LazyNode comparison can return incorrect results when comparing an em…

…pty value https://bugs.webkit.org/show_bug.cgi?id=145421 Reviewed by Geoffrey Garen. When comparing a LazyNode to another, we compare the value pointers if we have one, and otherwise compare the nodes. We should be comparing value pointers if the other LazyNode has one as well, otherwise we risk an incoherency when we are a empty LazyNode being compared to a FrozenValue without node. Note that this is not a problem in any other case because if we don't have a FrozenValue and we are not an empty LazyNode, we are a non-constant node, and comparing the node pointers is correct. * dfg/DFGLazyNode.h: (JSC::DFG::LazyNode::operator==): Canonical link: https://commits.webkit.org/163436@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@184927 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · May 27, 2015 · bcb83fa · bcb83fa
1 parent 4d89cfb
commit bcb83fa
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 3 deletions.
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,23 @@
+2015-05-27  Basile Clement  <basile_clement@apple.com>
+
+        LazyNode comparison can return incorrect results when comparing an empty value
+        https://bugs.webkit.org/show_bug.cgi?id=145421
+
+        Reviewed by Geoffrey Garen.
+
+        When comparing a LazyNode to another, we compare the value pointers if
+        we have one, and otherwise compare the nodes.
+        We should be comparing value pointers if the other LazyNode has one as
+        well, otherwise we risk an incoherency when we are a empty LazyNode
+        being compared to a FrozenValue without node.
+
+        Note that this is not a problem in any other case because if we don't
+        have a FrozenValue and we are not an empty LazyNode, we are a
+        non-constant node, and comparing the node pointers is correct.
+
+        * dfg/DFGLazyNode.h:
+        (JSC::DFG::LazyNode::operator==):
+
 2015-05-27  Geoffrey Garen  <ggaren@apple.com>
 
         REGRESSION: These sorting idioms used by Peacekeeper and Browsermark are ~20X slower

diff --git a/Source/JavaScriptCore/dfg/DFGLazyNode.h b/Source/JavaScriptCore/dfg/DFGLazyNode.h
@@ -34,8 +34,6 @@
 
 namespace JSC { namespace DFG {
 
-
-
 class LazyNode {
 public:
     static const size_t jsConstantTag = 0;
@@ -119,7 +117,7 @@ class LazyNode {
 
     bool operator==(const LazyNode& other) const
     {
-        if (asValue())
+        if (asValue() || other.asValue())
             return m_value == other.m_value;
         return m_node == other.m_node;
     }