- Revision
- 266496
- Author
- msab...@apple.com
- Date
- 2020-09-02 16:58:08 -0700 (Wed, 02 Sep 2020)
Log Message
ASSERTION FAILED: value.isCell() && value.asCell()->type() == CustomGetterSetterType ./bytecode/ObjectPropertyConditionSet.cpp
https://bugs.webkit.org/show_bug.cgi?id=216103
Reviewed by Saam Barati.
JSTests:
New test.
* stress/custom-get-set-override.js: Added.
(overrideFunction.o.customFunction):
(overrideFunction):
Source/_javascript_Core:
Changed the ASSERT to an if statement. This checks whether the property, which has likely just been changed,
is still a custom getter setter before caching its access as such.
* bytecode/ObjectPropertyConditionSet.cpp:
(JSC::generateConditionsForPrototypePropertyHitCustom):
* tools/JSDollarVM.cpp: Added test helper function.
Diff
Modified: trunk/JSTests/ChangeLog (266495 => 266496)
--- trunk/JSTests/ChangeLog 2020-09-02 23:34:16 UTC (rev 266495)
+++ trunk/JSTests/ChangeLog 2020-09-02 23:58:08 UTC (rev 266496)
@@ -1,3 +1,16 @@
+2020-09-02 Michael Saboff <msab...@apple.com>
+
+ ASSERTION FAILED: value.isCell() && value.asCell()->type() == CustomGetterSetterType ./bytecode/ObjectPropertyConditionSet.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=216103
+
+ Reviewed by Saam Barati.
+
+ New teset.
+
+ * stress/custom-get-set-override.js: Added.
+ (overrideFunction.o.customFunction):
+ (overrideFunction):
+
2020-09-02 Caio Lima <ticaiol...@gmail.com>
[ARMv7] Skip stress/intl-segmenter.js
Added: trunk/JSTests/stress/custom-get-set-override.js (0 => 266496)
--- trunk/JSTests/stress/custom-get-set-override.js (rev 0)
+++ trunk/JSTests/stress/custom-get-set-override.js 2020-09-02 23:58:08 UTC (rev 266496)
@@ -0,0 +1,18 @@
+// Verify that changing a custom setter to a Function doesn't cause any issues.
+
+function overrideFunction() {
+ let o = {};
+ let customThingy = $vm.createCustomTestGetterSetter();
+ o.__proto__ = customThingy;
+
+ o.customFunction = function() {
+ Object.defineProperty(customThingy, "customFunction", {
+ value: 42
+ });
+ };
+}
+noInline(overrideFunction);
+
+for (let i = 0; i < 1000; ++i) {
+ overrideFunction();
+}
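Review bot: The test asserts nothing, so it fails only where the debug ASSERT or a crash fires. In a build with assertions compiled out it would still pass if the property were wrongly cached as a custom setter after being redefined. After the `o.customFunction = function() { ... }` assignment in `overrideFunction`, consider checking the observable result, e.g. `if (customThingy.customFunction !== 42) throw new Error("customFunction was not redefined");` (this presumes the `defineProperty` call succeeds on that object). The header comment could also say that the setter installed by `$vm.createCustomTestGetterSetter()` calls the assigned function, which is what redefines the property while the store is still in progress.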
Modified: trunk/Source/_javascript_Core/ChangeLog (266495 => 266496)
--- trunk/Source/_javascript_Core/ChangeLog 2020-09-02 23:34:16 UTC (rev 266495)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-09-02 23:58:08 UTC (rev 266496)
@@ -1,3 +1,17 @@
+2020-09-02 Michael Saboff <msab...@apple.com>
+
+ ASSERTION FAILED: value.isCell() && value.asCell()->type() == CustomGetterSetterType ./bytecode/ObjectPropertyConditionSet.cpp
+ https://bugs.webkit.org/show_bug.cgi?id=216103
+
+ Reviewed by Saam Barati.
+
+ Changed the ASSERT to an if statement. This checks to see if, the likely newly changed,
+ property is still a custom getter setter before caching its access as such.
+
+ * bytecode/ObjectPropertyConditionSet.cpp:
+ (JSC::generateConditionsForPrototypePropertyHitCustom):
+ * tools/JSDollarVM.cpp: Added test helper function.
+
2020-09-01 Yusuke Suzuki <ysuz...@apple.com>
Skip fast/css-custom-paint/out-of-memory-while-adding-worklet-module.html if Gigacage is not enabled
Modified: trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.cpp (266495 => 266496)
--- trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.cpp 2020-09-02 23:34:16 UTC (rev 266495)
+++ trunk/Source/_javascript_Core/bytecode/ObjectPropertyConditionSet.cpp 2020-09-02 23:58:08 UTC (rev 266496)
@@ -400,7 +400,13 @@
// notices a custom, it must be a CustomGetterSetterType cell or something
// in the static property table. Custom values get reified into CustomGetterSetters.
JSValue value = object->getDirect(offset);
- ASSERT_UNUSED(value, value.isCell() && value.asCell()->type() == CustomGetterSetterType);
+
+ if (!value.isCell() || value.asCell()->type() != CustomGetterSetterType) {
+ // The value could have just got changed to some other type, so check if it's still
+ // a custom getter setter.
+ return false;
+ }
+
kind = PropertyCondition::Equivalence;
} else if (structure->findPropertyHashEntry(uid))
kind = PropertyCondition::CustomFunctionEquivalence;
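Review bot: The context comment just above the new check still says a custom property "must be a CustomGetterSetterType cell", while the added `if` treats that as something that can be false, so the two comments now contradict each other. I would reword the new comment to give the cause, e.g. `// Running the custom setter can redefine this property before we get here, so the slot may no longer hold a CustomGetterSetter; bail out rather than cache a stale custom access.` It is also worth recording that this must be a runtime check: `ASSERT_UNUSED` is presumably compiled out of release builds, where the old code would have gone on to set `PropertyCondition::Equivalence` for a value of another type. The enclosing block in `generateConditionsForPrototypePropertyHitCustom` starts and ends outside this hunk, so what `return false` means to the caller is not visible here.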
Modified: trunk/Source/_javascript_Core/tools/JSDollarVM.cpp (266495 => 266496)
--- trunk/Source/_javascript_Core/tools/JSDollarVM.cpp 2020-09-02 23:34:16 UTC (rev 266495)
+++ trunk/Source/_javascript_Core/tools/JSDollarVM.cpp 2020-09-02 23:58:08 UTC (rev 266496)
@@ -1485,6 +1485,23 @@
return true;
}
+static bool customFunctionSetter(JSGlobalObject* globalObject, EncodedJSValue, EncodedJSValue encodedValue)
+{
+ DollarVMAssertScope assertScope;
+ VM& vm = globalObject->vm();
+
+ JSValue value = JSValue::decode(encodedValue);
+ JSFunction* function = jsDynamicCast<JSFunction*>(vm, value);
+ if (!function)
+ return false;
+
+ auto callData = getCallData(vm, function);
+ MarkedArgumentBuffer args;
+ call(globalObject, function, callData, jsUndefined(), args);
+
+ return true;
+}
+
void JSTestCustomGetterSetter::finishCreation(VM& vm)
{
DollarVMAssertScope assertScope;
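Review bot: `customFunctionSetter` returns `true` even when the function it invokes throws, because nothing checks for a pending exception after `call(globalObject, function, callData, jsUndefined(), args);`. The usual JavaScriptCore pattern is `auto scope = DECLARE_THROW_SCOPE(vm);` right after `VM& vm = globalObject->vm();` and `RETURN_IF_EXCEPTION(scope, false);` after the call. Without it, builds that validate exception checks may flag this helper. A short comment above the function would also help, such as `// Test-only setter: calls the assigned function so a test can change the property while the store is in progress.` This hunk ends inside `JSTestCustomGetterSetter::finishCreation`, whose body continues in the next hunk.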
@@ -1499,6 +1516,9 @@
putDirectCustomAccessor(vm, Identifier::fromString(vm, "customAccessorGlobalObject"),
CustomGetterSetter::create(vm, customGetAccessorGlobalObject, nullptr), static_cast<unsigned>(PropertyAttribute::CustomAccessor));
+ putDirectCustomAccessor(vm, Identifier::fromString(vm, "customFunction"),
+ CustomGetterSetter::create(vm, customGetAccessor, customFunctionSetter), static_cast<unsigned>(PropertyAttribute::CustomAccessor));
+
}
const ClassInfo Element::s_info = { "Element", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(Element) };