[webkit-changes] [225423] trunk

[sbarati]

Title: [225423] trunk

Revision

225423

Author

sbar...@apple.com

Date

2017-12-01 15:40:13 -0800 (Fri, 01 Dec 2017)

Log Message

Having a bad time needs to handle ArrayClass indexing type as well
https://bugs.webkit.org/show_bug.cgi?id=180274
<rdar://problem/35667869>

Reviewed by Keith Miller and Mark Lam.

JSTests:

* stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
(assert):
* stress/array-prototype-slow-put-having-a-bad-time.js: Added.
(assert):

Source/_javascript_Core:

We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
Otherwise, we'll end up with the wrong Structure, which will lead us to not
adhere to the spec. The bug was that we were not considering ArrayClass inside
hasBrokenIndexing. This patch rewrites that function to automatically opt
in non-empty indexing types as broken, instead of having to opt out all
non-empty indexing types besides SlowPutArrayStorage.

* runtime/IndexingType.h:
(JSC::hasSlowPutArrayStorage):
(JSC::shouldUseSlowPut):
* runtime/JSGlobalObject.cpp:
* runtime/JSObject.cpp:
(JSC::JSObject::switchToSlowPutArrayStorage):

Modified Paths

• trunk/JSTests/ChangeLog
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/runtime/IndexingType.h
• trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp
• trunk/Source/_javascript_Core/runtime/JSObject.cpp

Added Paths

• trunk/JSTests/stress/array-prototype-slow-put-having-a-bad-time-2.js
• trunk/JSTests/stress/array-prototype-slow-put-having-a-bad-time.js

Diff

Modified: trunk/JSTests/ChangeLog (225422 => 225423)

--- trunk/JSTests/ChangeLog	2017-12-01 23:36:41 UTC (rev 225422)
+++ trunk/JSTests/ChangeLog	2017-12-01 23:40:13 UTC (rev 225423)
@@ -1,3 +1,16 @@
+2017-12-01  Saam Barati  <sbar...@apple.com>
+
+        Having a bad time needs to handle ArrayClass indexing type as well
+        https://bugs.webkit.org/show_bug.cgi?id=180274
+        <rdar://problem/35667869>
+
+        Reviewed by Keith Miller and Mark Lam.
+
+        * stress/array-prototype-slow-put-having-a-bad-time-2.js: Added.
+        (assert):
+        * stress/array-prototype-slow-put-having-a-bad-time.js: Added.
+        (assert):
+
 2017-12-01  JF Bastien  <jfbast...@apple.com>
 
         WebAssembly: restore cached stack limit after out-call

Added: trunk/JSTests/stress/array-prototype-slow-put-having-a-bad-time-2.js (0 => 225423)

--- trunk/JSTests/stress/array-prototype-slow-put-having-a-bad-time-2.js	                        (rev 0)
+++ trunk/JSTests/stress/array-prototype-slow-put-having-a-bad-time-2.js	2017-12-01 23:40:13 UTC (rev 225423)
@@ -0,0 +1,14 @@
+function assert(b) {
+    if (!b)
+        throw new Error;
+}
+
+let result;
+Object.defineProperty(Object.prototype, '1', {
+    get() { return result; },
+    set(x) { result = x; }
+});
+Array.prototype.length = 0x10000000;
+Array.prototype[1] = 42;
+assert(result === 42);
+assert(Array.prototype[1] === 42);

Added: trunk/JSTests/stress/array-prototype-slow-put-having-a-bad-time.js (0 => 225423)

--- trunk/JSTests/stress/array-prototype-slow-put-having-a-bad-time.js	                        (rev 0)
+++ trunk/JSTests/stress/array-prototype-slow-put-having-a-bad-time.js	2017-12-01 23:40:13 UTC (rev 225423)
@@ -0,0 +1,15 @@
+function assert(b) {
+    if (!b)
+        throw new Error;
+}
+
+let result;
+Object.defineProperty(Object.prototype, '1', {
+    get() { return result; },
+    set(x) { result = x; }
+});
+
+Array.prototype.length = 5;
+Array.prototype[1] = 42;
+assert(result === 42);
+assert(Array.prototype[1] === 42);

Modified: trunk/Source/_javascript_Core/ChangeLog (225422 => 225423)

--- trunk/Source/_javascript_Core/ChangeLog	2017-12-01 23:36:41 UTC (rev 225422)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-12-01 23:40:13 UTC (rev 225423)
@@ -1,3 +1,25 @@
+2017-12-01  Saam Barati  <sbar...@apple.com>
+
+        Having a bad time needs to handle ArrayClass indexing type as well
+        https://bugs.webkit.org/show_bug.cgi?id=180274
+        <rdar://problem/35667869>
+
+        Reviewed by Keith Miller and Mark Lam.
+
+        We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
+        Otherwise, we'll end up with the wrong Structure, which will lead us to not
+        adhere to the spec. The bug was that we were not considering ArrayClass inside 
+        hasBrokenIndexing. This patch rewrites that function to automatically opt
+        in non-empty indexing types as broken, instead of having to opt out all
+        non-empty indexing types besides SlowPutArrayStorage.
+
+        * runtime/IndexingType.h:
+        (JSC::hasSlowPutArrayStorage):
+        (JSC::shouldUseSlowPut):
+        * runtime/JSGlobalObject.cpp:
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::switchToSlowPutArrayStorage):
+
 2017-12-01  JF Bastien  <jfbast...@apple.com>
 
         WebAssembly: stack trace improvement follow-ups

Modified: trunk/Source/_javascript_Core/runtime/IndexingType.h (225422 => 225423)

--- trunk/Source/_javascript_Core/runtime/IndexingType.h	2017-12-01 23:36:41 UTC (rev 225422)
+++ trunk/Source/_javascript_Core/runtime/IndexingType.h	2017-12-01 23:40:13 UTC (rev 225423)
@@ -153,11 +153,16 @@
     return static_cast<uint8_t>(indexingType & IndexingShapeMask) >= ArrayStorageShape;
 }
 
-static inline bool shouldUseSlowPut(IndexingType indexingType)
+static inline bool hasSlowPutArrayStorage(IndexingType indexingType)
 {
     return (indexingType & IndexingShapeMask) == SlowPutArrayStorageShape;
 }
 
+static inline bool shouldUseSlowPut(IndexingType indexingType)
+{
+    return hasSlowPutArrayStorage(indexingType);
+}
+
 inline IndexingType indexingTypeForValue(JSValue value)
 {
     if (value.isInt32())

Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (225422 => 225423)

--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp	2017-12-01 23:36:41 UTC (rev 225422)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp	2017-12-01 23:40:13 UTC (rev 225423)
@@ -1123,11 +1123,8 @@
 
 inline bool hasBrokenIndexing(JSObject* object)
 {
-    // This will change if we have more indexing types.
     IndexingType type = object->indexingType();
-    // This could be made obviously more efficient, but isn't made so right now, because
-    // we expect this to be an unlikely slow path anyway.
-    return hasUndecided(type) || hasInt32(type) || hasDouble(type) || hasContiguous(type) || hasArrayStorage(type);
+    return type && !hasSlowPutArrayStorage(type);
 }
 
 inline void ObjectsWithBrokenIndexingFinder::visit(JSCell* cell)

Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (225422 => 225423)

--- trunk/Source/_javascript_Core/runtime/JSObject.cpp	2017-12-01 23:36:41 UTC (rev 225422)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp	2017-12-01 23:40:13 UTC (rev 225423)
@@ -1603,6 +1603,14 @@
 void JSObject::switchToSlowPutArrayStorage(VM& vm)
 {
     switch (indexingType()) {
+    case ArrayClass:
+        ensureArrayStorage(vm);
+        RELEASE_ASSERT(hasAnyArrayStorage(indexingType()));
+        if (hasSlowPutArrayStorage(indexingType()))
+            return;
+        switchToSlowPutArrayStorage(vm);
+        break;
+
     case ALL_UNDECIDED_INDEXING_TYPES:
         convertUndecidedToArrayStorage(vm, NonPropertyTransition::AllocateSlowPutArrayStorage);
         break;

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes