[JSC] Do not construct Simple GetByIdStatus against self-custom-acces…

…sor case https://bugs.webkit.org/show_bug.cgi?id=162993 Reviewed by Filip Pizlo. We accidentally created a Simple GetByIdStatus against self-custom-accessor case: the object has own custom accessor property and get_by_id hits. If we returned such a result, the GetById will be turned to GetByOffset and it looks up incorrect thing like CustomGetterSetter object. We do not hit this bug before since maybe there is no object that has own custom-accessor and this custom-accessor does not raise an error. For example, "Node.prototype" has "firstChild" custom accessor. But since "Node.prototype" itself does not have Node::info(), "Node.prototype.firstChild" access always raises an error. I guess all the custom accessors follow this pattern. This bug is uncovered when testing DOMJIT (This bug causes crash and it can occur even if we disabled DOMJIT). But such a assumption is not guaranteed. In this patch, we fix this by not returning Simple GetById. * bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeFromLLInt): (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback): (JSC::GetByIdStatus::computeFor): Canonical link: https://commits.webkit.org/180897@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@206844 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Oct 6, 2016 · b320ebecf83ad1abccb5c21bd0f0e4019fa54686 · b320ebe
1 parent a29d790
commit b320ebecf83ad1abccb5c21bd0f0e4019fa54686
Showing with 31 additions and 4 deletions.

+21 −0 Source/JavaScriptCore/ChangeLog

+10 −4 Source/JavaScriptCore/bytecode/GetByIdStatus.cpp
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,24 @@
+2016-10-05  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [JSC] Do not construct Simple GetByIdStatus against self-custom-accessor case
+        https://bugs.webkit.org/show_bug.cgi?id=162993
+
+        Reviewed by Filip Pizlo.
+
+        We accidentally created a Simple GetByIdStatus against self-custom-accessor case: the object has own custom accessor property and get_by_id hits.
+        If we returned such a result, the GetById will be turned to GetByOffset and it looks up incorrect thing like CustomGetterSetter object.
+        We do not hit this bug before since maybe there is no object that has own custom-accessor and this custom-accessor does not raise an error.
+        For example, "Node.prototype" has "firstChild" custom accessor. But since "Node.prototype" itself does not have Node::info(), "Node.prototype.firstChild"
+        access always raises an error. I guess all the custom accessors follow this pattern. This bug is uncovered when testing DOMJIT (This bug causes crash and
+        it can occur even if we disabled DOMJIT).
+
+        But such a assumption is not guaranteed. In this patch, we fix this by not returning Simple GetById.
+
+        * bytecode/GetByIdStatus.cpp:
+        (JSC::GetByIdStatus::computeFromLLInt):
+        (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
+        (JSC::GetByIdStatus::computeFor):
+
 2016-10-05  Saam Barati  <sbarati@apple.com>
 
         PCToCodeOriginMap builder should use labelIgnoringWatchpoints() inside the DFG

diff --git a/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp b/Source/JavaScriptCore/bytecode/GetByIdStatus.cpp
@@ -97,10 +97,12 @@ GetByIdStatus GetByIdStatus::computeFromLLInt(CodeBlock* profiledBlock, unsigned
     if (structure->takesSlowPathInDFGForImpureProperty())
         return GetByIdStatus(NoInformation, false);
 
-    unsigned attributesIgnored;
-    PropertyOffset offset = structure->getConcurrently(uid, attributesIgnored);
+    unsigned attributes;
+    PropertyOffset offset = structure->getConcurrently(uid, attributes);
     if (!isValidOffset(offset))
         return GetByIdStatus(NoInformation, false);
+    if (attributes & CustomAccessor)
+        return GetByIdStatus(NoInformation, false);
 
     return GetByIdStatus(Simple, false, GetByIdVariant(StructureSet(structure), offset));
 }
@@ -176,11 +178,13 @@ GetByIdStatus GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback(
         Structure* structure = stubInfo->u.byIdSelf.baseObjectStructure.get();
         if (structure->takesSlowPathInDFGForImpureProperty())
             return GetByIdStatus(slowPathState, true);
-        unsigned attributesIgnored;
+        unsigned attributes;
         GetByIdVariant variant;
-        variant.m_offset = structure->getConcurrently(uid, attributesIgnored);
+        variant.m_offset = structure->getConcurrently(uid, attributes);
         if (!isValidOffset(variant.m_offset))
             return GetByIdStatus(slowPathState, true);
+        if (attributes & CustomAccessor)
+            return GetByIdStatus(slowPathState, true);
 
         variant.m_structureSet.add(structure);
         bool didAppend = result.appendVariant(variant);
@@ -343,6 +347,8 @@ GetByIdStatus GetByIdStatus::computeFor(const StructureSet& set, UniquedStringIm
             return GetByIdStatus(TakesSlowPath); // It's probably a prototype lookup. Give up on life for now, even though we could totally be way smarter about it.
         if (attributes & Accessor)
             return GetByIdStatus(MakesCalls); // We could be smarter here, like strength-reducing this to a Call.
+        if (attributes & CustomAccessor)
+            return GetByIdStatus(TakesSlowPath);
 
         if (!result.appendVariant(GetByIdVariant(structure, offset)))
             return GetByIdStatus(TakesSlowPath);