Title: [226102] releases/WebKitGTK/webkit-2.18/Source/_javascript_Core
Revision
226102
Author
carlo...@webkit.org
Date
2017-12-18 23:12:37 -0800 (Mon, 18 Dec 2017)

Log Message

Merge r224416 - PutPropertySlot should inform the IC about the property before effects.
https://bugs.webkit.org/show_bug.cgi?id=179262

Reviewed by Mark Lam.

This patch fixes an issue where we choose to cache setters based on
incorrect information. If we did so we might end up OSR exiting
more than we would otherwise need to. The new model is that the
PutPropertySlot should inform the IC of what the property looked
like before any potential side effects might have occurred.

* runtime/JSObject.cpp:
(JSC::JSObject::putInlineSlow):
* runtime/Lookup.h:
(JSC::putEntry):
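The situation the commit message describes, as an added example that is not part of this commit or of WebKit's own code: a JavaScript accessor whose setter changes the receiver's shape while the put is still in flight. Before the patch, JSC told the inline cache about the property after the setter had run, so the cache could be populated from the post-side-effect state (here: a data property on an object that has just lost two properties) instead of what the put site actually hit (an accessor on a three-property object). The names `makeTarget`, `describe`, `exercise` and `putSite` are hypothetical helpers for this example; nothing observable from script changes with the patch, only the caching decision does.

```javascript
// Added example, not WebKit code. Constructs an object whose setter has
// side effects on the receiver itself, so "what the property looked like
// before the setter" and "after the setter" disagree.

function makeTarget() {
  const log = [];
  const o = { a: 1, b: 2 };
  Object.defineProperty(o, 'x', {
    configurable: true,
    enumerable: true,
    get() { return this._x; },
    set(v) {
      log.push('accessor-setter');
      // Side effect 1: replace the accessor with a plain data property.
      // The "cacheable setter" that existed before this call is gone afterwards.
      Object.defineProperty(this, 'x', {
        value: v, writable: true, configurable: true, enumerable: true,
      });
      // Side effect 2: delete other properties. In JSC, deletions like this
      // can move the object into dictionary mode, which is the
      // structure()->isDictionary() test in the patched code.
      delete this.a;
      delete this.b;
    },
  });
  return { o, log };
}

// Classify an own property as 'accessor', 'data' or 'missing'.
function describe(o, name) {
  const d = Object.getOwnPropertyDescriptor(o, name);
  if (d === undefined) return 'missing';
  return ('set' in d) ? 'accessor' : 'data';
}

// Drive a single put site repeatedly so an engine's inline cache gets to see
// it, and report what the property looked like before and after the first
// store, how often the accessor setter actually ran, and the final state.
function exercise(iterations = 50) {
  const { o, log } = makeTarget();
  const before = describe(o, 'x');
  function putSite(obj, v) { obj.x = v; }   // one PutById site
  for (let i = 0; i < iterations; i++) putSite(o, i);
  return {
    before,                      // 'accessor': what the first store hit
    after: describe(o, 'x'),     // 'data': what the setter left behind
    setterCalls: log.length,     // 1: every later store is a plain data write
    value: o.x,                  // last value stored
    keys: Object.keys(o),        // ['x']: a and b were deleted by the setter
  };
}
```

Run `exercise()` in any engine: the setter fires exactly once, and from the second iteration on the same put site is writing a data property on a differently shaped object. With the pre-patch ordering the IC would have been told "cacheable setter" only after the setter had already turned the property into data and shrunk the object, which is the mismatch the commit message blames for unnecessary OSR exits.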

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog (226101 => 226102)


--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog	2017-12-19 06:46:21 UTC (rev 226101)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog	2017-12-19 07:12:37 UTC (rev 226102)
@@ -1,3 +1,21 @@
+2017-11-03  Keith Miller  <keith_mil...@apple.com>
+
+        PutProperytSlot should inform the IC about the property before effects.
+        https://bugs.webkit.org/show_bug.cgi?id=179262
+
+        Reviewed by Mark Lam.
+
+        This patch fixes an issue where we choose to cache setters based on
+        incorrect information. If we did so we might end up OSR exiting
+        more than we would otherwise need to. The new model is that the
+        PutPropertySlot should inform the IC of what the property looked
+        like before any potential side effects might have occurred.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::putInlineSlow):
+        * runtime/Lookup.h:
+        (JSC::putEntry):
+
 2017-10-19  Mark Lam  <mark....@apple.com>
 
         Stringifier::appendStringifiedValue() is missing an exception check.
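Review bot: the new ChangeLog title line ("PutProperytSlot should inform the IC about the property before effects.") misspells PutPropertySlot, while the body of the same entry spells it correctly two paragraphs later; the title should be corrected to match. The typo is inherited from the r224416 title quoted in the merge log message, but the 2.18 branch entry is still the place to fix it.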

Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/runtime/JSObject.cpp (226101 => 226102)


--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/runtime/JSObject.cpp	2017-12-19 06:46:21 UTC (rev 226101)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/runtime/JSObject.cpp	2017-12-19 07:12:37 UTC (rev 226102)
@@ -771,17 +771,23 @@
 
             JSValue gs = obj->getDirect(offset);
             if (gs.isGetterSetter()) {
-                bool result = callSetter(exec, slot.thisValue(), gs, value, slot.isStrictMode() ? StrictMode : NotStrictMode);
+                // We need to make sure that we decide to cache this property before we potentially execute aribitrary JS.
                 if (!structure()->isDictionary())
                     slot.setCacheableSetter(obj, offset);
+
+                bool result = callSetter(exec, slot.thisValue(), gs, value, slot.isStrictMode() ? StrictMode : NotStrictMode);
+                RETURN_IF_EXCEPTION(scope, false);
                 return result;
             }
             if (gs.isCustomGetterSetter()) {
-                bool result = callCustomSetter(exec, gs, attributes & CustomAccessor, obj, slot.thisValue(), value);
+                // We need to make sure that we decide to cache this property before we potentially execute aribitrary JS.
                 if (attributes & CustomAccessor)
                     slot.setCustomAccessor(obj, jsCast<CustomGetterSetter*>(gs.asCell())->setter());
                 else
                     slot.setCustomValue(obj, jsCast<CustomGetterSetter*>(gs.asCell())->setter());
+
+                bool result = callCustomSetter(exec, gs, attributes & CustomAccessor, obj, slot.thisValue(), value);
+                RETURN_IF_EXCEPTION(scope, false);
                 return result;
             }
             ASSERT(!(attributes & Accessor));
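Review bot: both new comments ("before we potentially execute aribitrary JS") misspell "arbitrary". The reordering itself is the right fix: `slot.setCacheableSetter(obj, offset)` and `slot.setCustomAccessor`/`slot.setCustomValue` now run before `callSetter`/`callCustomSetter`, so the `structure()->isDictionary()` and `attributes & CustomAccessor` tests describe the state the IC will later check against rather than whatever the setter left behind. Two things to confirm outside the hunk: `RETURN_IF_EXCEPTION(scope, false)` needs a `ThrowScope` named `scope` declared earlier in putInlineSlow (it is not visible here), and the added early return changes the value on the throwing path from whatever `callSetter`/`callCustomSetter` returned to `false`, which is worth a quick check of callers that distinguish the two.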

Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/runtime/Lookup.h (226101 => 226102)


--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/runtime/Lookup.h	2017-12-19 06:46:21 UTC (rev 226101)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/runtime/Lookup.h	2017-12-19 07:12:37 UTC (rev 226102)
@@ -289,11 +289,14 @@
         ASSERT_WITH_MESSAGE(!(entry->attributes() & DOMJITAttribute), "DOMJITAttribute supports readonly attributes currently.");
         bool isAccessor = entry->attributes() & CustomAccessor;
         JSValue updateThisValue = entry->attributes() & CustomAccessor ? slot.thisValue() : JSValue(base);
-        bool result = callCustomSetter(exec, entry->propertyPutter(), isAccessor, updateThisValue, value);
+        // We need to make sure that we decide to cache this property before we potentially execute aribitrary JS.
         if (isAccessor)
             slot.setCustomAccessor(base, entry->propertyPutter());
         else
             slot.setCustomValue(base, entry->propertyPutter());
+
+        bool result = callCustomSetter(exec, entry->propertyPutter(), isAccessor, updateThisValue, value);
+        RETURN_IF_EXCEPTION(scope, false);
         return result;
     }
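Review bot: the same "aribitrary" typo appears in the new comment here. As in JSObject.cpp, `scope` is not declared within the hunk, so putEntry needs a `ThrowScope` with that name earlier in the function. It would also help to extend the comment by a clause: `isAccessor` and `updateThisValue` are already computed from `entry->attributes()` before the call, so after this change everything the IC records is derived from the pre-call entry state, which is the invariant the commit message describes.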
 
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
