2010-10-18 Oliver Hunt <oliver@apple.com>

Reviewed by Sam Weinig. Strict mode: JIT doesn't check for |this| being an immediate before dereferencing https://bugs.webkit.org/show_bug.cgi?id=47826 There's no guarantee that |this| will be a cell in a strict mode function, so don't claim that it is. * bytecode/CodeBlock.h: (JSC::CodeBlock::isKnownNotImmediate): 2010-10-18 Oliver Hunt <oliver@apple.com> Reviewed by Sam Weinig. Strict mode: JIT doesn't check for |this| being an immediate before dereferencing https://bugs.webkit.org/show_bug.cgi?id=47826 Add tests for accessing properties on |this| when |this| is not an object * fast/js/basic-strict-mode-expected.txt: * fast/js/script-tests/basic-strict-mode.js: (testThisDotAccess): (testThisBracketAccess): Canonical link: https://commits.webkit.org/60531@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@69965 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Oct 18, 2010 · 90f0ceb0503ce3e2ad3e4959e1a857c07f536aba · 90f0ceb
1 parent 56750ae
commit 90f0ceb0503ce3e2ad3e4959e1a857c07f536aba
Showing 5 changed files with 61 additions and 1 deletion.
diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
@@ -1,3 +1,16 @@
+2010-10-18  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        Strict mode: JIT doesn't check for |this| being an immediate before dereferencing
+        https://bugs.webkit.org/show_bug.cgi?id=47826
+
+        There's no guarantee that |this| will be a cell in a strict mode function, so
+        don't claim that it is.
+
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::isKnownNotImmediate):
+
 2010-10-18  Zoltan Herczeg  <zherczeg@webkit.org>
 
         Reviewed by Oliver Hunt.

diff --git a/JavaScriptCore/bytecode/CodeBlock.h b/JavaScriptCore/bytecode/CodeBlock.h
@@ -301,7 +301,7 @@ namespace JSC {
 
         inline bool isKnownNotImmediate(int index)
         {
-            if (index == m_thisRegister)
+            if (index == m_thisRegister && !m_isStrictMode)
                 return true;
 
             if (isConstantRegisterIndex(index))

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2010-10-18  Oliver Hunt  <oliver@apple.com>
+
+        Reviewed by Sam Weinig.
+
+        Strict mode: JIT doesn't check for |this| being an immediate before dereferencing
+        https://bugs.webkit.org/show_bug.cgi?id=47826
+
+        Add tests for accessing properties on |this| when |this| is not an object
+
+        * fast/js/basic-strict-mode-expected.txt:
+        * fast/js/script-tests/basic-strict-mode.js:
+        (testThisDotAccess):
+        (testThisBracketAccess):
+
 2010-10-18  Zoltan Herczeg  <zherczeg@webkit.org>
 
         Reviewed by Oliver Hunt.

diff --git a/LayoutTests/fast/js/basic-strict-mode-expected.txt b/LayoutTests/fast/js/basic-strict-mode-expected.txt
@@ -9,6 +9,18 @@ PASS testThis.call(true) is true
 PASS testThis.call(false) is false
 PASS testThis.call(undefined) is undefined
 PASS testThis.call('a string') is 'a string'
+PASS testThisDotAccess.call('a string') is 'a string'.length
+PASS testThisDotAccess.call(null) threw exception TypeError: Result of expression 'this' [null] is not an object..
+PASS testThisDotAccess.call(undefined) threw exception TypeError: Result of expression 'this' [undefined] is not an object..
+PASS testThisDotAccess.call(true) is undefined.
+PASS testThisDotAccess.call(false) is undefined.
+PASS testThisDotAccess.call(1) is undefined.
+PASS testThisBracketAccess.call('a string', 'length') is 'a string'.length
+PASS testThisBracketAccess.call(null, 'length') threw exception TypeError: Result of expression 'this' [null] is not an object..
+PASS testThisBracketAccess.call(undefined, 'length') threw exception TypeError: Result of expression 'this' [undefined] is not an object..
+PASS testThisBracketAccess.call(true, 'length') is undefined.
+PASS testThisBracketAccess.call(false, 'length') is undefined.
+PASS testThisBracketAccess.call(1, 'length') is undefined.
 PASS testGlobalAccess() is null
 PASS (function eval(){'use strict';}) threw exception SyntaxError: Parse error.
 PASS (function (eval){'use strict';}) threw exception SyntaxError: Parse error.

diff --git a/LayoutTests/fast/js/script-tests/basic-strict-mode.js b/LayoutTests/fast/js/script-tests/basic-strict-mode.js
@@ -5,6 +5,14 @@ function testThis() {
     "use strict";
     return this;
 }
+function testThisDotAccess() {
+    "use strict";
+    return this.length;
+}
+function testThisBracketAccess(prop) {
+    "use strict";
+    return this[prop];
+}
 function testGlobalAccess() {
     return testThis();
 }
@@ -14,6 +22,19 @@ shouldBe("testThis.call(true)", "true");
 shouldBe("testThis.call(false)", "false");
 shouldBe("testThis.call(undefined)", "undefined");
 shouldBe("testThis.call('a string')", "'a string'");
+shouldBe("testThisDotAccess.call('a string')", "'a string'.length");
+shouldThrow("testThisDotAccess.call(null)");
+shouldThrow("testThisDotAccess.call(undefined)");
+shouldBeUndefined("testThisDotAccess.call(true)");
+shouldBeUndefined("testThisDotAccess.call(false)");
+shouldBeUndefined("testThisDotAccess.call(1)");
+shouldBe("testThisBracketAccess.call('a string', 'length')", "'a string'.length");
+shouldThrow("testThisBracketAccess.call(null, 'length')");
+shouldThrow("testThisBracketAccess.call(undefined, 'length')");
+shouldBeUndefined("testThisBracketAccess.call(true, 'length')");
+shouldBeUndefined("testThisBracketAccess.call(false, 'length')");
+shouldBeUndefined("testThisBracketAccess.call(1, 'length')");
+
 
 shouldBe("testGlobalAccess()", "null");