Timestamp:
Jan 22, 2016, 11:31:06 AM (10 years ago)
Author:
[email protected]
Message:

Equivalence PropertyCondition needs to check the offset it uses to load the value from is not invalidOffset
https://bugs.webkit.org/show_bug.cgi?id=152912

Reviewed by Mark Lam.

When checking the validity of an Equivalence PropertyCondition we do not check that the offset returned by
the structure of the object in the equivalence condition is valid. The offset might be wrong for many reasons.
The one we now test for is when the GlobalObject has a property that becomes a variable: the property is deleted,
thus the offset is now invalid.

  • bytecode/PropertyCondition.cpp:

(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):

  • tests/stress/global-property-into-variable-get-from-scope.js: Added.
File:
1 edited

  • trunk/Source/JavaScriptCore/bytecode/PropertyCondition.cpp

    r192693 r195462  
    173173       
    174174        PropertyOffset currentOffset = structure->getConcurrently(uid());
     175        if (currentOffset == invalidOffset) {
     176            if (verbose) {
     177                dataLog(
     178                    "Invalid because the base no long appears to have ", uid(), " on its structure: ",
     179                        RawPointer(base), "\n");
     180            }
     181            return false;
     182        }
     183
    175184        JSValue currentValue = base->getDirect(currentOffset);
    176185        if (currentValue != requiredValue()) {
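Review bot: the dataLog string in the new block has a typo, "no long appears" should read "no longer appears"; it is only emitted under `verbose`, but it is the text anyone reading the log will search for. The new `currentOffset == invalidOffset` check sits correctly ahead of `base->getDirect(currentOffset)`, so the property load is never attempted with an invalid offset, and returning `false` is the conservative outcome: the condition is reported as no longer valid instead of being evaluated through a bogus offset.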