[webkit-changes] [224416] trunk/Source/JavaScriptCore

[keith_miller]

Title: [224416] trunk/Source/_javascript_Core

Revision

224416

Author

keith_mil...@apple.com

Date

2017-11-03 12:57:01 -0700 (Fri, 03 Nov 2017)

Log Message

PutProperytSlot should inform the IC about the property before effects.
https://bugs.webkit.org/show_bug.cgi?id=179262

Reviewed by Mark Lam.

This patch fixes an issue where we choose to cache setters based on
incorrect information. If we did so we might end up OSR exiting
more than we would otherwise need to. The new model is that the
PutPropertySlot should inform the IC of what the property looked
like before any potential side effects might have occurred.

* runtime/JSObject.cpp:
(JSC::JSObject::putInlineSlow):
* runtime/Lookup.h:
(JSC::putEntry):

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/runtime/JSObject.cpp
• trunk/Source/_javascript_Core/runtime/Lookup.h

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (224415 => 224416)

--- trunk/Source/_javascript_Core/ChangeLog	2017-11-03 19:40:12 UTC (rev 224415)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-11-03 19:57:01 UTC (rev 224416)
@@ -1,3 +1,21 @@
+2017-11-03  Keith Miller  <keith_mil...@apple.com>
+
+        PutProperytSlot should inform the IC about the property before effects.
+        https://bugs.webkit.org/show_bug.cgi?id=179262
+
+        Reviewed by Mark Lam.
+
+        This patch fixes an issue where we choose to cache setters based on
+        incorrect information. If we did so we might end up OSR exiting
+        more than we would otherwise need to. The new model is that the
+        PutPropertySlot should inform the IC of what the property looked
+        like before any potential side effects might have occurred.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::putInlineSlow):
+        * runtime/Lookup.h:
+        (JSC::putEntry):
+
 2017-11-03  Mark Lam  <mark....@apple.com>
 
         CachedCall (and its clients) needs overflow checks.

Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (224415 => 224416)

--- trunk/Source/_javascript_Core/runtime/JSObject.cpp	2017-11-03 19:40:12 UTC (rev 224415)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp	2017-11-03 19:57:01 UTC (rev 224416)
@@ -776,19 +776,23 @@
 
             JSValue gs = obj->getDirect(offset);
             if (gs.isGetterSetter()) {
+                // We need to make sure that we decide to cache this property before we potentially execute aribitrary JS.
+                if (!structure()->isDictionary())
+                    slot.setCacheableSetter(obj, offset);
+
                 bool result = callSetter(exec, slot.thisValue(), gs, value, slot.isStrictMode() ? StrictMode : NotStrictMode);
                 RETURN_IF_EXCEPTION(scope, false);
-                if (!structure()->isDictionary())
-                    slot.setCacheableSetter(obj, offset);
                 return result;
             }
             if (gs.isCustomGetterSetter()) {
-                bool result = callCustomSetter(exec, gs, attributes & PropertyAttribute::CustomAccessor, obj, slot.thisValue(), value);
-                RETURN_IF_EXCEPTION(scope, false);
+                // We need to make sure that we decide to cache this property before we potentially execute aribitrary JS.
                 if (attributes & PropertyAttribute::CustomAccessor)
                     slot.setCustomAccessor(obj, jsCast<CustomGetterSetter*>(gs.asCell())->setter());
                 else
                     slot.setCustomValue(obj, jsCast<CustomGetterSetter*>(gs.asCell())->setter());
+
+                bool result = callCustomSetter(exec, gs, attributes & PropertyAttribute::CustomAccessor, obj, slot.thisValue(), value);
+                RETURN_IF_EXCEPTION(scope, false);
                 return result;
             }
             ASSERT(!(attributes & PropertyAttribute::Accessor));

Modified: trunk/Source/_javascript_Core/runtime/Lookup.h (224415 => 224416)

--- trunk/Source/_javascript_Core/runtime/Lookup.h	2017-11-03 19:40:12 UTC (rev 224415)
+++ trunk/Source/_javascript_Core/runtime/Lookup.h	2017-11-03 19:57:01 UTC (rev 224416)
@@ -289,12 +289,14 @@
         ASSERT_WITH_MESSAGE(!(entry->attributes() & PropertyAttribute::DOMJITAttribute), "DOMJITAttribute supports readonly attributes currently.");
         bool isAccessor = entry->attributes() & PropertyAttribute::CustomAccessor;
         JSValue updateThisValue = entry->attributes() & PropertyAttribute::CustomAccessor ? slot.thisValue() : JSValue(base);
-        bool result = callCustomSetter(exec, entry->propertyPutter(), isAccessor, updateThisValue, value);
-        RETURN_IF_EXCEPTION(scope, false);
+        // We need to make sure that we decide to cache this property before we potentially execute aribitrary JS.
         if (isAccessor)
             slot.setCustomAccessor(base, entry->propertyPutter());
         else
             slot.setCustomValue(base, entry->propertyPutter());
+
+        bool result = callCustomSetter(exec, entry->propertyPutter(), isAccessor, updateThisValue, value);
+        RETURN_IF_EXCEPTION(scope, false);
         return result;
     }
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes