Title: [259357] trunk
- Revision: 259357
- Author: commit-qu...@webkit.org
- Date: 2020-04-01 12:10:20 -0700 (Wed, 01 Apr 2020)
Log Message
Delete IC incorrectly caches for proxies
https://bugs.webkit.org/show_bug.cgi?id=209777
Patch by Justin Michaud <jus...@justinmichaud.com> on 2020-04-01
Reviewed by Mark Lam.
JSTests:
* stress/delete-property-ic-proxy.js: Added.
(obj1.this.foo1):
(foo1.foo2):
(foo1):
(foo2.foo3):
(foo2):
* stress/delete-property-inline-cache.js:
Source/JavaScriptCore:
Proxies do not change their structure ID when properties are added, so we cannot cache deletes for them.
* jit/Repatch.cpp:
(JSC::tryCacheDeleteBy):
Diff
Modified: trunk/JSTests/ChangeLog (259356 => 259357)
--- trunk/JSTests/ChangeLog 2020-04-01 18:47:51 UTC (rev 259356)
+++ trunk/JSTests/ChangeLog 2020-04-01 19:10:20 UTC (rev 259357)
@@ -1,3 +1,18 @@
+2020-04-01 Justin Michaud <jus...@justinmichaud.com>
+
+ Delete IC incorrectly caches for proxies
+ https://bugs.webkit.org/show_bug.cgi?id=209777
+
+ Reviewed by Mark Lam.
+
+ * stress/delete-property-ic-proxy.js: Added.
+ (obj1.this.foo1):
+ (foo1.foo2):
+ (foo1):
+ (foo2.foo3):
+ (foo2):
+ * stress/delete-property-inline-cache.js:
+
2020-04-01 Paulo Matos <pma...@igalia.com>
[JSC] Reenable non-cloop LLint, JIT and DFG on 32-bit platforms
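Review bot: The function list under stress/delete-property-ic-proxy.js, "(obj1.this.foo1):" through "(foo2):", looks like tool output derived from the block-scoped test functions and says nothing about what the test covers. Drop those five lines and replace them with one sentence naming the three receivers the test exercises (the global `this`, `new Proxy({}, {})` and `$vm.createProxy({})`).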
Added: trunk/JSTests/stress/delete-property-ic-proxy.js (0 => 259357)
--- trunk/JSTests/stress/delete-property-ic-proxy.js (rev 0)
+++ trunk/JSTests/stress/delete-property-ic-proxy.js 2020-04-01 19:10:20 UTC (rev 259357)
@@ -0,0 +1,40 @@
+//@ requireOptions("--jitPolicyScale=0", "--useDFGJIT=0")
+
+{
+ var obj1 = this
+ function foo1() {
+ for (let i = 0; i < 5; ++i)
+ delete obj1.x
+ }
+ noInline(foo1)
+
+ foo1()
+ Object.defineProperty(obj1, "x", {})
+ foo1()
+}
+
+{
+ var obj2 = new Proxy({}, {})
+ function foo2() {
+ for (let i = 0; i < 5; ++i)
+ delete obj2.x
+ }
+ noInline(foo2)
+
+ foo2()
+ Object.defineProperty(obj2, "x", {})
+ foo2()
+}
+
+{
+ var obj3 = $vm.createProxy({})
+ function foo3() {
+ for (let i = 0; i < 5; ++i)
+ delete obj3.x
+ }
+ noInline(foo3)
+
+ foo3()
+ Object.defineProperty(obj3, "x", {})
+ foo3()
+}
\ No newline at end of file
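Review bot: None of the three blocks checks a result, so this test only fails if the engine crashes or hits an internal assertion. A delete IC that kept its cached outcome after `Object.defineProperty(obj, "x", {})` while still returning normally would pass. In each block, after the second call, assert the observable state: the property defined with an empty descriptor is non-configurable, so `delete obj.x` should evaluate to false and `"x" in obj` should still be true. Having `foo1`/`foo2`/`foo3` return the value of the last `delete` makes that easy to check. A one-line comment per block saying which kind of object it targets would also help, and the file is missing its trailing newline.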
Modified: trunk/JSTests/stress/delete-property-inline-cache.js (259356 => 259357)
--- trunk/JSTests/stress/delete-property-inline-cache.js 2020-04-01 18:47:51 UTC (rev 259356)
+++ trunk/JSTests/stress/delete-property-inline-cache.js 2020-04-01 19:10:20 UTC (rev 259357)
@@ -1,4 +1,4 @@
-//@ runDefault("--useBigInt=true")
+//@ requireOptions("--useBigInt=1")
function assert(condition) {
if (!condition)
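Review bot: The first line changes both the directive (`runDefault` to `requireOptions`) and the option spelling (`--useBigInt=true` to `--useBigInt=1`), and neither ChangeLog entry says why. This looks unrelated to the proxy fix. Either give the reason in the JSTests ChangeLog line for this file or split it into its own change, so that a later bisect over delete IC behaviour does not have to account for a change in how this test is run.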
Modified: trunk/Source/_javascript_Core/ChangeLog (259356 => 259357)
--- trunk/Source/_javascript_Core/ChangeLog 2020-04-01 18:47:51 UTC (rev 259356)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-04-01 19:10:20 UTC (rev 259357)
@@ -1,3 +1,16 @@
+2020-04-01 Justin Michaud <jus...@justinmichaud.com>
+
+ Delete IC incorrectly caches for proxies
+ https://bugs.webkit.org/show_bug.cgi?id=209777
+
+ Reviewed by Mark Lam.
+
+ Proxy's do not change their structure ID when properties are added, so we cannot cache deletes
+ for them.
+
+ * jit/Repatch.cpp:
+ (JSC::tryCacheDeleteBy):
+
2020-04-01 Keith Miller <keith_mil...@apple.com>
Bindings that override getOwnPropertySlotByIndex need to say they MayHaveIndexedAccessors
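Review bot: The description in the new entry states the cause but not the consequence, and "Proxy's" should be "Proxies". Add one sentence on what goes wrong when the delete is cached, for example that a cache keyed on the structure ID stays valid after a property is added to the proxy's target, so the cached outcome is stale. That gives the `isProxy()` check in `tryCacheDeleteBy` a documented rationale.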
Modified: trunk/Source/_javascript_Core/jit/Repatch.cpp (259356 => 259357)
--- trunk/Source/_javascript_Core/jit/Repatch.cpp 2020-04-01 18:47:51 UTC (rev 259356)
+++ trunk/Source/_javascript_Core/jit/Repatch.cpp 2020-04-01 19:10:20 UTC (rev 259357)
@@ -750,7 +750,7 @@
return GiveUpOnCache;
ASSERT(oldStructure);
- if (!baseValue.isObject() || !oldStructure->propertyAccessesAreCacheable())
+ if (!baseValue.isObject() || !oldStructure->propertyAccessesAreCacheable() || oldStructure->isProxy())
return GiveUpOnCache;
if (!slot.isCacheableDelete())
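Review bot: The added `oldStructure->isProxy()` term in the bail-out condition carries no comment, and the reason is not obvious from the surrounding lines, since `propertyAccessesAreCacheable()` reads as if it should already cover this case. Put a short comment above the `if` stating that a proxy's structure ID does not change when properties are added, so a structure check cannot guard a cached delete. Also worth confirming in this review whether the exclusion belongs here only or in a predicate shared by the other caching paths in this file, so the delete path does not become the one place where proxies are special-cased by hand.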