Changeset 39374 in webkit for trunk/JavaScriptCore/interpreter/Interpreter.cpp

Timestamp:

Dec 18, 2008, 9:45:44 AM (16 years ago)

Author:

[email protected]

Message:

JavaScriptCore:

2008-12-17 Geoffrey Garen <​[email protected]>

Reviewed by Gavin Barraclough.

Fixed ​https://bugs.webkit.org/show_bug.cgi?id=22393
Segfault when caching property accesses to primitive cells.

Changed some asObject casts to asCell casts in cases where a primitive
value may be a cell and not an object.

Re-enabled property caching for primitives in cases where it had been
disabled because of this bug.

Updated a comment to better explain something Darin thought needed
explaining in an old patch review.

• interpreter/Interpreter.cpp: (JSC::countPrototypeChainEntriesAndCheckForProxies): (JSC::Interpreter::tryCacheGetByID): (JSC::Interpreter::tryCTICacheGetByID): (JSC::Interpreter::cti_op_get_by_id_self_fail): (JSC::Interpreter::cti_op_get_by_id_proto_list):

LayoutTests:

2008-12-17 Geoffrey Garen <​[email protected]>

Reviewed by Gavin Barraclough.

Added a test for ​https://bugs.webkit.org/show_bug.cgi?id=22393
Segfault when caching property accesses to primitive cells.

• fast/js/primitive-property-access-edge-cases-expected.txt: Added.
• fast/js/primitive-property-access-edge-cases.html: Added.
• fast/js/resources/primitive-property-access-edge-cases.js: Added. ():

File:

• trunk/JavaScriptCore/interpreter/Interpreter.cpp (modified) (7 diffs)

trunk/JavaScriptCore/interpreter/Interpreter.cpp

@@ -1315 +1315 @@
 static size_t countPrototypeChainEntriesAndCheckForProxies(CallFrame* callFrame, JSValue* baseValue, const PropertySlot& slot)
 {
-    JSObject* o = asObject(baseValue);
+    JSCell* cell = asCell(baseValue);
     size_t count = 0;
 
-    while (slot.slotBase() != o) {
-        JSValue* v = o->structure()->prototypeForLookup(callFrame);
+    while (slot.slotBase() != cell) {
+        JSValue* v = cell->structure()->prototypeForLookup(callFrame);
 
         // If we didn't find slotBase in baseValue's prototype chain, then baseValue
@@ -1327 +1327 @@
             return 0;
 
-        o = asObject(v);
-
-        // Heavy access to a prototype is a good indication that it's not being
-        // used as a dictionary.
-        if (o->structure()->isDictionary()) {
-            RefPtr<Structure> transition = Structure::fromDictionaryTransition(o->structure());
-            o->setStructure(transition.release());
-            asObject(baseValue)->structure()->setCachedPrototypeChain(0);
+        cell = asCell(v);
+
+        // Since we're accessing a prototype in a loop, it's a good bet that it
+        // should not be treated as a dictionary.
+        if (cell->structure()->isDictionary()) {
+            RefPtr<Structure> transition = Structure::fromDictionaryTransition(cell->structure());
+            asObject(cell)->setStructure(transition.release());
+            cell->structure()->setCachedPrototypeChain(0);
         }
 
@@ -1408 +1408 @@
         JSObject* baseObject = asObject(slot.slotBase());
 
-        // Heavy access to a prototype is a good indication that it's not being
-        // used as a dictionary.
+        // Since we're accessing a prototype in a loop, it's a good bet that it
+        // should not be treated as a dictionary.
         if (baseObject->structure()->isDictionary()) {
             RefPtr<Structure> transition = Structure::fromDictionaryTransition(baseObject->structure());
@@ -4179 +4179 @@
         JSObject* slotBaseObject = asObject(slot.slotBase());
 
-        // Heavy access to a prototype is a good indication that it's not being
-        // used as a dictionary.
+        // Since we're accessing a prototype in a loop, it's a good bet that it
+        // should not be treated as a dictionary.
         if (slotBaseObject->structure()->isDictionary()) {
             RefPtr<Structure> transition = Structure::fromDictionaryTransition(slotBaseObject->structure());
             slotBaseObject->setStructure(transition.release());
-            asObject(baseValue)->structure()->setCachedPrototypeChain(0);
+            asCell(baseValue)->structure()->setCachedPrototypeChain(0);
         }
         
@@ -4555 +4555 @@
     CHECK_FOR_EXCEPTION();
 
-    if (baseValue->isObject()
+    if (!JSImmediate::isImmediate(baseValue)
         && slot.isCacheable()
         && !asCell(baseValue)->structure()->isDictionary()
@@ -4629 +4629 @@
     CHECK_FOR_EXCEPTION();
 
-    if (!baseValue->isObject() || !slot.isCacheable() || asCell(baseValue)->structure()->isDictionary()) {
+    if (JSImmediate::isImmediate(baseValue) || !slot.isCacheable() || asCell(baseValue)->structure()->isDictionary()) {
         ctiRepatchCallByReturnAddress(CTI_RETURN_ADDRESS, reinterpret_cast<void*>(cti_op_get_by_id_proto_fail));
         return result;
@@ -4644 +4644 @@
         ctiRepatchCallByReturnAddress(CTI_RETURN_ADDRESS, reinterpret_cast<void*>(cti_op_get_by_id_proto_fail));
     else if (slot.slotBase() == asCell(baseValue)->structure()->prototypeForLookup(callFrame)) {
-        // Heavy access to a prototype is a good indication that it's not being
-        // used as a dictionary.
+        // Since we're accessing a prototype in a loop, it's a good bet that it
+        // should not be treated as a dictionary.
         if (slotBaseObject->structure()->isDictionary()) {
             RefPtr<Structure> transition = Structure::fromDictionaryTransition(slotBaseObject->structure());
             slotBaseObject->setStructure(transition.release());
-            asObject(baseValue)->structure()->setCachedPrototypeChain(0);
+            asCell(baseValue)->structure()->setCachedPrototypeChain(0);
         }