Changeset 255365 in webkit for trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp

Timestamp:

Jan 29, 2020, 10:07:40 AM (5 years ago)

Author:

[email protected]

Message:

[JSC] Give up IC when unknown structure transition happens
​https://bugs.webkit.org/show_bug.cgi?id=206846

Reviewed by Mark Lam.

JSTests:

• stress/ensure-crash.js: Added.
• stress/incorrect-put-could-generate-invalid-ic-but-still-not-causing-bad-behavior-bad-transition-debug.js: Added.

(shouldBe):
(putter):
(not_string.toString):

• stress/incorrect-put-could-generate-invalid-ic-but-still-not-causing-bad-behavior-bad-transition.js: Added.

(shouldBe):
(putter):
(not_string.toString):

• stress/incorrect-put-could-generate-invalid-ic-but-still-not-causing-bad-behavior.js: Added.

(shouldBe):
(putter):
(not_string.toString):

• stress/incorrect-put-could-generate-invalid-ic-involving-dictionary-flatten.js: Added.

(shouldBe):
(dictionary):
(putter):
(not_string.toString):

Source/JavaScriptCore:

When we are creating Put IC for a new property, we grab the old Structure before performing
the put. For a custom ::put, our convention is that the implemented ::put should mark the PutPropertySlot
as non-cachable. The IC code relies on this in order to work correctly. If we didn't mark it as non-cacheable,
a semantic failure can happen. This patch hardens the code against this semantic failure case by giving up trying
to cache the IC when the newStructure calculated from oldStructure does not match against
the actual structure after the put operation.

• jit/Repatch.cpp:

(JSC::tryCachePutByID):
(JSC::repatchPutByID):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• runtime/Structure.cpp:

(JSC::Structure::flattenDictionaryStructure):

• tools/JSDollarVM.cpp:

(JSC::functionCreateObjectDoingSideEffectPutWithoutCorrectSlotStatus):
(JSC::JSDollarVM::finishCreation):
(JSC::JSDollarVM::visitChildren):

• tools/JSDollarVM.h:

Source/WebCore:

IDL Code Generator should taint PutPropertySlot or taint implemented object to avoid Put IC caching
when it implements custom ::put operation which has side-effect regardless of Structure. Otherwise, IC can be setup
and IC can do fast path without consulting the custom ::put operation.

Test: js/dom/put-override-should-not-use-ic.html

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateHeader):

• bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.h:
• bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.h:
• bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.h:
• bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.h:
• bindings/scripts/test/JS/JSTestNamedSetterThrowingException.h:
• bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.h:
• bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.h:
• bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.h:
• bindings/scripts/test/JS/JSTestNamedSetterWithOverrideBuiltins.h:
• bindings/scripts/test/JS/JSTestNamedSetterWithUnforgableProperties.h:
• bindings/scripts/test/JS/JSTestNamedSetterWithUnforgablePropertiesAndOverrideBuiltins.h:
• bindings/scripts/test/JS/JSTestPluginInterface.h:

Tools:

Add crash! annotation, which allows us to write a crashing JS test.

• Scripts/run-jsc-stress-tests:
• Scripts/webkitruby/jsc-stress-test-writer-default.rb:
• Scripts/webkitruby/jsc-stress-test-writer-playstation.rb:
• Scripts/webkitruby/jsc-stress-test-writer-ruby.rb:

LayoutTests:

• js/dom/put-override-should-not-use-ic-expected.txt: Added.
• js/dom/put-override-should-not-use-ic.html: Added.

File:

• trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp (modified) (6 diffs)

trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp

@@ -683 +683 @@
 };
 
+class ObjectDoingSideEffectPutWithoutCorrectSlotStatus : public JSNonFinalObject {
+    using Base = JSNonFinalObject;
+public:
+    ObjectDoingSideEffectPutWithoutCorrectSlotStatus(VM& vm, Structure* structure)
+        : Base(vm, structure)
+    {
+        DollarVMAssertScope assertScope;
+    }
+
+    DECLARE_INFO;
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        DollarVMAssertScope assertScope;
+        return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
+    }
+
+    static ObjectDoingSideEffectPutWithoutCorrectSlotStatus* create(VM& vm, Structure* structure)
+    {
+        DollarVMAssertScope assertScope;
+        ObjectDoingSideEffectPutWithoutCorrectSlotStatus* accessor = new (NotNull, allocateCell<ObjectDoingSideEffectPutWithoutCorrectSlotStatus>(vm.heap)) ObjectDoingSideEffectPutWithoutCorrectSlotStatus(vm, structure);
+        accessor->finishCreation(vm);
+        return accessor;
+    }
+
+    static bool put(JSCell* cell, JSGlobalObject* globalObject, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
+    {
+        DollarVMAssertScope assertScope;
+        auto* thisObject = jsCast<ObjectDoingSideEffectPutWithoutCorrectSlotStatus*>(cell);
+        auto throwScope = DECLARE_THROW_SCOPE(globalObject->vm());
+        auto* string = value.toString(globalObject);
+        RETURN_IF_EXCEPTION(throwScope, false);
+        RELEASE_AND_RETURN(throwScope, Base::put(thisObject, globalObject, propertyName, string, slot));
+    }
+};
+
 class DOMJITNode : public JSNonFinalObject {
 public:
@@ -1306 +1342 @@
 
 const ClassInfo StaticCustomAccessor::s_info = { "StaticCustomAccessor", &Base::s_info, &staticCustomAccessorTable, nullptr, CREATE_METHOD_TABLE(StaticCustomAccessor) };
+const ClassInfo ObjectDoingSideEffectPutWithoutCorrectSlotStatus::s_info = { "ObjectDoingSideEffectPutWithoutCorrectSlotStatus", &Base::s_info, &staticCustomAccessorTable, nullptr, CREATE_METHOD_TABLE(ObjectDoingSideEffectPutWithoutCorrectSlotStatus) };
 
 ElementHandleOwner* Element::handleOwner()
@@ -2257 +2294 @@
 }
 
+static EncodedJSValue JSC_HOST_CALL functionCreateObjectDoingSideEffectPutWithoutCorrectSlotStatus(JSGlobalObject* globalObject, CallFrame* callFrame)
+{
+    DollarVMAssertScope assertScope;
+    VM& vm = globalObject->vm();
+    JSLockHolder lock(vm);
+
+    auto* dollarVM = jsDynamicCast<JSDollarVM*>(vm, callFrame->thisValue());
+    RELEASE_ASSERT(dollarVM);
+    auto* result = ObjectDoingSideEffectPutWithoutCorrectSlotStatus::create(vm, dollarVM->objectDoingSideEffectPutWithoutCorrectSlotStatusStructure());
+    return JSValue::encode(result);
+}
+
 static EncodedJSValue JSC_HOST_CALL functionSetImpureGetterDelegate(JSGlobalObject* globalObject, CallFrame* callFrame)
 {
@@ -2801 +2850 @@
 #endif
     addFunction(vm, "createStaticCustomAccessor", functionCreateStaticCustomAccessor, 0);
+    addFunction(vm, "createObjectDoingSideEffectPutWithoutCorrectSlotStatus", functionCreateObjectDoingSideEffectPutWithoutCorrectSlotStatus, 0);
     addFunction(vm, "getPrivateProperty", functionGetPrivateProperty, 2);
     addFunction(vm, "setImpureGetterDelegate", functionSetImpureGetterDelegate, 2);
@@ -2847 +2897 @@
     addFunction(vm, "isWasmSupported", functionIsWasmSupported, 0);
     addFunction(vm, "make16BitStringIfPossible", functionMake16BitStringIfPossible, 1);
+
+    m_objectDoingSideEffectPutWithoutCorrectSlotStatusStructure.set(vm, this, ObjectDoingSideEffectPutWithoutCorrectSlotStatus::createStructure(vm, globalObject, jsNull()));
 }
 
@@ -2863 +2915 @@
 }
 
+void JSDollarVM::visitChildren(JSCell* cell, SlotVisitor& visitor)
+{
+    JSDollarVM* thisObject = jsCast<JSDollarVM*>(cell);
+    Base::visitChildren(thisObject, visitor);
+    visitor.append(thisObject->m_objectDoingSideEffectPutWithoutCorrectSlotStatusStructure);
+}
+
 } // namespace JSC