REGRESSION(r192536): Null pointer dereference in JSPropertyNameEnumerator::visitChildren().

<https://webkit.org/b/151495>

Reviewed by Mark Lam.

Source/JavaScriptCore:

The copied space allocation in JSPropertyNameEnumerator::finishCreation()
may end up triggering a GC, and so JSPropertyNameEnumerator::visitChildren()
would get called while m_propertyNames was still null.

This patch fixes that by having visitChildren() check for pointer nullity
instead of the number of names, since that is non-zero even before the
allocation is made.

Added a test that induces GC during JSPropertyNameEnumerator construction
to cover this bug.

Test: property-name-enumerator-gc-151495.js

* runtime/JSPropertyNameEnumerator.cpp:
(JSC::JSPropertyNameEnumerator::visitChildren):

LayoutTests:

* js/property-name-enumerator-gc-151495.html: Added.
* js/property-name-enumerator-gc-151495-expected.txt: Added.
* js/script-tests/property-name-enumerator-gc-151495.js: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@192722 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Author: [email protected]

LayoutTests/ChangeLog

@@ -1,3 +1,14 @@
+2015-11-20  Andreas Kling  <[email protected]>
+
+        REGRESSION(r192536): Null pointer dereference in JSPropertyNameEnumerator::visitChildren().
+        <https://webkit.org/b/151495>
+
+        Reviewed by Mark Lam.
+
+        * js/property-name-enumerator-gc-151495.html: Added.
+        * js/property-name-enumerator-gc-151495-expected.txt: Added.
+        * js/script-tests/property-name-enumerator-gc-151495.js: Added.
+
 2015-11-20  Brady Eidson  <[email protected]>
 
         Modern IDB: After versionchange transactions complete, fire onsuccess on the original IDBOpenDBRequest

LayoutTests/js/property-name-enumerator-gc-151495-expected.txt

@@ -0,0 +1,9 @@
+Regression test for https://webkit.org/b/151495. - This test should not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

LayoutTests/js/property-name-enumerator-gc-151495.html

@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="script-tests/property-name-enumerator-gc-151495.js"></script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>

LayoutTests/js/script-tests/property-name-enumerator-gc-151495.js

@@ -0,0 +1,9 @@
+description("Regression test for https://webkit.org/b/151495. - This test should not crash.");
+
+var x = { a: 1, b: 2, c: 3, d: 4, e: 5, f: 6 };
+for (i = 0; i < 2000; ++i) {
+    // Keep adding new properties...
+    x["foo" + i] = 1;
+    // ...to force creation of new JSPropertyNameEnumerator objects.
+    for (j in x) { }
+}

Source/JavaScriptCore/ChangeLog

@@ -1,3 +1,26 @@
+2015-11-20  Andreas Kling  <[email protected]>
+
+        REGRESSION(r192536): Null pointer dereference in JSPropertyNameEnumerator::visitChildren().
+        <https://webkit.org/b/151495>
+
+        Reviewed by Mark Lam.
+
+        The copied space allocation in JSPropertyNameEnumerator::finishCreation()
+        may end up triggering a GC, and so JSPropertyNameEnumerator::visitChildren()
+        would get called while m_propertyNames was still null.
+
+        This patch fixes that by having visitChildren() check for pointer nullity
+        instead of the number of names, since that is non-zero even before the
+        allocation is made.
+
+        Added a test that induces GC during JSPropertyNameEnumerator construction
+        to cover this bug.
+
+        Test: property-name-enumerator-gc-151495.js
+
+        * runtime/JSPropertyNameEnumerator.cpp:
+        (JSC::JSPropertyNameEnumerator::visitChildren):
+
 2015-11-20  Andreas Kling  <[email protected]>
 
         GC timers should carry on gracefully when Heap claims it grew from GC.

Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.cpp

@@ -89,12 +89,12 @@ void JSPropertyNameEnumerator::visitChildren(JSCell* cell, SlotVisitor& visitor)
     JSPropertyNameEnumerator* thisObject = jsCast<JSPropertyNameEnumerator*>(cell);
     visitor.append(&thisObject->m_prototypeChain);
 
-    if (thisObject->cachedPropertyNameCount()) {
+    if (auto* propertyNames = thisObject->m_propertyNames.getWithoutBarrier()) {
         for (unsigned i = 0; i < thisObject->cachedPropertyNameCount(); ++i)
-            visitor.append(&thisObject->m_propertyNames.getWithoutBarrier()[i]);
+            visitor.append(&propertyNames[i]);
         visitor.copyLater(
             thisObject, JSPropertyNameEnumeratorCopyToken,
-            thisObject->m_propertyNames.getWithoutBarrier(), thisObject->propertyNameCacheSize());
+            propertyNames, thisObject->propertyNameCacheSize());
     }
 }