Changeset 295608 in webkit for trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp

Timestamp:

Jun 16, 2022, 1:11:51 PM (3 years ago)

Author:

Alexey Shvayka

Message:

CommonSlowPaths::putDirectWithReify() is incorrect for DontDelete properties
​https://bugs.webkit.org/show_bug.cgi?id=241651
<rdar://94016559>

Reviewed by Saam Barati.

Provided the base object has no read-only / accessor / custom properties,
putDirectWithReify() is incorrect for an object with non-configurable property,
whether it's on the structure or a non-reified static none.

In that case, putDirectWithReify() ignores existing non-configurable / non-reified
descriptor and produces an incorrect property descriptor instead of throwing TypeError.
One it's observed in the wild is via an instance field [1].

The issue was due to incorrect ReadOnly-focused check for putDirect() fast path,
which would be correct for Set but not for DefineOwnProperty.

Apart from introducing tighter fast patch check, this change extracts
JSFunction::mayHaveNonReifiedPrototype() helper, cleaning up JSFunction's overrides,
and removes now unused PutModeDefineOwnPropertyIgnoringExtensibility, which apart from
ignoring extensibility, also ignored read-only / accessor / custom properties,
which felt a bit counter-intuitive.

This change carefully preserves the fast path introduced in webkit.org/b/232479.

[1]: ​https://tc39.es/ecma262/#sec-definefield

• Source/JavaScriptCore/runtime/CommonSlowPaths.h:

(JSC::CommonSlowPaths::originalStructureBeforePut):
(JSC::CommonSlowPaths::canPutDirectFast):
(JSC::CommonSlowPaths::putDirectWithReify):
(JSC::CommonSlowPaths::putDirectAccessorWithReify):

• Source/JavaScriptCore/runtime/JSFunction.cpp:

(JSC::JSFunction::getOwnPropertySlot):
(JSC::JSFunction::put):
(JSC::JSFunction::deleteProperty):
(JSC::JSFunction::defineOwnProperty):
(JSC::JSFunction::reifyLazyPropertyIfNeeded):
(JSC::JSFunction::reifyLazyPrototypeIfNeeded):

• Source/JavaScriptCore/runtime/JSFunction.h:
• Source/JavaScriptCore/runtime/JSFunctionInlines.h:

(JSC::JSFunction::mayHaveNonReifiedPrototype):

• Source/JavaScriptCore/runtime/JSObject.cpp:

(JSC::JSObject::putDirectCustomAccessor):
(JSC::JSObject::putDirectNonIndexAccessor):

• Source/JavaScriptCore/runtime/JSObject.h:

(JSC::JSObject::putDirect):
(JSC::JSObject::putDirectRespectingExtensibility): Deleted.

• Source/JavaScriptCore/runtime/JSObjectInlines.h:

(JSC::JSObject::putDirectInternal):

• Source/JavaScriptCore/tools/JSDollarVM.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):
(JSC::JSDollarVM::finishCreation):

Canonical link: ​https://commits.webkit.org/251613@main

File:

• trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp (modified) (5 diffs)

trunk/Source/JavaScriptCore/tools/JSDollarVM.cpp

@@ -888 +888 @@
 };
 
+static JSC_DECLARE_HOST_FUNCTION(staticDontDeleteDontEnumMethod);
+
+class StaticDontDeleteDontEnum : public JSNonFinalObject {
+public:
+    using Base = JSNonFinalObject;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | HasStaticPropertyTable;
+
+    StaticDontDeleteDontEnum(VM& vm, Structure* structure)
+        : Base(vm, structure)
+    {
+        DollarVMAssertScope assertScope;
+    }
+
+    DECLARE_INFO;
+
+    template<typename CellType, SubspaceAccess>
+    static CompleteSubspace* subspaceFor(VM& vm)
+    {
+        return &vm.cellSpace();
+    }
+
+    static Structure* createStructure(VM& vm, JSGlobalObject* globalObject, JSValue prototype)
+    {
+        DollarVMAssertScope assertScope;
+        return Structure::create(vm, globalObject, prototype, TypeInfo(ObjectType, StructureFlags), info());
+    }
+
+    static StaticDontDeleteDontEnum* create(VM& vm, Structure* structure)
+    {
+        DollarVMAssertScope assertScope;
+        StaticDontDeleteDontEnum* result = new (NotNull, allocateCell<StaticDontDeleteDontEnum>(vm)) StaticDontDeleteDontEnum(vm, structure);
+        result->finishCreation(vm);
+        return result;
+    }
+};
+
+JSC_DEFINE_HOST_FUNCTION(staticDontDeleteDontEnumMethod, (JSGlobalObject*, CallFrame*))
+{
+    DollarVMAssertScope assertScope;
+    return encodedJSUndefined();
+}
+
+static const struct CompactHashIndex staticDontDeleteDontEnumTableIndex[8] = {
+    { 0, -1 },
+    { 1, -1 },
+    { -1, -1 },
+    { -1, -1 },
+    { -1, -1 },
+    { 2, -1 },
+    { -1, -1 },
+    { -1, -1 },
+};
+
+static const struct HashTableValue staticDontDeleteDontEnumTableValues[3] = {
+   { "dontEnum"_s, static_cast<unsigned>(PropertyAttribute::Function|PropertyAttribute::DontEnum), NoIntrinsic, { (intptr_t)static_cast<RawNativeFunction>(staticDontDeleteDontEnumMethod), (intptr_t)(0) } },
+   { "dontDelete"_s, static_cast<unsigned>(PropertyAttribute::Function|PropertyAttribute::DontDelete), NoIntrinsic, { (intptr_t)static_cast<RawNativeFunction>(staticDontDeleteDontEnumMethod), (intptr_t)(0) } },
+   { "dontDeleteDontEnum"_s, static_cast<unsigned>(PropertyAttribute::Function|PropertyAttribute::DontDelete|PropertyAttribute::DontEnum), NoIntrinsic, { (intptr_t)static_cast<RawNativeFunction>(staticDontDeleteDontEnumMethod), (intptr_t)(0) } },
+};
+
+static const struct HashTable staticDontDeleteDontEnumTable =
+    { 3, 7, false, nullptr, staticDontDeleteDontEnumTableValues, staticDontDeleteDontEnumTableIndex };
+
 class ObjectDoingSideEffectPutWithoutCorrectSlotStatus : public JSNonFinalObject {
     using Base = JSNonFinalObject;
@@ -1804 +1866 @@
 const ClassInfo StaticCustomAccessor::s_info = { "StaticCustomAccessor"_s, &Base::s_info, &staticCustomAccessorTable, nullptr, CREATE_METHOD_TABLE(StaticCustomAccessor) };
 const ClassInfo StaticCustomValue::s_info = { "StaticCustomValue"_s, &Base::s_info, &staticCustomValueTable, nullptr, CREATE_METHOD_TABLE(StaticCustomValue) };
+const ClassInfo StaticDontDeleteDontEnum::s_info = { "StaticDontDeleteDontEnum"_s, &Base::s_info, &staticDontDeleteDontEnumTable, nullptr, CREATE_METHOD_TABLE(StaticDontDeleteDontEnum) };
 const ClassInfo ObjectDoingSideEffectPutWithoutCorrectSlotStatus::s_info = { "ObjectDoingSideEffectPutWithoutCorrectSlotStatus"_s, &Base::s_info, &staticCustomAccessorTable, nullptr, CREATE_METHOD_TABLE(ObjectDoingSideEffectPutWithoutCorrectSlotStatus) };
 
@@ -2080 +2143 @@
 static JSC_DECLARE_HOST_FUNCTION(functionCreateStaticCustomAccessor);
 static JSC_DECLARE_HOST_FUNCTION(functionCreateStaticCustomValue);
+static JSC_DECLARE_HOST_FUNCTION(functionCreateStaticDontDeleteDontEnum);
 static JSC_DECLARE_HOST_FUNCTION(functionCreateObjectDoingSideEffectPutWithoutCorrectSlotStatus);
 static JSC_DECLARE_HOST_FUNCTION(functionCreateEmptyFunctionWithName);
@@ -3082 +3146 @@
 }
 
+JSC_DEFINE_HOST_FUNCTION(functionCreateStaticDontDeleteDontEnum, (JSGlobalObject* globalObject, CallFrame*))
+{
+    DollarVMAssertScope assertScope;
+    VM& vm = globalObject->vm();
+    JSLockHolder lock(vm);
+    Structure* structure = StaticDontDeleteDontEnum::createStructure(vm, globalObject, jsNull());
+    auto* result = StaticDontDeleteDontEnum::create(vm, structure);
+    return JSValue::encode(result);
+}
+
 JSC_DEFINE_HOST_FUNCTION(functionCreateObjectDoingSideEffectPutWithoutCorrectSlotStatus, (JSGlobalObject* globalObject, CallFrame* callFrame))
 {
@@ -3928 +4002 @@
     addFunction(vm, "createStaticCustomAccessor"_s, functionCreateStaticCustomAccessor, 0);
     addFunction(vm, "createStaticCustomValue"_s, functionCreateStaticCustomValue, 0);
+    addFunction(vm, "createStaticDontDeleteDontEnum"_s, functionCreateStaticDontDeleteDontEnum, 0);
     addFunction(vm, "createObjectDoingSideEffectPutWithoutCorrectSlotStatus"_s, functionCreateObjectDoingSideEffectPutWithoutCorrectSlotStatus, 0);
     addFunction(vm, "createEmptyFunctionWithName"_s, functionCreateEmptyFunctionWithName, 1);