Changeset 178894 in webkit for trunk/Source/JavaScriptCore/runtime/JSObject.cpp

Timestamp:

Jan 22, 2015, 12:54:52 AM (10 years ago)

Author:

Yusuke Suzuki

Message:

put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
​https://bugs.webkit.org/show_bug.cgi?id=140426

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

In the put_by_val_direct operation, we use JSObject::putDirect.
However, it only accepts non-index property. For index property, we need to use JSObject::putDirectIndex.
This patch changes Identifier::asIndex() to return Optional<uint32_t>.
It forces callers to check the value is index or not explicitly.
Additionally, it checks toString-ed Identifier is index or not to choose putDirect / putDirectIndex.

• bytecode/GetByIdStatus.cpp:

(JSC::GetByIdStatus::computeFor):

• bytecode/PutByIdStatus.cpp:

(JSC::PutByIdStatus::computeFor):

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitDirectPutById):

• dfg/DFGOperations.cpp:

(JSC::DFG::operationPutByValInternal):

• jit/JITOperations.cpp:
• jit/Repatch.cpp:

(JSC::emitPutTransitionStubAndGetOldStructure):

• jsc.cpp:
• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• runtime/Arguments.cpp:

(JSC::Arguments::getOwnPropertySlot):
(JSC::Arguments::put):
(JSC::Arguments::deleteProperty):
(JSC::Arguments::defineOwnProperty):

• runtime/ArrayPrototype.cpp:

(JSC::arrayProtoFuncSort):

• runtime/JSArray.cpp:

(JSC::JSArray::defineOwnProperty):

• runtime/JSCJSValue.cpp:

(JSC::JSValue::putToPrimitive):

• runtime/JSGenericTypedArrayViewInlines.h:

(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
(JSC::JSGenericTypedArrayView<Adaptor>::put):
(JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
(JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):

• runtime/JSObject.cpp:

(JSC::JSObject::put):
(JSC::JSObject::putDirectAccessor):
(JSC::JSObject::putDirectCustomAccessor):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::putDirectMayBeIndex):
(JSC::JSObject::defineOwnProperty):

• runtime/JSObject.h:

(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::putDirectInternal):

• runtime/JSString.cpp:

(JSC::JSString::getStringPropertyDescriptor):

• runtime/JSString.h:

(JSC::JSString::getStringPropertySlot):

• runtime/LiteralParser.cpp:

(JSC::LiteralParser<CharType>::parse):

• runtime/PropertyName.h:

(JSC::toUInt32FromCharacters):
(JSC::toUInt32FromStringImpl):
(JSC::PropertyName::asIndex):

• runtime/PropertyNameArray.cpp:

(JSC::PropertyNameArray::add):

• runtime/StringObject.cpp:

(JSC::StringObject::deleteProperty):

• runtime/Structure.cpp:

(JSC::Structure::prototypeChainMayInterceptStoreTo):

Source/WebCore:

Test: js/dfg-put-by-val-direct-with-edge-numbers.html

• bindings/js/JSDOMWindowCustom.cpp:

(WebCore::JSDOMWindow::getOwnPropertySlot):

• bindings/js/JSHTMLAllCollectionCustom.cpp:

(WebCore::callHTMLAllCollection):
(WebCore::JSHTMLAllCollection::item):

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateGetOwnPropertySlotBody):
(GenerateImplementation):

• bindings/scripts/test/JS/JSFloat64Array.cpp:

(WebCore::JSFloat64Array::getOwnPropertySlot):
(WebCore::JSFloat64Array::getOwnPropertyDescriptor):
(WebCore::JSFloat64Array::put):

• bindings/scripts/test/JS/JSTestEventTarget.cpp:

(WebCore::JSTestEventTarget::getOwnPropertySlot):

• bridge/runtime_array.cpp:

(JSC::RuntimeArray::getOwnPropertySlot):
(JSC::RuntimeArray::put):

LayoutTests:

• js/dfg-put-by-val-direct-with-edge-numbers-expected.txt: Added.
• js/dfg-put-by-val-direct-with-edge-numbers.html: Added.
• js/script-tests/dfg-put-by-val-direct-with-edge-numbers.js: Added.

(lookupWithKey):
(dfgShouldThrow):
(lookupWithKey2):
(toStringThrowsError.toString):

File:

• trunk/Source/JavaScriptCore/runtime/JSObject.cpp (modified) (7 diffs)

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -340 +340 @@
     // Try indexed put first. This is required for correctness, since loads on property names that appear like
     // valid indices will never look in the named property storage.
-    unsigned i = propertyName.asIndex();
-    if (i != PropertyName::NotAnIndex) {
-        putByIndex(thisObject, exec, i, value, slot.isStrictMode());
+    if (Optional<uint32_t> index = propertyName.asIndex()) {
+        putByIndex(thisObject, exec, index.value(), value, slot.isStrictMode());
         return;
     }
@@ -1199 +1198 @@
     ASSERT(value.isGetterSetter() && (attributes & Accessor));
 
-    unsigned index = propertyName.asIndex();
-    if (index != PropertyName::NotAnIndex) {
-        putDirectIndex(exec, index, value, attributes, PutDirectIndexLikePutDirect);
+    if (Optional<uint32_t> index = propertyName.asIndex()) {
+        putDirectIndex(exec, index.value(), value, attributes, PutDirectIndexLikePutDirect);
         return;
     }
@@ -1210 +1208 @@
 void JSObject::putDirectCustomAccessor(VM& vm, PropertyName propertyName, JSValue value, unsigned attributes)
 {
-    ASSERT(propertyName.asIndex() == PropertyName::NotAnIndex);
+    ASSERT(!propertyName.asIndex());
 
     PutPropertySlot slot(this);
@@ -1258 +1256 @@
     JSObject* thisObject = jsCast<JSObject*>(cell);
     
-    unsigned i = propertyName.asIndex();
-    if (i != PropertyName::NotAnIndex)
-        return thisObject->methodTable(exec->vm())->deletePropertyByIndex(thisObject, exec, i);
+    if (Optional<uint32_t> index = propertyName.asIndex())
+        return thisObject->methodTable(exec->vm())->deletePropertyByIndex(thisObject, exec, index.value());
 
     if (!thisObject->staticFunctionsReified())
@@ -2503 +2500 @@
 void JSObject::putDirectMayBeIndex(ExecState* exec, PropertyName propertyName, JSValue value)
 {
-    unsigned asIndex = propertyName.asIndex();
-    if (asIndex == PropertyName::NotAnIndex)
+    if (Optional<uint32_t> index = propertyName.asIndex())
+        putDirectIndex(exec, index.value(), value);
+    else
         putDirect(exec->vm(), propertyName, value);
-    else
-        putDirectIndex(exec, asIndex, value);
 }
 
@@ -2660 +2656 @@
 {
     // If it's an array index, then use the indexed property storage.
-    unsigned index = propertyName.asIndex();
-    if (index != PropertyName::NotAnIndex) {
+    if (Optional<uint32_t> index = propertyName.asIndex()) {
         // c. Let succeeded be the result of calling the default [[DefineOwnProperty]] internal method (8.12.9) on A passing P, Desc, and false as arguments.
         // d. Reject if succeeded is false.
@@ -2668 +2663 @@
         // e.ii. Call the default [[DefineOwnProperty]] internal method (8.12.9) on A passing "length", oldLenDesc, and false as arguments. This call will always return true.
         // f. Return true.
-        return object->defineOwnIndexedProperty(exec, index, descriptor, throwException);
+        return object->defineOwnIndexedProperty(exec, index.value(), descriptor, throwException);
     }