Changeset 178751 in webkit for trunk/Source/JavaScriptCore/jit

Timestamp:

Jan 20, 2015, 1:14:48 PM (10 years ago)

Author:

Yusuke Suzuki

Message:

put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
​https://bugs.webkit.org/show_bug.cgi?id=140426

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

In the put_by_val_direct operation, we use JSObject::putDirect.
However, it only accepts non-index property. For index property, we need to use JSObject::putDirectIndex.
This patch changes Identifier::asIndex() to return Optional<uint32_t>.
It forces callers to check the value is index or not explicitly.
Additionally, it checks toString-ed Identifier is index or not to choose putDirect / putDirectIndex.

• bytecode/GetByIdStatus.cpp:

(JSC::GetByIdStatus::computeFor):

• bytecode/PutByIdStatus.cpp:

(JSC::PutByIdStatus::computeFor):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitDirectPutById):

• dfg/DFGOperations.cpp:

(JSC::DFG::operationPutByValInternal):

• jit/JITOperations.cpp:
• jit/Repatch.cpp:

(JSC::emitPutTransitionStubAndGetOldStructure):

• jsc.cpp:
• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• runtime/Arguments.cpp:

(JSC::Arguments::getOwnPropertySlot):
(JSC::Arguments::put):
(JSC::Arguments::deleteProperty):
(JSC::Arguments::defineOwnProperty):

• runtime/ArrayPrototype.cpp:

(JSC::arrayProtoFuncSort):

• runtime/JSArray.cpp:

(JSC::JSArray::defineOwnProperty):

• runtime/JSCJSValue.cpp:

(JSC::JSValue::putToPrimitive):

• runtime/JSGenericTypedArrayViewInlines.h:

(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
(JSC::JSGenericTypedArrayView<Adaptor>::put):
(JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
(JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):

• runtime/JSObject.cpp:

(JSC::JSObject::put):
(JSC::JSObject::putDirectAccessor):
(JSC::JSObject::putDirectCustomAccessor):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::putDirectMayBeIndex):
(JSC::JSObject::defineOwnProperty):

• runtime/JSObject.h:

(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::putDirectInternal):

• runtime/JSString.cpp:

(JSC::JSString::getStringPropertyDescriptor):

• runtime/JSString.h:

(JSC::JSString::getStringPropertySlot):

• runtime/LiteralParser.cpp:

(JSC::LiteralParser<CharType>::parse):

• runtime/PropertyName.h:

(JSC::toUInt32FromCharacters):
(JSC::toUInt32FromStringImpl):
(JSC::PropertyName::asIndex):

• runtime/PropertyNameArray.cpp:

(JSC::PropertyNameArray::add):

• runtime/StringObject.cpp:

(JSC::StringObject::deleteProperty):

• runtime/Structure.cpp:

(JSC::Structure::prototypeChainMayInterceptStoreTo):

Source/WebCore:

Test: js/dfg-put-by-val-direct-with-edge-numbers.html

• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::JSDOMWindow::getOwnPropertySlot):

• bindings/js/JSHTMLAllCollectionCustom.cpp:

(WebCore::callHTMLAllCollection):
(WebCore::JSHTMLAllCollection::item):

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateGetOwnPropertySlotBody):
(GenerateImplementation):

• bindings/scripts/test/JS/JSFloat64Array.cpp:

(WebCore::JSFloat64Array::getOwnPropertySlot):
(WebCore::JSFloat64Array::getOwnPropertyDescriptor):
(WebCore::JSFloat64Array::put):

• bindings/scripts/test/JS/JSTestEventTarget.cpp:

(WebCore::JSTestEventTarget::getOwnPropertySlot):

• bridge/runtime_array.cpp:

(JSC::RuntimeArray::getOwnPropertySlot):
(JSC::RuntimeArray::put):

LayoutTests:

• js/dfg-put-by-val-direct-with-edge-numbers-expected.txt: Added.
• js/dfg-put-by-val-direct-with-edge-numbers.html: Added.
• js/script-tests/dfg-put-by-val-direct-with-edge-numbers.js: Added.

(lookupWithKey):
(lookupWithKey2):
(toStringThrowsError.toString):

• resources/js-test-pre.js:

Location:

trunk/Source/JavaScriptCore/jit

Files:

• JITOperations.cpp (modified) (2 diffs)
• Repatch.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -52 +52 @@
 #include "LegacyProfiler.h"
 #include "ObjectConstructor.h"
+#include "PropertyName.h"
 #include "Repatch.h"
 #include "RepatchBuffer.h"
@@ -481 +482 @@
 static void directPutByVal(CallFrame* callFrame, JSObject* baseObject, JSValue subscript, JSValue value)
 {
+    bool isStrictMode = callFrame->codeBlock()->isStrictMode();
     if (LIKELY(subscript.isUInt32())) {
-        uint32_t i = subscript.asUInt32();
-        baseObject->putDirectIndex(callFrame, i, value);
-    } else if (isName(subscript)) {
-        PutPropertySlot slot(baseObject, callFrame->codeBlock()->isStrictMode());
+        uint32_t index = subscript.asUInt32();
+        ASSERT_WITH_MESSAGE(index != PropertyName::NotAnIndex, "Since JSValue::isUInt32 returns true only when the boxed value is int32_t and positive, it doesn't return true for uint32_t max value that is PropertyName::NotAnIndex.");
+        baseObject->putDirectIndex(callFrame, index, value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
+        return;
+    }
+
+    if (subscript.isDouble()) {
+        double subscriptAsDouble = subscript.asDouble();
+        uint32_t subscriptAsUInt32 = static_cast<uint32_t>(subscriptAsDouble);
+        if (subscriptAsDouble == subscriptAsUInt32 && subscriptAsUInt32 != PropertyName::NotAnIndex) {
+            baseObject->putDirectIndex(callFrame, subscriptAsUInt32, value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
+            return;
+        }
+    }
+
+    if (isName(subscript)) {
+        PutPropertySlot slot(baseObject, isStrictMode);
         baseObject->putDirect(callFrame->vm(), jsCast<NameInstance*>(subscript.asCell())->privateName(), value, slot);
-    } else {
-        Identifier property = subscript.toString(callFrame)->toIdentifier(callFrame);
-        if (!callFrame->vm().exception()) { // Don't put to an object if toString threw an exception.
-            PutPropertySlot slot(baseObject, callFrame->codeBlock()->isStrictMode());
-            baseObject->putDirect(callFrame->vm(), property, value, slot);
-        }
+        return;
+    }
+
+    // Don't put to an object if toString throws an exception.
+    Identifier property = subscript.toString(callFrame)->toIdentifier(callFrame);
+    if (callFrame->vm().exception())
+        return;
+
+    PropertyName propertyName(property);
+    if (Optional<uint32_t> index = propertyName.asIndex())
+        baseObject->putDirectIndex(callFrame, index.value(), value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
+    else {
+        PutPropertySlot slot(baseObject, isStrictMode);
+        baseObject->putDirect(callFrame->vm(), propertyName, value, slot);
     }
 }

trunk/Source/JavaScriptCore/jit/Repatch.cpp

@@ -990 +990 @@
     PropertyName pname(ident);
     Structure* oldStructure = structure;
-    if (!oldStructure->isObject() || oldStructure->isDictionary() || pname.asIndex() != PropertyName::NotAnIndex)
+    if (!oldStructure->isObject() || oldStructure->isDictionary() || pname.asIndex())
         return nullptr;