Title: [246210] trunk
Revision: 246210
Author: tzaga...@apple.com
Date: 2019-06-07 11:54:31 -0700 (Fri, 07 Jun 2019)
Log Message
AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
https://bugs.webkit.org/show_bug.cgi?id=198581
<rdar://problem/51099753>
Reviewed by Saam Barati.
JSTests:
* stress/global-object-proto-getter.js: Added.
(f):
(test):
Source/JavaScriptCore:
For GetGetterSetterByOffset, when the abstract interpreter fails to read the property
from the object, it gets the GetterSetter structure from the CodeBlock's global object.
However, that's not correct, since the global object for the base object might differ
from the CodeBlock's. Instead, we try to get the global object from the base, when it's
a constant object. Otherwise, we can't infer the value and only set the type.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
Diff
Modified: trunk/JSTests/ChangeLog (246209 => 246210)
--- trunk/JSTests/ChangeLog 2019-06-07 18:05:42 UTC (rev 246209)
+++ trunk/JSTests/ChangeLog 2019-06-07 18:54:31 UTC (rev 246210)
@@ -1,3 +1,15 @@
+2019-06-07 Tadeu Zagallo <tzaga...@apple.com>
+
+ AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
+ https://bugs.webkit.org/show_bug.cgi?id=198581
+ <rdar://problem/51099753>
+
+ Reviewed by Saam Barati.
+
+ * stress/global-object-proto-getter.js: Added.
+ (f):
+ (test):
+
2019-06-05 Justin Michaud <justin_mich...@apple.com>
[WASM-References] Add support for Anyref tables, Table.get and Table.set (for Anyref only).
Added: trunk/JSTests/stress/global-object-proto-getter.js (0 => 246210)
--- trunk/JSTests/stress/global-object-proto-getter.js (rev 0)
+++ trunk/JSTests/stress/global-object-proto-getter.js 2019-06-07 18:54:31 UTC (rev 246210)
@@ -0,0 +1,15 @@
+//@ requireOptions("--validateAbstractInterpreterState=true", "--validateAbstractInterpreterStateProbability=1.0", "--forceEagerCompilation=true")
+Array.__proto__ = createGlobalObject();
+
+function f() { const c = Array.__proto__ }
+
+function test() {
+ with(0) {
+ f();
+ }
+}
+noInline(test);
+
+for (let i = 0; i < 100; i++) {
+ test();
+}
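Review bot: the test has no assertion and no comment saying what it guards, so nothing in the file tells a reader that it can only fail through the `--validateAbstractInterpreterState=true` check named in the `requireOptions` line. Add a short header comment stating that `Array.__proto__ = createGlobalObject()` gives the base object read in `f` a different global object from the one the code block running `f` belongs to, and explain why the call is wrapped in `with(0)`, since its role is not evident from the code. A reference to bug 198581 in that comment would make a future failure much easier to triage.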
Modified: trunk/Source/_javascript_Core/ChangeLog (246209 => 246210)
--- trunk/Source/_javascript_Core/ChangeLog 2019-06-07 18:05:42 UTC (rev 246209)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-06-07 18:54:31 UTC (rev 246210)
@@ -1,3 +1,20 @@
+2019-06-07 Tadeu Zagallo <tzaga...@apple.com>
+
+ AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
+ https://bugs.webkit.org/show_bug.cgi?id=198581
+ <rdar://problem/51099753>
+
+ Reviewed by Saam Barati.
+
+ For GetGetterSetterByOffset, when the abstract interpreter fails to read the property
+ from the object, it gets the GetterSetter structure from the CodeBlock's global object.
+ However, that's not correct, since the global object for the base object might differ
+ from the CodeBlock's. Instead, we try to get the global object from the base, when it's
+ a constant object. Otherwise, we can't infer the value and only set the type.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
2019-06-06 Devin Rousso <drou...@apple.com>
Web Inspector: create CommandLineAPIHost lazily like the other agents
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (246209 => 246210)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2019-06-07 18:05:42 UTC (rev 246209)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2019-06-07 18:54:31 UTC (rev 246210)
@@ -3316,13 +3316,19 @@
case GetGetterSetterByOffset: {
StorageAccessData& data = ""
- JSValue result = m_graph.tryGetConstantProperty(forNode(node->child2()), data.offset);
+ AbstractValue base = forNode(node->child2());
+ JSValue result = m_graph.tryGetConstantProperty(base, data.offset);
if (result && jsDynamicCast<GetterSetter*>(m_vm, result)) {
setConstant(node, *m_graph.freeze(result));
break;
}
- setForNode(node, m_graph.globalObjectFor(node->origin.semantic)->getterSetterStructure());
+ if (base.value() && base.value().isObject()) {
+ setForNode(node, asObject(base.value())->globalObject()->getterSetterStructure());
+ break;
+ }
+
+ setTypeForNode(node, SpecObjectOther);
break;
}
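Review bot: the new constant-base branch, `setForNode(node, asObject(base.value())->globalObject()->getterSetterStructure())`, still assumes something the hunk does not establish, namely that the GetterSetter stored at `data.offset` was allocated with the structure of the base's own global object. The old code made the same kind of assumption about the CodeBlock's global object, and that turned out to be wrong. If a GetterSetter can be installed on an object by code running under a different global object, this branch would again prove a structure the runtime value does not have. Either state the invariant that rules this out in a comment above the `if (base.value() && base.value().isObject())` check, or drop the branch and fall through to `setTypeForNode(node, SpecObjectOther)` for every case where `tryGetConstantProperty` fails. A one-line comment on why `SpecObjectOther` is the right speculated type for a GetterSetter cell would also help.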