Attachment 372851 Details for
Bug 196315
: Structure::create should call didBecomePrototype()
[patch]
Patch
bug-196315-20190625115745.patch (text/plain), 5.98 KB, created by
Keith Miller
on 2019-06-25 11:57:46 PDT
Description:
Patch
Filename:
MIME Type:
Creator:
Keith Miller
Created:
2019-06-25 11:57:46 PDT
Size:
5.98 KB
patch
obsolete
>Subversion Revision: 246780
>diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
>index b2fef6a3164ab867c58a8f425426bec9603628a0..7b9eddcc7a9ea9da3c8c93cbcb686b6330053383 100644
>--- a/Source/JavaScriptCore/ChangeLog
>+++ b/Source/JavaScriptCore/ChangeLog
>@@ -1,3 +1,23 @@
>+2019-06-25 Keith Miller <keith_miller@apple.com>
>+
>+ Structure::create should call didBecomePrototype()
>+ https://bugs.webkit.org/show_bug.cgi?id=196315
>+
>+ Reviewed by NOBODY (OOPS!).
>+
>+ Structure::create should also assert that the indexing type makes sense
>+ for the prototype being used.
>+
>+ * runtime/JSObject.h:
>+ * runtime/Structure.cpp:
>+ (JSC::Structure::isValidPrototype):
>+ (JSC::Structure::changePrototypeTransition):
>+ * runtime/Structure.h:
>+ (JSC::Structure::create): Deleted.
>+ * runtime/StructureInlines.h:
>+ (JSC::Structure::create):
>+ (JSC::Structure::setPrototypeWithoutTransition):
>+
> 2019-06-24 Commit Queue <commit-queue@webkit.org>
>
> Unreviewed, rolling out r246714.
>diff --git a/Source/JavaScriptCore/runtime/JSObject.h b/Source/JavaScriptCore/runtime/JSObject.h
>index e0b875a9d3954cae4040111b936cba9dbe57c8a4..e1b2185739e5b4d6cfac8e21f9b5942664d75c50 100644
>--- a/Source/JavaScriptCore/runtime/JSObject.h
>+++ b/Source/JavaScriptCore/runtime/JSObject.h
>@@ -744,7 +744,7 @@ public:
> bool isSealed(VM& vm) { return structure(vm)->isSealed(vm); }
> bool isFrozen(VM& vm) { return structure(vm)->isFrozen(vm); }
>
>- bool anyObjectInChainMayInterceptIndexedAccesses(VM&) const;
>+ JS_EXPORT_PRIVATE bool anyObjectInChainMayInterceptIndexedAccesses(VM&) const;
> JS_EXPORT_PRIVATE bool prototypeChainMayInterceptStoreTo(VM&, PropertyName);
> bool needsSlowPutIndexing(VM&) const;
>
>diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp
>index ff38bb987bf3b645136f428e9cae33f1b5729f4c..293c46472e748941ca9cc2adac16a3d2dc5deeec 100644
>--- a/Source/JavaScriptCore/runtime/Structure.cpp
>+++ b/Source/JavaScriptCore/runtime/Structure.cpp
>@@ -321,6 +321,11 @@ Structure* Structure::create(PolyProtoTag, VM& vm, JSGlobalObject* globalObject,
> return result;
> }
>
>+bool Structure::isValidPrototype(JSValue prototype)
>+{
>+ return prototype.isNull() || (prototype.isObject() && prototype.getObject()->mayBePrototype());
>+}
>+
> void Structure::findStructuresAndMapForMaterialization(Vector<Structure*, 8>& structures, Structure*& structure, PropertyTable*& table)
> {
> ASSERT(structures.isEmpty());
>@@ -544,7 +549,7 @@ Structure* Structure::removePropertyTransition(VM& vm, Structure* structure, Pro
>
> Structure* Structure::changePrototypeTransition(VM& vm, Structure* structure, JSValue prototype, DeferredStructureTransitionWatchpointFire& deferred)
> {
>- ASSERT(prototype.isObject() || prototype.isNull());
>+ ASSERT(isValidPrototype(prototype));
>
> DeferGC deferGC(vm.heap);
> Structure* transition = create(vm, structure, &deferred);
>diff --git a/Source/JavaScriptCore/runtime/Structure.h b/Source/JavaScriptCore/runtime/Structure.h
>index 4b0d031d44038dcb2e90bb760c51c41d4a7f1088..c6a65e424b0eeda372f5cfc733e5740921ac3c2b 100644
>--- a/Source/JavaScriptCore/runtime/Structure.h
>+++ b/Source/JavaScriptCore/runtime/Structure.h
>@@ -138,11 +138,13 @@ public:
> return &vm.structureSpace;
> }
>
>+ JS_EXPORT_PRIVATE static bool isValidPrototype(JSValue);
>+
> protected:
> void finishCreation(VM& vm)
> {
> Base::finishCreation(vm);
>- ASSERT(m_prototype.get().isEmpty() || m_prototype.isObject() || m_prototype.isNull());
>+ ASSERT(m_prototype.get().isEmpty() || isValidPrototype(m_prototype.get()));
> }
>
> void finishCreation(VM& vm, const Structure* previous)
>@@ -786,16 +788,4 @@ private:
> uint32_t m_propertyHash;
> };
>
>-// We deliberately put Structure::create here in Structure.h instead of StructureInlines.h, because
>-// it is used everywhere. This is so we don't have to hunt down all the places where we would need
>-// to #include StructureInlines.h otherwise.
>-inline Structure* Structure::create(VM& vm, JSGlobalObject* globalObject, JSValue prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity)
>-{
>- ASSERT(vm.structureStructure);
>- ASSERT(classInfo);
>- Structure* structure = new (NotNull, allocateCell<Structure>(vm.heap)) Structure(vm, globalObject, prototype, typeInfo, classInfo, indexingType, inlineCapacity);
>- structure->finishCreation(vm);
>- return structure;
>-}
>-
> } // namespace JSC
>diff --git a/Source/JavaScriptCore/runtime/StructureInlines.h b/Source/JavaScriptCore/runtime/StructureInlines.h
>index 4a30f37dd75a63150375b891f9de8210d4433f0c..e3fcaef0c1593debef2e59e42e9511873ba097c0 100644
>--- a/Source/JavaScriptCore/runtime/StructureInlines.h
>+++ b/Source/JavaScriptCore/runtime/StructureInlines.h
>@@ -35,6 +35,20 @@
>
> namespace JSC {
>
>+inline Structure* Structure::create(VM& vm, JSGlobalObject* globalObject, JSValue prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity)
>+{
>+ ASSERT(vm.structureStructure);
>+ ASSERT(classInfo);
>+ if (auto* object = prototype.getObject()) {
>+ ASSERT(!object->anyObjectInChainMayInterceptIndexedAccesses(vm) || hasSlowPutArrayStorage(indexingType) || !hasIndexedProperties(indexingType));
>+ object->didBecomePrototype();
>+ }
>+
>+ Structure* structure = new (NotNull, allocateCell<Structure>(vm.heap)) Structure(vm, globalObject, prototype, typeInfo, classInfo, indexingType, inlineCapacity);
>+ structure->finishCreation(vm);
>+ return structure;
>+}
>+
> inline Structure* Structure::createStructure(VM& vm)
> {
> ASSERT(!vm.structureStructure);
>@@ -493,6 +507,7 @@ inline PropertyOffset Structure::removePropertyWithoutTransition(VM&, PropertyNa
>
> ALWAYS_INLINE void Structure::setPrototypeWithoutTransition(VM& vm, JSValue prototype)
> {
>+ ASSERT(isValidPrototype(prototype));
> m_prototype.set(vm, this, prototype);
> }
>
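Review bot: The new isValidPrototype() requires mayBePrototype() on any object prototype, which turns the asserts in changePrototypeTransition() here and in setPrototypeWithoutTransition() (StructureInlines.h hunk) into a precondition that the caller has already marked the object via didBecomePrototype(), while create() performs that marking itself; this asymmetric contract is not documented anywhere in the patch. Suggest a comment on the declaration added to Structure.h: `// True for null, or for an object already flagged via didBecomePrototype(); the prototype-transition APIs assert this and rely on their callers to set the flag.` Whether every existing caller of changePrototypeTransition() and setPrototypeWithoutTransition() already calls didBecomePrototype() cannot be confirmed from this diff, and a miss would only surface in debug builds since ASSERT is compiled out in release. Both changePrototypeTransition() and setPrototypeWithoutTransition() continue outside their hunks.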
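Review bot: The indexing-type ASSERT added inside the `if (auto* object = prototype.getObject())` branch of Structure::create has no comment, and its three-way condition (no indexed interception in the chain, or slow-put array storage, or no indexed properties) does not explain why those are the only acceptable combinations. Suggest preceding it with `// A prototype chain that may intercept indexed accesses must never sit under fast indexed storage, otherwise the fast path could bypass the interception; slow-put storage or no indexed properties is required.` Since ASSERT is a debug-only check, this documents an invariant rather than enforcing it at runtime, and that is worth stating so nobody reads it as a release-mode guard. Note also that didBecomePrototype() runs before finishCreation(), which presumably is what makes the isValidPrototype() assert in finishCreation() hold for a fresh prototype; a one-line comment confirming that ordering dependency would help future readers.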