Google Git
Sign in
webkit / WebKit / ec2fcee913234641ac2d8270fcdaef0f6d8a3da5^! / .
commitec2fcee913234641ac2d8270fcdaef0f6d8a3da5[log] [tgz]
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Thu Dec 05 01:37:01 2019 +0000
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Thu Dec 05 01:37:01 2019 +0000
treeec3b63b3b72de07fa2b718e2ef1bb17e1fed6097
parenta4cdf099db3819e5d742036269f276c30254d43e [diff]
Fix a broken assertion in GetByStatus::computeForStubInfoWithoutExitSiteFeedback().
https://bugs.webkit.org/show_bug.cgi?id=204866

Reviewed by Saam Barati.

The assertion wrong assumes that access.offset() cannot be invalid unless the
access.type() is a Miss.  However, if the AccessCase is a Custom value or accessor,
the offset is always invalid.  This patch fixes this assertion.

* bytecode/AccessCase.h:
(JSC::AccessCase::isCustom const):
* bytecode/GetByStatus.cpp:
(JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@253136 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 6250ffd..50a3e97 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog

@@ -1,3 +1,19 @@
+2019-12-04  Mark Lam  <mark.lam@apple.com>
+
+        Fix a broken assertion in GetByStatus::computeForStubInfoWithoutExitSiteFeedback().
+        https://bugs.webkit.org/show_bug.cgi?id=204866
+
+        Reviewed by Saam Barati.
+
+        The assertion wrong assumes that access.offset() cannot be invalid unless the
+        access.type() is a Miss.  However, if the AccessCase is a Custom value or accessor,
+        the offset is always invalid.  This patch fixes this assertion.
+
+        * bytecode/AccessCase.h:
+        (JSC::AccessCase::isCustom const):
+        * bytecode/GetByStatus.cpp:
+        (JSC::GetByStatus::computeForStubInfoWithoutExitSiteFeedback):
+
 2019-12-04  Yusuke Suzuki  <ysuzuki@apple.com>
 
         Unreviewed, rolling out r252416, vimeo does not work

diff --git a/Source/JavaScriptCore/bytecode/AccessCase.h b/Source/JavaScriptCore/bytecode/AccessCase.h
index 5d56e99..219d5ac 100644
--- a/Source/JavaScriptCore/bytecode/AccessCase.h
+++ b/Source/JavaScriptCore/bytecode/AccessCase.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -179,6 +179,19 @@
     // past the call.
     bool doesCalls(Vector<JSCell*>* cellsToMark = nullptr) const;
 
+    bool isCustom() const
+    {
+        switch (type()) {
+        case CustomValueGetter:
+        case CustomAccessorGetter:
+        case CustomValueSetter:
+        case CustomAccessorSetter:
+            return true;
+        default:
+            return false;
+        }
+    }
+
     bool isGetter() const
     {
         switch (type()) {

diff --git a/Source/JavaScriptCore/bytecode/GetByStatus.cpp b/Source/JavaScriptCore/bytecode/GetByStatus.cpp
index 182c490..2005576 100644
--- a/Source/JavaScriptCore/bytecode/GetByStatus.cpp
+++ b/Source/JavaScriptCore/bytecode/GetByStatus.cpp

@@ -292,7 +292,7 @@
                     return GetByStatus(JSC::slowVersion(summary), *stubInfo);
                 } }
 
-                ASSERT((AccessCase::Miss == access.type()) == (access.offset() == invalidOffset));
+                ASSERT((AccessCase::Miss == access.type() || access.isCustom()) == (access.offset() == invalidOffset));
                 GetByIdVariant variant(
                     trackIdentifiers == TrackIdentifiers::Yes ? access.identifier() : Box<Identifier>(nullptr), StructureSet(structure), complexGetStatus.offset(),
                     complexGetStatus.conditionSet(), WTFMove(callLinkStatus),