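--- a/branches/safari-607-branch/Source/_javascript_Core/ChangeLog
+++ b/branches/safari-607-branch/Source/_javascript_Core/ChangeLog
@@ -1,3 +1,48 @@
+2019-07-07 Babak Shafiei <[email protected]>
+
+ Cherry-pick r246801. rdar://problem/52505041
+
+ Structure::create should call didBecomePrototype()
+ https://bugs.webkit.org/show_bug.cgi?id=196315
+
+ Reviewed by Filip Pizlo.
+
+ Structure::create should also assert that the indexing type makes sense
+ for the prototype being used.
+
+ * runtime/JSObject.h:
+ * runtime/Structure.cpp:
+ (JSC::Structure::isValidPrototype):
+ (JSC::Structure::changePrototypeTransition):
+ * runtime/Structure.h:
+ (JSC::Structure::create): Deleted.
+ * runtime/StructureInlines.h:
+ (JSC::Structure::create):
+ (JSC::Structure::setPrototypeWithoutTransition):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@246801 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-06-25 Keith Miller <[email protected]>
+
+ Structure::create should call didBecomePrototype()
+ https://bugs.webkit.org/show_bug.cgi?id=196315
+
+ Reviewed by Filip Pizlo.
+
+ Structure::create should also assert that the indexing type makes sense
+ for the prototype being used.
+
+ * runtime/JSObject.h:
+ * runtime/Structure.cpp:
+ (JSC::Structure::isValidPrototype):
+ (JSC::Structure::changePrototypeTransition):
+ * runtime/Structure.h:
+ (JSC::Structure::create): Deleted.
+ * runtime/StructureInlines.h:
+ (JSC::Structure::create):
+ (JSC::Structure::setPrototypeWithoutTransition):
+
 2019-07-02 Alan Coon <[email protected]>
 Revert r246801. rdar://problem/52505041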
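--- a/branches/safari-607-branch/Source/_javascript_Core/runtime/JSObject.h
+++ b/branches/safari-607-branch/Source/_javascript_Core/runtime/JSObject.h
@@ -747,7 +747,7 @@
 bool isSealed(VM& vm) { return structure(vm)->isSealed(vm); }
 bool isFrozen(VM& vm) { return structure(vm)->isFrozen(vm); }
- bool anyObjectInChainMayInterceptIndexedAccesses(VM&) const;
+ JS_EXPORT_PRIVATE bool anyObjectInChainMayInterceptIndexedAccesses(VM&) const;
 JS_EXPORT_PRIVATE bool prototypeChainMayInterceptStoreTo(VM&, PropertyName);
 bool needsSlowPutIndexing(VM&) const;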
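--- a/branches/safari-607-branch/Source/_javascript_Core/runtime/Structure.cpp
+++ b/branches/safari-607-branch/Source/_javascript_Core/runtime/Structure.cpp
@@ -321,6 +321,11 @@
 return result;
 }
+bool Structure::isValidPrototype(JSValue prototype)
+{
+ return prototype.isNull() || (prototype.isObject() && prototype.getObject()->mayBePrototype());
+}
+
 void Structure::findStructuresAndMapForMaterialization(Vector<Structure*, 8>& structures, Structure*& structure, PropertyTable*& table)
 {
 ASSERT(structures.isEmpty());
@@ -543,7 +548,7 @@
 Structure* Structure::changePrototypeTransition(VM& vm, Structure* structure, JSValue prototype, DeferredStructureTransitionWatchpointFire& deferred)
 {
- ASSERT(prototype.isObject() || prototype.isNull());
+ ASSERT(isValidPrototype(prototype));
 DeferGC deferGC(vm.heap);
 Structure* transition = create(vm, structure, &deferred);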
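Review bot: `isValidPrototype` (first hunk) has no comment stating the contract it encodes, and since it is now the single predicate behind the assertions here, in `finishCreation` (Structure.h) and in `setPrototypeWithoutTransition` (StructureInlines.h), it should have one; I would put `// A prototype value is acceptable only if it is null or an object for which mayBePrototype() holds. An empty JSValue is rejected here; callers that allow it (finishCreation) must filter it first.` above the definition. Every use of the predicate visible in this commit sits inside ASSERT, so in release builds nothing rejects a prototype that fails it — that matches the checks it replaces, but the ChangeLog should say so if that is intended. The body of changePrototypeTransition continues past the second hunk.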
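--- a/branches/safari-607-branch/Source/_javascript_Core/runtime/Structure.h
+++ b/branches/safari-607-branch/Source/_javascript_Core/runtime/Structure.h
@@ -138,11 +138,13 @@
 return &vm.structureSpace;
 }
+ JS_EXPORT_PRIVATE static bool isValidPrototype(JSValue);
+
 protected:
 void finishCreation(VM& vm)
 {
 Base::finishCreation(vm);
- ASSERT(m_prototype.get().isEmpty() || m_prototype.isObject() || m_prototype.isNull());
+ ASSERT(m_prototype.get().isEmpty() || isValidPrototype(m_prototype.get()));
 }
 void finishCreation(VM& vm, const Structure* previous)
@@ -786,16 +788,4 @@
 uint32_t m_propertyHash;
 };
-// We deliberately put Structure::create here in Structure.h instead of StructureInlines.h, because
-// it is used everywhere. This is so we don't have to hunt down all the places where we would need
-// to #include StructureInlines.h otherwise.
-inline Structure* Structure::create(VM& vm, JSGlobalObject* globalObject, JSValue prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity)
-{
- ASSERT(vm.structureStructure);
- ASSERT(classInfo);
- Structure* structure = new (NotNull, allocateCell<Structure>(vm.heap)) Structure(vm, globalObject, prototype, typeInfo, classInfo, indexingType, inlineCapacity);
- structure->finishCreation(vm);
- return structure;
-}
-
 } // namespace JSC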
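Review bot: Removing the `Structure::create` definition from this header (second hunk) changes what every creating translation unit must include, and the deleted comment records that it lived here precisely because it is used everywhere; a caller that includes only Structure.h now sees an inline function that is declared but never defined, which surfaces as a link error or, at best, a compiler warning, and this diff cannot show that no such caller remains. I would either confirm every `Structure::create` call site already includes StructureInlines.h, or leave a pointer where the old definition was, e.g. `// Structure::create is defined in StructureInlines.h; include that header wherever a Structure is created.`. The new declaration in the first hunk would also benefit from a one-line contract comment (`// Null, or an object for which mayBePrototype() holds.`).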
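--- a/branches/safari-607-branch/Source/_javascript_Core/runtime/StructureInlines.h
+++ b/branches/safari-607-branch/Source/_javascript_Core/runtime/StructureInlines.h
@@ -34,6 +34,20 @@
 namespace JSC {
+inline Structure* Structure::create(VM& vm, JSGlobalObject* globalObject, JSValue prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity)
+{
+ ASSERT(vm.structureStructure);
+ ASSERT(classInfo);
+ if (auto* object = prototype.getObject()) {
+ ASSERT(!object->anyObjectInChainMayInterceptIndexedAccesses(vm) || hasSlowPutArrayStorage(indexingType) || !hasIndexedProperties(indexingType));
+ object->didBecomePrototype();
+ }
+
+ Structure* structure = new (NotNull, allocateCell<Structure>(vm.heap)) Structure(vm, globalObject, prototype, typeInfo, classInfo, indexingType, inlineCapacity);
+ structure->finishCreation(vm);
+ return structure;
+}
+
 inline Structure* Structure::createStructure(VM& vm)
 {
 ASSERT(!vm.structureStructure);
@@ -492,6 +506,7 @@
 ALWAYS_INLINE void Structure::setPrototypeWithoutTransition(VM& vm, JSValue prototype)
 {
+ ASSERT(isValidPrototype(prototype));
 m_prototype.set(vm, this, prototype);
 }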
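Review bot: The new block in `create` (first hunk) pairs a debug-only ASSERT with a release-build side effect, `object->didBecomePrototype()`, and neither line says why the indexing type is constrained, so a reader cannot tell what the assertion protects; I would precede it with `// The indexing type must be compatible with the prototype chain: if any object in the chain may intercept indexed accesses, only SlowPut array storage, or no indexed storage at all, is allowed (see anyObjectInChainMayInterceptIndexedAccesses).` and mark the call with `// Marking happens unconditionally, in release builds too.`. Note that `finishCreation` in Structure.h still admits an empty `m_prototype`, while this code calls `prototype.getObject()` without an `isEmpty()` guard — if any caller passes an empty JSValue, it is worth confirming that `getObject()` yields nullptr for the empty value rather than treating it as a cell; that cannot be seen from this hunk. Since the only check that fails on a bad prototype is the ASSERT, a release build will still mark the object and build the Structure; if that is the intended contract it should be stated in the comment.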