Title: [295610] trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp
Revision
295610
Author
[email protected]
Date
2022-06-16 13:37:38 -0700 (Thu, 16 Jun 2022)

Log Message

AbsenceOfSetEffect property condition should mind put() overrides
https://bugs.webkit.org/show_bug.cgi?id=241574
<rdar://91833733>

Reviewed by Yusuke Suzuki.

Since JSArray's "length" and RegExpObject's "lastIndex" may be reconfigured as non-writable,
we need to handle them separately in the AbsenceOfSetEffect property condition to ensure that the compiler
takes a slow path in that case, following the spec and throwing an exception in strict mode [1].

I'm not sure how to make a test case capturing this though.

[1]: https://tc39.es/ecma262/#sec-ordinarysetwithowndescriptor (step 2.a)

* Source/_javascript_Core/bytecode/PropertyCondition.cpp:
(JSC::nonStructurePropertyMayBecomeReadOnlyWithoutTransition):
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):

Canonical link: https://commits.webkit.org/251615@main
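The spec behaviour the log message relies on can be observed from plain JavaScript. The following is an added example, not part of the WebKit patch or its test suite: it builds an object whose prototype is an Array (or RegExp) whose "length" (or "lastIndex") has been reconfigured as non-writable, assigns through the prototype chain in strict mode, and checks that the assignment throws a TypeError rather than silently creating an own property. The warm-up iteration count in `reconfigureAfterWarmup` is an assumption about how one would exercise a tiered JIT; nothing here inspects JSC internals.

```javascript
// Added example (not from the WebKit patch). Exercises the OrdinarySet path
// the commit message cites: when the receiver has no own property, the set is
// forwarded to the prototype's [[Set]]; a non-writable data property there
// makes the assignment fail, which strict-mode code surfaces as a TypeError.

// Returns true if `obj[key] = value` throws a TypeError in strict mode,
// false if the assignment succeeds or throws something else.
function strictAssignThrows(obj, key, value) {
  "use strict";
  try {
    obj[key] = value;
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Case 1: an Array whose "length" was reconfigured as non-writable, used as
// the prototype of a plain object. The receiver must not gain an own
// "length", and the prototype's length must be untouched.
function arrayLengthCase() {
  const proto = [1, 2, 3];
  Object.defineProperty(proto, "length", { writable: false });
  const obj = Object.create(proto);
  return {
    throws: strictAssignThrows(obj, "length", 0),
    ownAfter: Object.prototype.hasOwnProperty.call(obj, "length"),
    protoLength: proto.length,
  };
}

// Case 2: a RegExp whose "lastIndex" was reconfigured as non-writable.
function regExpLastIndexCase() {
  const proto = /a/g;
  Object.defineProperty(proto, "lastIndex", { writable: false });
  const obj = Object.create(proto);
  return {
    throws: strictAssignThrows(obj, "lastIndex", 7),
    ownAfter: Object.prototype.hasOwnProperty.call(obj, "lastIndex"),
    protoLastIndex: proto.lastIndex,
  };
}

// Control: same shape with a writable prototype property. OrdinarySet creates
// an own data property on the receiver and nothing throws.
function writableControlCase() {
  const proto = [1, 2, 3];
  const obj = Object.create(proto);
  return {
    throws: strictAssignThrows(obj, "length", 0),
    ownAfter: Object.prototype.hasOwnProperty.call(obj, "length"),
    protoLength: proto.length,
  };
}

// Shape of a regression test for the compiled path: warm the assignment up
// while "length" is still writable (deleting the own property each time so the
// next assignment goes through the prototype again), then make the prototype's
// "length" non-writable and require the very next assignment to throw.
// `iterations` is an assumed warm-up count, not a JSC tier threshold.
function reconfigureAfterWarmup(iterations) {
  const proto = [];
  const obj = Object.create(proto);
  for (let i = 0; i < iterations; i++) {
    if (strictAssignThrows(obj, "length", i)) return false; // must not throw yet
    delete obj.length; // own property created by the set is configurable
  }
  Object.defineProperty(proto, "length", { writable: false });
  return strictAssignThrows(obj, "length", iterations);
}
```

Each of the three case functions returns a small record rather than printing, so the same checks can be run under a shell or a test harness; the non-writable cases must report `throws: true` with no own property created, and the control case the opposite.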

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp (295609 => 295610)


--- trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp	2022-06-16 20:33:04 UTC (rev 295609)
+++ trunk/Source/_javascript_Core/bytecode/PropertyCondition.cpp	2022-06-16 20:37:38 UTC (rev 295610)
@@ -69,6 +69,21 @@
     dumpInContext(out, nullptr);
 }
 
+ALWAYS_INLINE static bool nonStructurePropertyMayBecomeReadOnlyWithoutTransition(Structure* structure, UniquedStringImpl* uid)
+{
+    switch (structure->typeInfo().type()) {
+    case ArrayType:
+    case DerivedArrayType:
+        return uid == structure->vm().propertyNames->length.impl();
+
+    case RegExpObjectType:
+        return uid == structure->vm().propertyNames->lastIndex.impl();
+
+    default:
+        return false;
+    }
+}
+
 bool PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint(
     Concurrency concurrency, Structure* structure, JSObject* base) const
 {
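Review bot: the helper hard-codes two (object type, property) pairs with no comment saying where they come from; add a comment above `nonStructurePropertyMayBecomeReadOnlyWithoutTransition` pointing at the JSArray and RegExpObject put() overrides whose read-only handling this mirrors, so that anyone adding another put() override that can refuse a write without a structure transition knows this list has to grow with it. The same comment should say why `DerivedArrayType` shares the `length` case with `ArrayType`, since nothing in the hunk explains it.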
@@ -173,6 +188,10 @@
                 }
                 return false;
             }
+        } else if (nonStructurePropertyMayBecomeReadOnlyWithoutTransition(structure, uid())) {
+            if (PropertyConditionInternal::verbose)
+                dataLog("Invalid because its put() override may treat ", uid(), " property as read-only.\n");
+            return false;
         }
 
         if (structure->hasPolyProto()) {
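Review bot: the new check is chained as an `else if` onto a condition whose head is outside the hunk, so it is skipped whenever that preceding branch is taken; confirm that the preceding branch cannot itself be reached for an Array `length` or RegExp `lastIndex` condition, or move the `nonStructurePropertyMayBecomeReadOnlyWithoutTransition` test ahead of it as an independent `if`. The `return false` is also unconditional on the condition kind as far as the hunk shows, so it is worth stating in a comment that this block is the AbsenceOfSetEffect case the log message describes.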
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes