Changeset 224416 in webkit for trunk/Source/JavaScriptCore/runtime/Lookup.h

Timestamp:

Nov 3, 2017, 12:57:01 PM (8 years ago)

Author:

[email protected]

Message:

PutProperytSlot should inform the IC about the property before effects.
​https://bugs.webkit.org/show_bug.cgi?id=179262

Reviewed by Mark Lam.

This patch fixes an issue where we choose to cache setters based on
incorrect information. If we did so we might end up OSR exiting
more than we would otherwise need to. The new model is that the
PutPropertySlot should inform the IC of what the property looked
like before any potential side effects might have occurred.

• runtime/JSObject.cpp:

(JSC::JSObject::putInlineSlow):

• runtime/Lookup.h:

(JSC::putEntry):

File:

• trunk/Source/JavaScriptCore/runtime/Lookup.h (modified) (1 diff)

trunk/Source/JavaScriptCore/runtime/Lookup.h

@@ -290 +290 @@
         bool isAccessor = entry->attributes() & PropertyAttribute::CustomAccessor;
         JSValue updateThisValue = entry->attributes() & PropertyAttribute::CustomAccessor ? slot.thisValue() : JSValue(base);
-        bool result = callCustomSetter(exec, entry->propertyPutter(), isAccessor, updateThisValue, value);
-        RETURN_IF_EXCEPTION(scope, false);
+        // We need to make sure that we decide to cache this property before we potentially execute aribitrary JS.
         if (isAccessor)
             slot.setCustomAccessor(base, entry->propertyPutter());
         else
             slot.setCustomValue(base, entry->propertyPutter());
+
+        bool result = callCustomSetter(exec, entry->propertyPutter(), isAccessor, updateThisValue, value);
+        RETURN_IF_EXCEPTION(scope, false);
         return result;
     }