Timestamp:
Sep 16, 2020, 3:04:34 PM (5 years ago)
Author:
[email protected]
Message:

Don't IC a null custom accessor/value setter
https://bugs.webkit.org/show_bug.cgi?id=216620
<rdar://problem/68976066>

Reviewed by Mark Lam.

JSTests:

  • stress/dont-ic-null-custom-setter.js: Added.

Source/JavaScriptCore:

Our runtime allows a CustomGetterSetter object's setter field to not contain an
actual C function to call. In such a scenario, the runtime just does nothing
except return false to the ::put code (which may result in throwing an
exception in strict mode code).

However, our IC code never considered whether this function could be nullptr.
The fix here is simple: don't IC such custom accessor/value setters.

  • runtime/PutPropertySlot.h:

(JSC::PutPropertySlot::isCacheableCustom const):

File:
1 edited

  • trunk/Source/JavaScriptCore/runtime/PutPropertySlot.h

    r261464 r267163  
    113113    bool isCacheablePut() const { return isCacheable() && (m_type == NewProperty || m_type == ExistingProperty); }
    114114    bool isCacheableSetter() const { return isCacheable() && m_type == SetterProperty; }
    115     bool isCacheableCustom() const { return isCacheable() && (m_type == CustomValue || m_type == CustomAccessor); }
     115    bool isCacheableCustom() const { return isCacheable() && (m_type == CustomValue || m_type == CustomAccessor) && !!m_putFunction; }
    116116    bool isCustomAccessor() const { return isCacheable() && m_type == CustomAccessor; }
    117117    bool isInitialization() const { return m_isInitialization; }
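Review bot: isCustomAccessor() at line 116 still returns true when m_putFunction is null, so the new `!!m_putFunction` guard in isCacheableCustom() only closes the null case for callers that consult isCacheableCustom() first; please confirm that the IC code never selects the custom-accessor path from isCustomAccessor() alone, or add the same guard there. A one-line comment next to `&& !!m_putFunction` noting that a null setter is legal (the runtime treats it as a no-op put that returns false) and therefore must not be cached would make the intent clear to the next reader, since nothing in the hunk itself explains why a null function is a valid state rather than a bug.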