invalidateForInContextForLocal(local);
         RefPtr<RegisterID> oldValue = emitPostIncOrDec(generator, generator.finalDestination(dst), localReg.get(), m_operator);
         generator.emitProfileType(localReg.get(), var, divotStart(), divotEnd());
         return oldValue.get();
@@ -1624,6 +1625,7 @@
             generator.emitReadOnlyExceptionIfNeeded(var);
             localReg = generator.emitMove(generator.tempDestination(dst), localReg.get());
         } else if (generator.vm()->typeProfiler()) {
+            generator.invalidateForInContextForLocal(local);
             RefPtr<RegisterID> tempDst = generator.tempDestination(dst);
             generator.emitMove(tempDst.get(), localReg.get());
             emitIncOrDec(generator, tempDst.get(), m_operator);
@@ -1631,6 +1633,7 @@
             generator.emitProfileType(localReg.get(), var, divotStart(), divotEnd());
             return generator.moveToDestinationIfNeeded(dst, tempDst.get());
         }
+        generator.invalidateForInContextForLocal(local);
         emitIncOrDec(generator, localReg.get(), m_operator);
         return generator.moveToDestinationIfNeeded(dst, localReg.get());
     }