Changeset 218203 in webkit for trunk/Source/JavaScriptCore/bytecode/PropertyCondition.cpp

Timestamp:

Jun 13, 2017, 2:52:04 PM (8 years ago)

Author:

[email protected]

Message:

DFG doesn't properly handle a property that is change to read only in a prototype
​https://bugs.webkit.org/show_bug.cgi?id=173321

Reviewed by Filip Pizlo.

JSTests:

• ChakraCore.yaml: Renabled fieldopts/objtypespec-newobj-invalidation.1.js.
• stress/regress-173321.js: Added new regression test.

(shouldBe):
(SimpleObject):
(test):

Source/JavaScriptCore:

We need to check for ReadOnly as well as a not being a Setter when checking
an AbsenceOfSetter.

• bytecode/PropertyCondition.cpp:

(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):

File:

• trunk/Source/JavaScriptCore/bytecode/PropertyCondition.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/bytecode/PropertyCondition.cpp

@@ -135 +135 @@
         PropertyOffset currentOffset = structure->getConcurrently(uid(), currentAttributes);
         if (currentOffset != invalidOffset) {
-            if (currentAttributes & (Accessor | CustomAccessor)) {
+            // FIXME: Given the addition of the check for ReadOnly attributes, we should refactor
+            // instances of AbsenceOfSetter.
+            // https://bugs.webkit.org/show_bug.cgi?id=173322 - Refactor AbsenceOfSetter to something like AbsenceOfSetEffects
+            if (currentAttributes & (ReadOnly | Accessor | CustomAccessor)) {
                 if (verbose) {
                     dataLog(