Changeset 44171 in webkit for trunk/JavaScriptCore/jit/JITStubs.cpp

Timestamp:

May 26, 2009, 7:47:35 PM (16 years ago)

Author:

[email protected]

Message:

2009-05-26 Gavin Barraclough <​[email protected]>

Reviewed by Oliver Hunt.

Fix for: <rdar://problem/6918095> REGRESSION: jQuery load() issue (25981),
and also an ASSERT failure on ​http://ihasahotdog.com/.

When overwriting a property on a dictionary with a cached specific value,
clear the cache if new value being written is different.

• JavaScriptCore.exp:

Export the new symbols.

• jit/JITStubs.cpp: (JSC::JITStubs::cti_op_get_by_id_method_check_second):

Close dictionary prototypes upon caching a method access, as would happen when caching
a regular get_by_id.

• runtime/JSObject.h: (JSC::JSObject::propertyStorage): (JSC::JSObject::locationForOffset):

Make these methods private.

(JSC::JSObject::putDirectInternal):

When overwriting a property on a dictionary with a cached specific value,
clear the cache if new value being written is different.

• runtime/Structure.cpp: (JSC::Structure::despecifyDictionaryFunction):

Reset the specific value field for a given property in a dictionary.

(JSC::Structure::despecifyFunctionTransition):

Rename of 'changeFunctionTransition' (this was already internally refered to as a despecification).

• runtime/Structure.h:

Declare new method.

File:

• trunk/JavaScriptCore/jit/JITStubs.cpp (modified) (2 diffs)

trunk/JavaScriptCore/jit/JITStubs.cpp

@@ -733 +733 @@
     Structure* structure;
     JSCell* specific;
+    JSObject* slotBaseObject;
     if (baseValue.isCell()
         && slot.isCacheable()
         && !(structure = asCell(baseValue)->structure())->isDictionary()
-        && asObject(slot.slotBase())->getPropertySpecificValue(callFrame, ident, specific)
+        && (slotBaseObject = asObject(slot.slotBase()))->getPropertySpecificValue(callFrame, ident, specific)
         && specific
         ) {
 
         JSFunction* callee = (JSFunction*)specific;
+
+        // Since we're accessing a prototype in a loop, it's a good bet that it
+        // should not be treated as a dictionary.
+        if (slotBaseObject->structure()->isDictionary())
+            slotBaseObject->setStructure(Structure::fromDictionaryTransition(slotBaseObject->structure()));
 
         // The result fetched should always be the callee!
@@ -748 +754 @@
         // Check to see if the function is on the object's prototype.  Patch up the code to optimize.
         if (slot.slotBase() == structure->prototypeForLookup(callFrame))
-            JIT::patchMethodCallProto(methodCallLinkInfo, callee, structure, asObject(slot.slotBase()));
+            JIT::patchMethodCallProto(methodCallLinkInfo, callee, structure, slotBaseObject);
         // Check to see if the function is on the object itself.
         // Since we generate the method-check to check both the structure and a prototype-structure (since this