Bug 101720

Summary: If the DFG ArrayMode says that an access is on an OriginalArray, then the checks should always enforce this
Product: WebKit
Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCore
Assignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED
Severity: Normal
CC: barraclough, ggaren, mark.lam, mhahnenberg, msaboff, oliver, sam
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 101718

Filip Pizlo
Reported 2012-11-09 00:25:00 PST
This allows us to cheaply validate whether or not a JSArray still has a sane prototype chain, even if we're not using a structure check.
Attachments
the patch (10.51 KB, patch), 2012-11-09 14:26 PST, Filip Pizlo, mhahnenberg: review-
the patch (19.92 KB, patch), 2012-11-09 17:36 PST, Filip Pizlo, mhahnenberg: review+
Filip Pizlo
Comment 1 2012-11-09 14:26:13 PST
Created attachment 173365 the patch
Mark Hahnenberg
Comment 2 2012-11-09 14:36:01 PST
Comment on attachment 173365 the patch
r- after doing some rubber ducky. Gotta watch out for "primordial" array structures from other global objects.
Filip Pizlo
Comment 3 2012-11-09 14:51:38 PST
(In reply to comment #2)
> (From update of attachment 173365)
> r- after doing some rubber ducky. Gotta watch out for "primordial" array structures from other global objects.
Yeah. There's a much better way to do this. Just go full retard with OriginalArray.
Filip Pizlo
Comment 4 2012-11-09 17:36:35 PST
Created attachment 173414 the patch
Mark Hahnenberg
Comment 5 2012-11-09 18:01:37 PST
Comment on attachment 173414 the patch
r=me
Filip Pizlo
Comment 6 2012-11-09 21:54:49 PST