Changeset 168510 in webkit for trunk/Source/JavaScriptCore/jsc.cpp

Timestamp:

May 8, 2014, 5:22:30 PM (11 years ago)

Author:

[email protected]

Message:

Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
​https://bugs.webkit.org/show_bug.cgi?id=132695

Reviewed by Filip Pizlo.

We check in the case where we're accessing something other than the base object (e.g. the prototype),
but we fail to do so for the base object.

• jit/Repatch.cpp:

(JSC::tryCacheGetByID):
(JSC::tryBuildGetByIDList):

• jsc.cpp: Added some infrastructure to support this test. We don't currently trigger this bug anywhere in WebKit

because all of the values that are returned that could be impure are set to uncacheable anyways.
(WTF::ImpureGetter::ImpureGetter):
(WTF::ImpureGetter::createStructure):
(WTF::ImpureGetter::create):
(WTF::ImpureGetter::finishCreation):
(WTF::ImpureGetter::getOwnPropertySlot):
(WTF::ImpureGetter::visitChildren):
(WTF::ImpureGetter::setDelegate):
(GlobalObject::finishCreation):
(functionCreateImpureGetter):
(functionSetImpureGetterDelegate):

• tests/stress/impure-get-own-property-slot-inline-cache.js: Added.

(foo):

File:

• trunk/Source/JavaScriptCore/jsc.cpp (modified) (4 diffs)

trunk/Source/JavaScriptCore/jsc.cpp

@@ -220 +220 @@
 };
 
+class ImpureGetter : public JSNonFinalObject {
+public:
+    ImpureGetter(VM& vm, Structure* structure)
+        : Base(vm, structure)
+    {
+    }
+
+    DECLARE_INFO;
+    typedef JSNonFinalObject Base;
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
+    }
+
+    static ImpureGetter* create(VM& vm, Structure* structure, JSObject* delegate)
+    {
+        ImpureGetter* getter = new (NotNull, allocateCell<ImpureGetter>(vm.heap, sizeof(ImpureGetter))) ImpureGetter(vm, structure);
+        getter->finishCreation(vm, delegate);
+        return getter;
+    }
+
+    void finishCreation(VM& vm, JSObject* delegate)
+    {
+        Base::finishCreation(vm);
+        if (delegate)
+            m_delegate.set(vm, this, delegate);
+    }
+
+    static const unsigned StructureFlags = JSC::HasImpureGetOwnPropertySlot | JSC::OverridesGetOwnPropertySlot | JSC::OverridesVisitChildren | Base::StructureFlags;
+
+    static bool getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName name, PropertySlot& slot)
+    {
+        ImpureGetter* thisObject = jsCast<ImpureGetter*>(object);
+        
+        if (thisObject->m_delegate && thisObject->m_delegate->getPropertySlot(exec, name, slot))
+            return true;
+
+        return Base::getOwnPropertySlot(object, exec, name, slot);
+    }
+
+    static void visitChildren(JSCell* cell, SlotVisitor& visitor)
+    {
+        Base::visitChildren(cell, visitor);
+        ImpureGetter* thisObject = jsCast<ImpureGetter*>(cell);
+        visitor.append(&thisObject->m_delegate);
+    }
+
+    void setDelegate(VM& vm, JSObject* delegate)
+    {
+        m_delegate.set(vm, this, delegate);
+    }
+
+private:
+    WriteBarrier<JSObject> m_delegate;
+};
+
 const ClassInfo Element::s_info = { "Element", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(Element) };
 const ClassInfo Masquerader::s_info = { "Masquerader", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(Masquerader) };
 const ClassInfo Root::s_info = { "Root", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(Root) };
+const ClassInfo ImpureGetter::s_info = { "ImpureGetter", &Base::s_info, 0, 0, CREATE_METHOD_TABLE(ImpureGetter) };
 
 ElementHandleOwner* Element::handleOwner()
@@ -243 +301 @@
 
 static EncodedJSValue JSC_HOST_CALL functionCreateProxy(ExecState*);
+static EncodedJSValue JSC_HOST_CALL functionCreateImpureGetter(ExecState*);
+static EncodedJSValue JSC_HOST_CALL functionSetImpureGetterDelegate(ExecState*);
 
 static EncodedJSValue JSC_HOST_CALL functionSetElementRoot(ExecState*);
@@ -422 +482 @@
 
         addFunction(vm, "createProxy", functionCreateProxy, 1);
+
+        addFunction(vm, "createImpureGetter", functionCreateImpureGetter, 1);
+        addFunction(vm, "setImpureGetterDelegate", functionSetImpureGetterDelegate, 2);
         
         JSArray* array = constructEmptyArray(globalExec(), 0);
@@ -590 +653 @@
     JSProxy* proxy = JSProxy::create(exec->vm(), structure, jsTarget);
     return JSValue::encode(proxy);
+}
+
+EncodedJSValue JSC_HOST_CALL functionCreateImpureGetter(ExecState* exec)
+{
+    JSLockHolder lock(exec);
+    JSValue target = exec->argument(0);
+    JSObject* delegate = nullptr;
+    if (target.isObject())
+        delegate = asObject(target.asCell());
+    Structure* structure = ImpureGetter::createStructure(exec->vm(), exec->lexicalGlobalObject(), jsNull());
+    ImpureGetter* result = ImpureGetter::create(exec->vm(), structure, delegate);
+    return JSValue::encode(result);
+}
+
+EncodedJSValue JSC_HOST_CALL functionSetImpureGetterDelegate(ExecState* exec)
+{
+    JSLockHolder lock(exec);
+    JSValue base = exec->argument(0);
+    if (!base.isObject())
+        return JSValue::encode(jsUndefined());
+    JSValue delegate = exec->argument(1);
+    if (!delegate.isObject())
+        return JSValue::encode(jsUndefined());
+    ImpureGetter* impureGetter = jsCast<ImpureGetter*>(asObject(base.asCell()));
+    impureGetter->setDelegate(exec->vm(), asObject(delegate.asCell()));
+    return JSValue::encode(jsUndefined());
 }