Title: [274406] trunk/Source/_javascript_Core
Revision
274406
Author
[email protected]
Date
2021-03-14 15:18:40 -0700 (Sun, 14 Mar 2021)

Log Message

REGRESSION (r274308): Two assertions in JSGlobalObject::defineOwnProperty() are failing
https://bugs.webkit.org/show_bug.cgi?id=223134

Reviewed by Yusuke Suzuki.

This patch:

1. Simplifies exception check after validateAndApplyPropertyDescriptor() as it
   conditionally throws on failure.
2. Creates new SymbolTableEntry when global variable is redefined as read-only
   because setAttributes() performs pack(), which doesn't support fat entries.

Due to #2, symbolTableGet() overload is simplified to return fast entry, and
setAttributes() is removed as unused.

* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::defineOwnProperty):
* runtime/JSSymbolTableObject.h:
(JSC::symbolTableGet):
* runtime/SymbolTable.h:
(JSC::SymbolTableEntry::getAttributes const):
(JSC::SymbolTableEntry::setAttributes): Deleted.

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (274405 => 274406)


--- trunk/Source/_javascript_Core/ChangeLog	2021-03-14 22:12:11 UTC (rev 274405)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-03-14 22:18:40 UTC (rev 274406)
@@ -1,3 +1,28 @@
+2021-03-14  Alexey Shvayka  <[email protected]>
+
+        REGRESSION (r274308): Two assertions in JSGlobalObject::defineOwnProperty() are failing
+        https://bugs.webkit.org/show_bug.cgi?id=223134
+
+        Reviewed by Yusuke Suzuki.
+
+        This patch:
+
+        1. Simplifies exception check after validateAndApplyPropertyDescriptor() as it
+           conditionally throws on failure.
+        2. Creates new SymbolTableEntry when global variable is redefined as read-only
+           because setAttributes() performs pack(), which doesn't support fat entries.
+
+        Due to #2, symbolTableGet() overload is simplified to return fast entry, and
+        setAttributes() is removed as unused.
+
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::defineOwnProperty):
+        * runtime/JSSymbolTableObject.h:
+        (JSC::symbolTableGet):
+        * runtime/SymbolTable.h:
+        (JSC::SymbolTableEntry::getAttributes const):
+        (JSC::SymbolTableEntry::setAttributes): Deleted.
+
 2021-03-14  Yusuke Suzuki  <[email protected]>
 
         [Big Sur arm64] testb3 crashing

Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (274405 => 274406)


--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp	2021-03-14 22:12:11 UTC (rev 274405)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp	2021-03-14 22:18:40 UTC (rev 274406)
@@ -1484,13 +1484,13 @@
     auto scope = DECLARE_THROW_SCOPE(vm);
     JSGlobalObject* thisObject = jsCast<JSGlobalObject*>(object);
 
-    SymbolTableEntry entry;
+    SymbolTableEntry::Fast entry;
     PropertyDescriptor currentDescriptor;
     if (symbolTableGet(thisObject, propertyName, entry, currentDescriptor)) {
         bool isExtensible = false; // ignored since current descriptor is present
         bool isCurrentDefined = true;
         bool isCompatibleDescriptor = validateAndApplyPropertyDescriptor(globalObject, nullptr, propertyName, isExtensible, descriptor, isCurrentDefined, currentDescriptor, shouldThrow);
-        EXCEPTION_ASSERT(!!scope.exception() == !isCompatibleDescriptor);
+        RETURN_IF_EXCEPTION(scope, false);
         if (!isCompatibleDescriptor)
             return false;
 
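Review bot: The new `SymbolTableEntry::Fast entry;` on the `+` line is a packed by-value snapshot filled in by `symbolTableGet()` (which reads it under the symbol table lock in JSSymbolTableObject.h), so nothing written to `entry` afterwards reaches the table; later in the function the table is updated by building a fresh entry and calling `set()`. That contract is easy to miss for a reader who remembers the previous `SymbolTableEntry entry;` form, so I would add a line of intent above it: `// Packed snapshot of the table entry; the table itself is only updated via symbolTable()->set() below.` The enclosing `defineOwnProperty` starts before and continues after this hunk.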
@@ -1502,8 +1502,7 @@
             scope.assertNoException();
         }
         if (descriptor.writablePresent() && !descriptor.writable() && !entry.isReadOnly()) {
-            entry.setAttributes(static_cast<unsigned>(PropertyAttribute::ReadOnly));
-            thisObject->symbolTable()->set(propertyName.uid(), entry);
+            thisObject->symbolTable()->set(propertyName.uid(), SymbolTableEntry(entry.varOffset(), entry.getAttributes() | PropertyAttribute::ReadOnly));
             thisObject->varReadOnlyWatchpoint()->fireAll(vm, "GlobalVar was redefined as ReadOnly");
         }
         return true;
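Review bot: The replacement entry on the new `set()` line is built only from `entry.varOffset()` and `entry.getAttributes() | PropertyAttribute::ReadOnly`, so whatever the previous table entry carried beyond those packed bits (the changelog mentions fat entries, which this path was changed specifically to avoid packing) is not carried over. If a fat entry can own a per-variable watchpoint set, replacing it without firing that set would leave dependents of the old entry unnotified; the `varReadOnlyWatchpoint()->fireAll` call only covers the read-only transition. I cannot see the fat-entry layout from this hunk, so this may well be intended; a one-line comment stating the invariant would make it explicit, e.g. `// Rebuild the entry rather than setAttributes(): pack() cannot handle fat entries; any fat state is intentionally dropped because <reason>.` The body of `defineOwnProperty` continues outside the hunk.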

Modified: trunk/Source/_javascript_Core/runtime/JSSymbolTableObject.h (274405 => 274406)


--- trunk/Source/_javascript_Core/runtime/JSSymbolTableObject.h	2021-03-14 22:12:11 UTC (rev 274405)
+++ trunk/Source/_javascript_Core/runtime/JSSymbolTableObject.h	2021-03-14 22:18:40 UTC (rev 274406)
@@ -99,7 +99,7 @@
 
 template<typename SymbolTableObjectType>
 inline bool symbolTableGet(
-    SymbolTableObjectType* object, PropertyName propertyName, SymbolTableEntry& entry, PropertyDescriptor& descriptor)
+    SymbolTableObjectType* object, PropertyName propertyName, SymbolTableEntry::Fast& entry, PropertyDescriptor& descriptor)
 {
     SymbolTable& symbolTable = *object->symbolTable();
     ConcurrentJSLocker locker(symbolTable.m_lock);
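Review bot: The `entry` out-parameter now has type `SymbolTableEntry::Fast&`, i.e. callers receive a packed copy taken while `symbolTable.m_lock` is held and can no longer write that value back into the table with `set()` without losing any non-packed state, so the overload's contract has changed even though its name and return value have not. I would document that above the template: `// Fills `entry` with a packed snapshot of the table entry (taken under m_lock) and `descriptor` with the matching property descriptor; the snapshot is not a handle into the table.` Whether `entry`/`descriptor` are only written when the function returns true cannot be confirmed here, since the body runs past the hunk, so the comment should state that part only if the remainder of the function bears it out.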

Modified: trunk/Source/_javascript_Core/runtime/SymbolTable.h (274405 => 274406)


--- trunk/Source/_javascript_Core/runtime/SymbolTable.h	2021-03-14 22:12:11 UTC (rev 274405)
+++ trunk/Source/_javascript_Core/runtime/SymbolTable.h	2021-03-14 22:18:40 UTC (rev 274406)
@@ -263,11 +263,6 @@
     {
         return getFast().getAttributes();
     }
-    
-    void setAttributes(unsigned attributes)
-    {
-        pack(varOffset(), isWatchable(), attributes & PropertyAttribute::ReadOnly, attributes & PropertyAttribute::DontEnum);
-    }
 
     bool isReadOnly() const
     {