Diff
Modified: branches/safari-605-branch/JSTests/ChangeLog (231501 => 231502)
--- branches/safari-605-branch/JSTests/ChangeLog 2018-05-08 19:36:01 UTC (rev 231501)
+++ branches/safari-605-branch/JSTests/ChangeLog 2018-05-08 19:42:09 UTC (rev 231502)
@@ -1,3 +1,60 @@
+2018-05-08 Jason Marcell <[email protected]>
+
+ Cherry-pick r230740. rdar://problem/40050731
+
+ A put is not an ExistingProperty put when we transition a structure because of an attributes change
+ https://bugs.webkit.org/show_bug.cgi?id=184706
+ <rdar://problem/38871451>
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * stress/put-by-id-direct-strict-transition.js: Added.
+ (const.foo):
+ (j.const.obj.set hello):
+ * stress/put-by-id-direct-transition.js: Added.
+ (const.foo):
+ (j.const.obj.set hello):
+ * stress/put-getter-setter-by-id-strict-transition.js: Added.
+ (const.foo):
+ (j.const.obj.set hello):
+ * stress/put-getter-setter-by-id-transition.js: Added.
+ (const.foo):
+ (j.const.obj.set hello):
+
+ Source/_javascript_Core:
+
+ When putting a property on a structure and the slot is a different
+ type, the slot can't be said to have already been existing.
+
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::putDirectInternal):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230740 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-04-17 JF Bastien <[email protected]>
+
+ A put is not an ExistingProperty put when we transition a structure because of an attributes change
+ https://bugs.webkit.org/show_bug.cgi?id=184706
+ <rdar://problem/38871451>
+
+ Reviewed by Saam Barati.
+
+ * stress/put-by-id-direct-strict-transition.js: Added.
+ (const.foo):
+ (j.const.obj.set hello):
+ * stress/put-by-id-direct-transition.js: Added.
+ (const.foo):
+ (j.const.obj.set hello):
+ * stress/put-getter-setter-by-id-strict-transition.js: Added.
+ (const.foo):
+ (j.const.obj.set hello):
+ * stress/put-getter-setter-by-id-transition.js: Added.
+ (const.foo):
+ (j.const.obj.set hello):
+
2018-04-17 Kocsen Chung <[email protected]>
Cherry-pick r230662. rdar://problem/39496355
Added: branches/safari-605-branch/JSTests/stress/put-by-id-direct-strict-transition.js (0 => 231502)
--- branches/safari-605-branch/JSTests/stress/put-by-id-direct-strict-transition.js (rev 0)
+++ branches/safari-605-branch/JSTests/stress/put-by-id-direct-strict-transition.js 2018-05-08 19:42:09 UTC (rev 231502)
@@ -0,0 +1,13 @@
+"use strict"
+
+let theglobal = 0;
+for (theglobal = 0; theglobal < 100000; ++theglobal)
+ ;
+const foo = (ignored, arg1) => { theglobal = arg1; };
+for (let j = 0; j < 10000; ++j) {
+ const obj = {
+ set hello(ignored) {},
+ [theglobal]: 0
+ };
+ foo(obj, 'hello');
+}
Added: branches/safari-605-branch/JSTests/stress/put-by-id-direct-transition.js (0 => 231502)
--- branches/safari-605-branch/JSTests/stress/put-by-id-direct-transition.js (rev 0)
+++ branches/safari-605-branch/JSTests/stress/put-by-id-direct-transition.js 2018-05-08 19:42:09 UTC (rev 231502)
@@ -0,0 +1,11 @@
+let theglobal = 0;
+for (theglobal = 0; theglobal < 100000; ++theglobal)
+ ;
+const foo = (ignored, arg1) => { theglobal = arg1; };
+for (let j = 0; j < 10000; ++j) {
+ const obj = {
+ set hello(ignored) {},
+ [theglobal]: 0
+ };
+ foo(obj, 'hello');
+}
Added: branches/safari-605-branch/JSTests/stress/put-getter-setter-by-id-strict-transition.js (0 => 231502)
--- branches/safari-605-branch/JSTests/stress/put-getter-setter-by-id-strict-transition.js (rev 0)
+++ branches/safari-605-branch/JSTests/stress/put-getter-setter-by-id-strict-transition.js 2018-05-08 19:42:09 UTC (rev 231502)
@@ -0,0 +1,13 @@
+"use strict"
+
+let theglobal = 0;
+for (theglobal = 0; theglobal < 100000; ++theglobal)
+ ;
+const foo = (ignored, arg1) => { theglobal = arg1; };
+for (let j = 0; j < 10000; ++j) {
+ const obj = {
+ [theglobal]: 0,
+ set hello(ignored) {}
+ };
+ foo(obj, 'hello');
+}
Added: branches/safari-605-branch/JSTests/stress/put-getter-setter-by-id-transition.js (0 => 231502)
--- branches/safari-605-branch/JSTests/stress/put-getter-setter-by-id-transition.js (rev 0)
+++ branches/safari-605-branch/JSTests/stress/put-getter-setter-by-id-transition.js 2018-05-08 19:42:09 UTC (rev 231502)
@@ -0,0 +1,11 @@
+let theglobal = 0;
+for (theglobal = 0; theglobal < 100000; ++theglobal)
+ ;
+const foo = (ignored, arg1) => { theglobal = arg1; };
+for (let j = 0; j < 10000; ++j) {
+ const obj = {
+ [theglobal]: 0,
+ set hello(ignored) {}
+ };
+ foo(obj, 'hello');
+}
Modified: branches/safari-605-branch/Source/_javascript_Core/ChangeLog (231501 => 231502)
--- branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-05-08 19:36:01 UTC (rev 231501)
+++ branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-05-08 19:42:09 UTC (rev 231502)
@@ -1,3 +1,53 @@
+2018-05-08 Jason Marcell <[email protected]>
+
+ Cherry-pick r230740. rdar://problem/40050731
+
+ A put is not an ExistingProperty put when we transition a structure because of an attributes change
+ https://bugs.webkit.org/show_bug.cgi?id=184706
+ <rdar://problem/38871451>
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * stress/put-by-id-direct-strict-transition.js: Added.
+ (const.foo):
+ (j.const.obj.set hello):
+ * stress/put-by-id-direct-transition.js: Added.
+ (const.foo):
+ (j.const.obj.set hello):
+ * stress/put-getter-setter-by-id-strict-transition.js: Added.
+ (const.foo):
+ (j.const.obj.set hello):
+ * stress/put-getter-setter-by-id-transition.js: Added.
+ (const.foo):
+ (j.const.obj.set hello):
+
+ Source/_javascript_Core:
+
+ When putting a property on a structure and the slot is a different
+ type, the slot can't be said to have already been existing.
+
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::putDirectInternal):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230740 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-04-17 JF Bastien <[email protected]>
+
+ A put is not an ExistingProperty put when we transition a structure because of an attributes change
+ https://bugs.webkit.org/show_bug.cgi?id=184706
+ <rdar://problem/38871451>
+
+ Reviewed by Saam Barati.
+
+ When putting a property on a structure and the slot is a different
+ type, the slot can't be said to have already been existing.
+
+ * runtime/JSObjectInlines.h:
+ (JSC::JSObject::putDirectInternal):
+
2018-04-26 Jason Marcell <[email protected]>
Cherry-pick r230459. rdar://problem/39766214
Modified: branches/safari-605-branch/Source/_javascript_Core/runtime/JSObjectInlines.h (231501 => 231502)
--- branches/safari-605-branch/Source/_javascript_Core/runtime/JSObjectInlines.h 2018-05-08 19:36:01 UTC (rev 231501)
+++ branches/safari-605-branch/Source/_javascript_Core/runtime/JSObjectInlines.h 2018-05-08 19:42:09 UTC (rev 231502)
@@ -288,12 +288,13 @@
putDirect(vm, offset, value);
structure->didReplaceProperty(offset);
- slot.setExistingProperty(this, offset);
if ((attributes & PropertyAttribute::Accessor) != (currentAttributes & PropertyAttribute::Accessor) || (attributes & PropertyAttribute::CustomAccessor) != (currentAttributes & PropertyAttribute::CustomAccessor)) {
ASSERT(!(attributes & PropertyAttribute::ReadOnly));
setStructure(vm, Structure::attributeChangeTransition(vm, structure, propertyName, attributes));
- }
+ } else
+ slot.setExistingProperty(this, offset);
+
return true;
}
@@ -345,13 +346,14 @@
vm, propertyName, value, slot.context() == PutPropertySlot::PutById);
}
- slot.setExistingProperty(this, offset);
putDirect(vm, offset, value);
if ((attributes & PropertyAttribute::Accessor) != (currentAttributes & PropertyAttribute::Accessor) || (attributes & PropertyAttribute::CustomAccessor) != (currentAttributes & PropertyAttribute::CustomAccessor)) {
ASSERT(!(attributes & PropertyAttribute::ReadOnly));
setStructure(vm, Structure::attributeChangeTransition(vm, structure, propertyName, attributes));
- }
+ } else
+ slot.setExistingProperty(this, offset);
+
return true;
}
