Diff
Modified: branches/safari-605-branch/JSTests/ChangeLog (226850 => 226851)
--- branches/safari-605-branch/JSTests/ChangeLog 2018-01-12 04:52:23 UTC (rev 226850)
+++ branches/safari-605-branch/JSTests/ChangeLog 2018-01-12 04:52:26 UTC (rev 226851)
@@ -1,3 +1,17 @@
+2018-01-11 Jason Marcell <jmarc...@apple.com>
+
+ Cherry-pick r226650. rdar://problem/36429150
+
+ 2018-01-09 Mark Lam <mark....@apple.com>
+
+ ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
+ https://bugs.webkit.org/show_bug.cgi?id=181388
+ <rdar://problem/36349351>
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-181388.js: Added.
+
2018-01-09 Jason Marcell <jmarc...@apple.com>
Cherry-pick r226615. rdar://problem/36392328
Added: branches/safari-605-branch/JSTests/stress/regress-181388.js (0 => 226851)
--- branches/safari-605-branch/JSTests/stress/regress-181388.js (rev 0)
+++ branches/safari-605-branch/JSTests/stress/regress-181388.js 2018-01-12 04:52:26 UTC (rev 226851)
@@ -0,0 +1,71 @@
+function assert(x) {
+ if (!x)
+ throw "FAIL";
+}
+
+(function() {
+ var trace = [];
+
+ var foo = {
+ value: 5,
+ get bar() {
+ trace.push("get");
+ return this.value;
+ },
+ set bar(x) {
+ throw "Should not be reached";
+ },
+ set bar(x) {
+ trace.push("set2");
+ this.value = x + 10000;
+ return this.value;
+ }
+ }
+
+ assert(foo.value == 5);
+ assert(trace == "");
+ assert(foo.bar == 5);
+ assert(trace == "get");
+
+ foo.bar = 20;
+ assert(trace == "get,set2");
+
+ assert(foo.value == 10020);
+ assert(trace == "get,set2");
+ assert(foo.bar == 10020);
+ assert(trace == "get,set2,get");
+})();
+
+(function() {
+ var trace = [];
+
+ var foo = {
+ value: 5,
+ set bar(x) {
+ trace.push("set");
+ this.value = x;
+ return this.value;
+ },
+ get bar() {
+ throw "Should not be reached";
+ },
+ get bar() {
+ trace.push("get2");
+ this.value += 10000;
+ return this.value;
+ },
+ }
+
+ assert(foo.value == 5);
+ assert(trace == "");
+ assert(foo.bar == 10005);
+ assert(trace == "get2");
+
+ foo.bar = 20;
+ assert(trace == "get2,set");
+
+ assert(foo.value == 20);
+ assert(trace == "get2,set");
+ assert(foo.bar == 10020);
+ assert(trace == "get2,set,get2");
+})();
Modified: branches/safari-605-branch/Source/_javascript_Core/ChangeLog (226850 => 226851)
--- branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-01-12 04:52:23 UTC (rev 226850)
+++ branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-01-12 04:52:26 UTC (rev 226851)
@@ -1,3 +1,27 @@
+2018-01-11 Jason Marcell <jmarc...@apple.com>
+
+ Cherry-pick r226650. rdar://problem/36429150
+
+ 2018-01-09 Mark Lam <mark....@apple.com>
+
+ ASSERTION FAILED: pair.second->m_type & PropertyNode::Getter
+ https://bugs.webkit.org/show_bug.cgi?id=181388
+ <rdar://problem/36349351>
+
+ Reviewed by Saam Barati.
+
+ When there are duplicate setters or getters, we may end up overwriting a getter
+ with a setter, or vice versa. This patch adds tracking for getters/setters that
+ have been overwritten with duplicates and ignore them.
+
+ * bytecompiler/NodesCodegen.cpp:
+ (JSC::PropertyListNode::emitBytecode):
+ * parser/NodeConstructors.h:
+ (JSC::PropertyNode::PropertyNode):
+ * parser/Nodes.h:
+ (JSC::PropertyNode::isOverriddenByDuplicate const):
+ (JSC::PropertyNode::setIsOverriddenByDuplicate):
+
2018-01-09 Jason Marcell <jmarc...@apple.com>
Cherry-pick r226672. rdar://problem/36397330
Modified: branches/safari-605-branch/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp (226850 => 226851)
--- branches/safari-605-branch/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2018-01-12 04:52:23 UTC (rev 226850)
+++ branches/safari-605-branch/Source/_javascript_Core/bytecompiler/NodesCodegen.cpp 2018-01-12 04:52:26 UTC (rev 226851)
@@ -1,7 +1,7 @@
/*
* Copyright (C) 1999-2002 Harri Porten (por...@kde.org)
* Copyright (C) 2001 Peter Kelly (p...@post.com)
-* Copyright (C) 2003-2017 Apple Inc. All rights reserved.
+* Copyright (C) 2003-2018 Apple Inc. All rights reserved.
* Copyright (C) 2007 Cameron Zwarich (cwzwar...@uwaterloo.ca)
* Copyright (C) 2007 Maks Orlovich
* Copyright (C) 2007 Eric Seidel <e...@webkit.org>
@@ -539,11 +539,16 @@
// Duplicates are possible.
GetterSetterPair pair(node, static_cast<PropertyNode*>(nullptr));
GetterSetterMap::AddResult result = map.add(node->name()->impl(), pair);
+ auto& resultPair = result.iterator->value;
if (!result.isNewEntry) {
- if (result.iterator->value.first->m_type == node->m_type)
- result.iterator->value.first = node;
- else
- result.iterator->value.second = node;
+ if (resultPair.first->m_type == node->m_type) {
+ resultPair.first->setIsOverriddenByDuplicate();
+ resultPair.first = node;
+ } else {
+ if (resultPair.second)
+ resultPair.second->setIsOverriddenByDuplicate();
+ resultPair.second = node;
+ }
}
}
@@ -595,7 +600,7 @@
GetterSetterPair& pair = it->value;
// Was this already generated as a part of its partner?
- if (pair.second == node)
+ if (pair.second == node || node->isOverriddenByDuplicate())
continue;
// Generate the paired node now.
Modified: branches/safari-605-branch/Source/_javascript_Core/parser/NodeConstructors.h (226850 => 226851)
--- branches/safari-605-branch/Source/_javascript_Core/parser/NodeConstructors.h 2018-01-12 04:52:23 UTC (rev 226850)
+++ branches/safari-605-branch/Source/_javascript_Core/parser/NodeConstructors.h 2018-01-12 04:52:26 UTC (rev 226851)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2009, 2013, 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2009-2018 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -248,6 +248,7 @@
, m_needsSuperBinding(superBinding == SuperBinding::Needed)
, m_putType(putType)
, m_isClassProperty(isClassProperty)
+ , m_isOverriddenByDuplicate(false)
{
}
@@ -258,6 +259,7 @@
, m_needsSuperBinding(superBinding == SuperBinding::Needed)
, m_putType(putType)
, m_isClassProperty(isClassProperty)
+ , m_isOverriddenByDuplicate(false)
{
}
@@ -269,6 +271,7 @@
, m_needsSuperBinding(superBinding == SuperBinding::Needed)
, m_putType(putType)
, m_isClassProperty(isClassProperty)
+ , m_isOverriddenByDuplicate(false)
{
}
Modified: branches/safari-605-branch/Source/_javascript_Core/parser/Nodes.h (226850 => 226851)
--- branches/safari-605-branch/Source/_javascript_Core/parser/Nodes.h 2018-01-12 04:52:23 UTC (rev 226850)
+++ branches/safari-605-branch/Source/_javascript_Core/parser/Nodes.h 2018-01-12 04:52:26 UTC (rev 226851)
@@ -1,7 +1,7 @@
/*
* Copyright (C) 1999-2000 Harri Porten (por...@kde.org)
* Copyright (C) 2001 Peter Kelly (p...@post.com)
- * Copyright (C) 2003-2009, 2013, 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2018 Apple Inc. All rights reserved.
* Copyright (C) 2007 Cameron Zwarich (cwzwar...@uwaterloo.ca)
* Copyright (C) 2007 Maks Orlovich
* Copyright (C) 2007 Eric Seidel <e...@webkit.org>
@@ -697,6 +697,8 @@
Type type() const { return static_cast<Type>(m_type); }
bool needsSuperBinding() const { return m_needsSuperBinding; }
bool isClassProperty() const { return m_isClassProperty; }
+ bool isOverriddenByDuplicate() const { return m_isOverriddenByDuplicate; }
+ void setIsOverriddenByDuplicate() { m_isOverriddenByDuplicate = true; }
PutType putType() const { return static_cast<PutType>(m_putType); }
private:
@@ -708,6 +710,7 @@
unsigned m_needsSuperBinding : 1;
unsigned m_putType : 1;
unsigned m_isClassProperty: 1;
+ unsigned m_isOverriddenByDuplicate: 1;
};
class PropertyListNode : public ExpressionNode {
