2010-05-03 Oliver Hunt <oliver@apple.com>
authoroliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 3 May 2010 22:18:59 +0000 (22:18 +0000)
committeroliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 3 May 2010 22:18:59 +0000 (22:18 +0000)
        Reviewed by Maciej Stachowiak.

        Interpreter crashes due to incorrect refcounting of cached structures.
        https://bugs.webkit.org/show_bug.cgi?id=38491
        rdar://problem/7926160

        Make sure we ref/deref structures used for cached custom property getters

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::derefStructures):
        (JSC::CodeBlock::refStructures):
2010-05-03  Oliver Hunt  <oliver@apple.com>

        Reviewed by Maciej Stachowiak.

        Interpreter crashes due to incorrect refcounting of cached structures.
        https://bugs.webkit.org/show_bug.cgi?id=38491

        Add test for cached structure chains used for custom getters.

        * fast/js/pic/cached-named-property-getter.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@58705 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JavaScriptCore/ChangeLog
JavaScriptCore/bytecode/CodeBlock.cpp
LayoutTests/ChangeLog
LayoutTests/fast/js/pic/cached-named-property-getter.html

index 7adcac6..cb8048d 100644 (file)
@@ -1,3 +1,17 @@
+2010-05-03  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Maciej Stachowiak.
+
+        Interpreter crashes due to incorrect refcounting of cached structures.
+        https://bugs.webkit.org/show_bug.cgi?id=38491
+        rdar://problem/7926160
+
+        Make sure we ref/deref structures used for cached custom property getters
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::derefStructures):
+        (JSC::CodeBlock::refStructures):
+
 2010-05-02  Laszlo Gombos  <laszlo.1.gombos@nokia.com>
 
         Reviewed by Eric Seidel.
index 8e77e12..c2d6dd0 100644 (file)
@@ -1366,12 +1366,12 @@ void CodeBlock::derefStructures(Instruction* vPC) const
         vPC[4].u.structure->deref();
         return;
     }
-    if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_proto) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_proto)) {
+    if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_proto) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_proto) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_proto)) {
         vPC[4].u.structure->deref();
         vPC[5].u.structure->deref();
         return;
     }
-    if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_chain)) {
+    if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_chain)) {
         vPC[4].u.structure->deref();
         vPC[5].u.structureChain->deref();
         return;
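Review bot: The opcode test on the new lines at 1369 and 1374 is now a three-way chain of `vPC[0].u.opcode == interpreter->getOpcode(...)` comparisons, and the refStructures hunk at 1415 repeats the identical lists; the crash this commit fixes is exactly what happens when those two copies drift, since an opcode present in one list but not the other leaves the cached Structure either leaked or released while the instruction still points at it. Hoisting `Opcode opcode = vPC[0].u.opcode;` once at the top of each function and comparing against it would shorten every condition, and a single static predicate shared by both functions would let the next op_get_by_id_* family be added in one place rather than two. derefStructures starts before this hunk, so the earlier op_get_by_id_self branch is not visible here.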
@@ -1394,7 +1394,9 @@ void CodeBlock::derefStructures(Instruction* vPC) const
     if ((vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_proto_list))
         || (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_self_list))
         || (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_proto_list))
-        || (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_self_list))) {
+        || (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_self_list))
+        || (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_proto_list))
+        || (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_self_list))) {
         PolymorphicAccessStructureList* polymorphicStructures = vPC[4].u.polymorphicStructures;
         polymorphicStructures->derefStructures(vPC[5].u.operand);
         delete polymorphicStructures;
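Review bot: The polymorphic-list branch gains op_get_by_id_custom_proto_list and op_get_by_id_custom_self_list only on the deref side; the refStructures hunk below shows no list branch at all, so whether the asymmetry is deliberate (the list holding its own refs from creation) or the matching case simply lies outside the shown lines cannot be told from this diff. If it is deliberate, a one-line comment at this branch, `// Polymorphic lists own their refs from creation; refStructures has no matching case.`, would keep the next opcode family from being half-wired the way the custom getters were before this fix. The remainder of this function is outside the hunk.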
@@ -1413,12 +1415,12 @@ void CodeBlock::refStructures(Instruction* vPC) const
         vPC[4].u.structure->ref();
         return;
     }
-    if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_proto) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_proto)) {
+    if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_proto) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_proto) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_proto)) {
         vPC[4].u.structure->ref();
         vPC[5].u.structure->ref();
         return;
     }
-    if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_chain)) {
+    if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_chain)) {
         vPC[4].u.structure->ref();
         vPC[5].u.structureChain->ref();
         return;
index d544dfa..8d51c68 100644 (file)
@@ -1,3 +1,14 @@
+2010-05-03  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Maciej Stachowiak.
+
+        Interpreter crashes due to incorrect refcounting of cached structures.
+        https://bugs.webkit.org/show_bug.cgi?id=38491
+
+        Add test for cached structure chains used for custom getters.
+
+        * fast/js/pic/cached-named-property-getter.html:
+
 2010-05-03  Abhishek Arya  <inferno@chromium.org>
 
         Reviewed by Adam Barth.
index ef6a87b..6aff806 100644 (file)
@@ -61,6 +61,14 @@ you'll see a series of PASS messages below.
     getterTest("testProtoChainGetter({__proto__: {__proto__: {count: 'FAIL', get length(){ return this.count; }}}, count: 7})", 7);
     getterTest("testProtoChainGetter({__proto__: {__proto__: testFunction3}, count: 'FAIL'})", 3);
     getterTest("testProtoChainGetter({__proto__: {__proto__: testFunction5}, count: 'FAIL'})", 5);
+    
+    function testCustomGetter(o) {
+        for (var i = 0; i < 10; i++)
+            o.ignoreCase;
+    }
+    var r=/a/;
+    testCustomGetter({__proto__: r});
+    testCustomGetter({__proto__: {__proto__: r}});
 
 })();
 </script>
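Review bot: The new `testCustomGetter` only reads `o.ignoreCase` ten times and checks nothing, so the regression it guards against surfaces only as a crash; on a build whose allocator does not fault on the stale Structure the test would still report PASS. The file already drives its checks through `getterTest(expression, expected)` on the preceding lines, so adding `return o.ignoreCase;` after the loop and calling `getterTest("testCustomGetter({__proto__: r})", false);` and `getterTest("testCustomGetter({__proto__: {__proto__: r}})", false);` would make the cached-getter path fail loudly as well as crash, assuming getterTest compares against its second argument as its uses at line 61 suggest. The added blank line at 64 carries trailing whitespace, and the enclosing anonymous function begins outside the hunk.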