Timestamp:
Nov 2, 2009, 10:49:42 PM (16 years ago)
Author:
[email protected]
Message:

REGRESSION (r48573): JSC may incorrectly cache chain lookups with a dictionary at the head of the chain
https://bugs.webkit.org/show_bug.cgi?id=31045

Reviewed by Gavin Barraclough.

Add guards to prevent caching of prototype chain lookups with dictionaries at the
head of the chain. Also add a few tighter assertions to cached prototype lookups
to catch this in future.

File:
1 edited

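--- a/trunk/JavaScriptCore/interpreter/Interpreter.cpp
+++ b/trunk/JavaScriptCore/interpreter/Interpreter.cpp
@@ -1030,4 +1030,9 @@
     }
 
+    if (structure->isDictionary()) {
+        vPC[0] = getOpcode(op_get_by_id_generic);
+        return;
+    }
+
     if (slot.slotBase() == structure->prototypeForLookup(callFrame)) {
         ASSERT(slot.slotBase().isObject());
@@ -1039,4 +1044,6 @@
         if (baseObject->structure()->isDictionary())
             baseObject->setStructure(Structure::fromDictionaryTransition(baseObject->structure()));
+
+        ASSERT(!baseObject->structure()->isUncacheableDictionary());
 
         vPC[0] = getOpcode(op_get_by_id_proto);
@@ -2135,4 +2142,5 @@
 
                     ASSERT(protoObject->get(callFrame, callFrame->codeBlock()->identifier(vPC[3].u.operand)) == protoObject->getDirectOffset(offset));
+                    ASSERT(baseValue.get(callFrame, callFrame->codeBlock()->identifier(vPC[3].u.operand)) == protoObject->getDirectOffset(offset));
                     callFrame->r(dst) = JSValue(protoObject->getDirectOffset(offset));
 
@@ -2190,4 +2198,5 @@
 
                         ASSERT(baseObject->get(callFrame, callFrame->codeBlock()->identifier(vPC[3].u.operand)) == baseObject->getDirectOffset(offset));
+                        ASSERT(baseValue.get(callFrame, callFrame->codeBlock()->identifier(vPC[3].u.operand)) == baseObject->getDirectOffset(offset));
                         callFrame->r(dst) = JSValue(baseObject->getDirectOffset(offset));
 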
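Review bot: The new guard at line 1032 falls back to op_get_by_id_generic without saying why a dictionary structure at the head of the chain must never be cached, and that reason is the whole fix; without it the next reader may "improve" it into the same fromDictionaryTransition() applied to baseObject at 1039–1040 and reintroduce the regression. I would put the rationale on the guard, e.g. `// A dictionary structure can change shape without a transition, so a proto/chain lookup cached against it would later read a stale offset from the wrong slot; stay on the generic path.` — the wording is inferred from the commit message rather than the visible lines, so confirm it matches the actual invariant. The new ASSERTs at 2144 and 2200 compare against baseValue rather than the prototype, which is the stronger check, but they exist only in debug builds, so the guard at 1032 is presumably what protects release builds and the comment should say so. The enclosing functions begin and end outside this section.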