Changeset 268656 in webkit for trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

Timestamp:

Oct 18, 2020, 6:24:38 AM (5 years ago)

Author:

Caio Lima

Message:

[ESNext][JIT] Add support for UntypedUse on PutPrivateName's base operand
​https://bugs.webkit.org/show_bug.cgi?id=217373

Reviewed by Yusuke Suzuki.

JSTests:

• stress/get-private-name-with-primitive.js: Added.
• stress/put-private-name-untyped-use.js: Added.
• stress/put-private-name-with-primitive.js: Added.

Source/JavaScriptCore:

This patch is adding UntypedUse for PutPrivateName's base operand to
avoid a OSR when we have a non-cell base.
Also, it is fixing a bug on private field operations get_private_name and
put_private_name to call ToObject on base to properly support
class fields spec text[1][2].

[1] - ​https://tc39.es/proposal-class-fields/#sec-getvalue
[2] - ​https://tc39.es/proposal-class-fields/#sec-putvalue

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compilePutPrivateName):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateName):

• jit/JITOperations.cpp:

(JSC::setPrivateField):
(JSC::definePrivateField):
(JSC::JSC_DEFINE_JIT_OPERATION):
(JSC::getPrivateName):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emit_op_put_private_name):

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::emit_op_put_private_name):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• runtime/CommonSlowPaths.cpp:

Previous implementation was wrongly considering that base was always
an object, causing segmentation fault when base was not an object.
We changed this to handle cases when base is not and object, following
what spec text specifies.

File:

• trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp (modified) (4 diffs)

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -1088 +1088 @@
     ASSERT(subscript.isSymbol());
 
-    baseValue.requireObjectCoercible(globalObject);
+    JSObject* baseObject = baseValue.toObject(globalObject);
     LLINT_CHECK_EXCEPTION();
     auto property = subscript.toPropertyKey(globalObject);
@@ -1094 +1094 @@
     ASSERT(property.isPrivateName());
 
-    PropertySlot slot(baseValue, PropertySlot::InternalMethodType::GetOwnProperty);
-    asObject(baseValue)->getPrivateField(globalObject, property, slot);
+    PropertySlot slot(baseObject, PropertySlot::InternalMethodType::GetOwnProperty);
+    baseObject->getPrivateField(globalObject, property, slot);
     LLINT_CHECK_EXCEPTION();
 
-    if (!LLINT_ALWAYS_ACCESS_SLOW && slot.isCacheable() && !slot.isUnset()) {
+    if (!LLINT_ALWAYS_ACCESS_SLOW && baseValue.isCell() && slot.isCacheable() && !slot.isUnset()) {
         auto& metadata = bytecode.metadata(codeBlock);
         {
@@ -1208 +1208 @@
     JSValue value = getOperand(callFrame, bytecode.m_value);
 
+    JSObject* baseObject = baseValue.toObject(globalObject);
+    LLINT_CHECK_EXCEPTION();
+
     auto property = subscript.toPropertyKey(globalObject);
     LLINT_CHECK_EXCEPTION();
@@ -1217 +1220 @@
     // and class methods are always in strict mode
     const bool isStrictMode = true;
-    auto baseObject = asObject(baseValue);
     PutPropertySlot slot(baseObject, isStrictMode);
     if (bytecode.m_putKind.isDefine())