Title: [200980] trunk/Source/_javascript_Core
- Revision
- 200980
- Author
- sbar...@apple.com
- Date
- 2016-05-16 16:27:27 -0700 (Mon, 16 May 2016)
Log Message
TypeSet/StructureShape have a flawed sense of JS prototype chains
https://bugs.webkit.org/show_bug.cgi?id=157760
Reviewed by Joseph Pecoraro.
There was an assumption that we would bottom out in "Object". This is
not true for many reasons. JS objects may not end in Object.prototype.
Also, our mechanism for grabbing an Object's class name may not
bottom out in "Object". We were seeing this in the JS objects we use
in the InjectedScriptSource.js inspector script.
* runtime/TypeSet.cpp:
(JSC::StructureShape::leastCommonAncestor):
* tests/typeProfiler/weird-prototype-chain.js: Added.
(wrapper.foo):
(wrapper.let.o2):
(wrapper):
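--- a/trunk/Source/_javascript_Core/ChangeLog
+++ b/trunk/Source/_javascript_Core/ChangeLog
@@ -1,3 +1,23 @@
+2016-05-16 Saam barati <sbar...@apple.com>
+
+ TypeSet/StructureShape have a flawed sense of JS prototype chains
+ https://bugs.webkit.org/show_bug.cgi?id=157760
+
+ Reviewed by Joseph Pecoraro.
+
+ There was an assumption that we would bottom out in "Object". This is
+ not true for many reasons. JS objects may not end in Object.prototype.
+ Also, our mechanism of grabbing an Object's class name may also not
+ bottom out in "Object". We were seeing this in the JS objects we use
+ in the InjectedScriptSource.js inspector script.
+
+ * runtime/TypeSet.cpp:
+ (JSC::StructureShape::leastCommonAncestor):
+ * tests/typeProfiler/weird-prototype-chain.js: Added.
+ (wrapper.foo):
+ (wrapper.let.o2):
+ (wrapper):
+
 2016-05-16 Joseph Pecoraro <pecor...@apple.com>
 Unreviewed rollout r200924. Caused js/regress/string-replace-generic.html to fail.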
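--- a/trunk/Source/_javascript_Core/runtime/TypeSet.cpp
+++ b/trunk/Source/_javascript_Core/runtime/TypeSet.cpp
@@ -386,8 +386,10 @@
 }
 if (!foundLUB) {
 origin = origin->m_proto;
-// All Objects must share the 'Object' Prototype. Therefore, at the very least, we should always converge on 'Object' before reaching a null prototype.
-RELEASE_ASSERT(origin);
+// This is unlikely to happen, because we usually bottom out at "Object", but there are some sets of Objects
+// that may cause this behavior. We fall back to "Object" because it's our version of Top.
+if (!origin)
+return ASCIILiteral("Object");
 }
 }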
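Review bot: The new comment above the null check understates the case: the test added in this same commit (weird-prototype-chain.js) deliberately builds it with `o1.__proto__ = null`, so a null prototype is an expected input rather than an unlikely one, and the comment should also say that the returned "Object" is a synthetic Top rather than a constructor actually found on the chain. Suggest `// A prototype chain can legitimately end without reaching Object.prototype (e.g. __proto__ = null), so a null origin means no common ancestor; answer "Object", our Top.` Because this string is what the inspector displays as the type name, a reader may otherwise assume "Object" means the value inherits from Object.prototype, which is exactly what it no longer guarantees; the function's header comment is the right place to record that, and leastCommonAncestor begins and ends outside this hunk.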
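--- a/trunk/Source/_javascript_Core/tests/typeProfiler/weird-prototype-chain.js
+++ b/trunk/Source/_javascript_Core/tests/typeProfiler/weird-prototype-chain.js
@@ -0,0 +1,21 @@
+load("./driver/driver.js");
+
+function wrapper() {
+
+function foo(o) {
+ let variableName = o;
+ return variableName;
+}
+let o1 = new Number;
+o1.__proto__ = null;
+foo(o1);
+
+let o2 = function() {}
+foo(o2);
+
+}
+wrapper();
+
+// ====== End test cases ======
+var types = findTypeForExpression(wrapper, "variableName;");
+assert(types.instructionTypeSet.displayTypeName === "Object", "'Object' should be our TOP.");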
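Review bot: Neither test case says why its prototype chain is "weird", so a reader cannot tell which path in StructureShape::leastCommonAncestor the file exercises; `o1.__proto__ = null;` and the `let o2 = function() {}` case each deserve a one-line comment such as `// o1's chain ends without reaching Object.prototype; comparing it with o2 walks off the end of the chain.` The single assertion on displayTypeName matches what the new fallback promises, so the check itself is adequate. Minor style: `let o2 = function() {}` is the only statement in the file without a terminating semicolon, and `new Number` omits its parentheses; `let o2 = function() {};` and `new Number()` would match the rest of the file.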