Timestamp:
Jun 12, 2012, 2:15:43 PM
Author:
[email protected]
Message:

REGRESSION (r119779): Javascript TypeError: 'undefined' is not an object
https://bugs.webkit.org/show_bug.cgi?id=88783
<rdar://problem/11640299>

Source/JavaScriptCore:

Reviewed by Geoffrey Garen.

If you don't keep alive the base of an object access over the various checks
you do for the prototype chain, you're going to have a bad time.

  • dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleGetById):

LayoutTests:

Reviewed by Geoffrey Garen.

  • fast/js/dfg-proto-access-inline-osr-exit-expected.txt: Added.
  • fast/js/dfg-proto-access-inline-osr-exit.html: Added.
  • fast/js/script-tests/dfg-proto-access-inline-osr-exit.js: Added.

(foo):
(Thingy):

File:
1 edited

  • trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

    r119858 r120121  
    15631563    if (prediction == SpecNone)
    15641564        addToGraph(ForceOSRExit);
     1565   
     1566    NodeIndex originalBaseForBaselineJIT = base;
    15651567               
    15661568    addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(getByIdStatus.structureSet())), base);
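Review bot: The new `NodeIndex originalBaseForBaselineJIT = base;` at line 1566 has no comment, and its purpose only becomes clear from the Phantom block roughly twenty lines further down. Add a one-line comment at the declaration saying it records the base of the original get_by_id before `base` can change (the later `originalBaseForBaselineJIT != base` test implies it can). It is never reassigned in the visible lines, so declaring it const would make that intent explicit.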
     
    15801582        useInlineStorage = getByIdStatus.structureSet().allAreUsingInlinePropertyStorage();
    15811583   
     1584    // Unless we want bugs like https://bugs.webkit.org/show_bug.cgi?id=88783, we need to
     1585    // ensure that the base of the original get_by_id is kept alive until we're done with
     1586    // all of the speculations. We only insert the Phantom if there had been a CheckStructure
     1587    // on something other than the base following the CheckStructure on base, or if the
     1588    // access was compiled to a WeakJSConstant specific value, in which case we might not
     1589    // have any explicit use of the base at all.
     1590    if (getByIdStatus.specificValue() || originalBaseForBaselineJIT != base)
     1591        addToGraph(Phantom, originalBaseForBaselineJIT);
     1592   
    15821593    if (getByIdStatus.specificValue()) {
    15831594        ASSERT(getByIdStatus.specificValue().isCell());
     1595       
    15841596        set(destinationOperand,
    15851597            addToGraph(WeakJSConstant, OpInfo(getByIdStatus.specificValue().asCell())));
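Review bot: The guard at line 1590, `if (getByIdStatus.specificValue() || originalBaseForBaselineJIT != base)`, skips the Phantom on the assumption that whenever neither condition holds some later node still uses the original base, and nothing in the visible lines asserts that. A missed keep-alive is exactly the failure this change fixes, so consider emitting `addToGraph(Phantom, originalBaseForBaselineJIT);` unconditionally, or spell out the invariant in the comment so a later edit to this function does not silently break it. As a smaller point, `getByIdStatus.specificValue()` is now tested at 1590 and again at 1593; folding the Phantom decision into the existing branch structure, or caching the value in a local, would keep the two tests from drifting apart.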