Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 39476b8c83f0ac6c9a06582e4d8e5aef0bb0a88f
      
https://github.com/WebKit/WebKit/commit/39476b8c83f0ac6c9a06582e4d8e5aef0bb0a88f
  Author: Alexey Shvayka <[email protected]>
  Date:   2023-05-01 (Mon, 01 May 2023)

  Changed paths:
    A JSTests/stress/define-property-on-receiver-slow-proxy-set-missing-trap.js
    A JSTests/stress/define-property-on-receiver-slow-super-set-property-2.js
    A JSTests/stress/define-property-on-receiver-slow-super-set-property.js
    M JSTests/stress/ordinary-set-exceptions.js
    M Source/JavaScriptCore/runtime/JSObject.cpp

  Log Message:
  -----------
  [JSC] definePropertyOnReceiver() doesn't account for put_by_val_with_this bytecode op
https://bugs.webkit.org/show_bug.cgi?id=256172
<rdar://problem/108750872>

Reviewed by Yusuke Suzuki.

The OrdinarySet revamp in https://webkit.org/b/217916 assumed that there are only 2 cases to take the slow path
for altered receivers: overridden [[Set]] in prototype chain and Reflect.set(). I thought that it's unobservable
to take the fast path otherwise since overridden methods were already called.

However, the third case was missed: put_by_val_with_this bytecode op, which is emitted for setting a property
on `super` base, and with https://webkit.org/b/252602, for ProxyObjectStore IC when the trap is missing.

Among other minor web compatibility bugs, missing that case caused properties to be put right on ProxyObject's
structure, where they are unaccessible, skipping calls to "set" and "defineProperty" traps.

This change relaxes the condition for taking the definePropertyOnReceiverSlow() while ensuring all common
[[Set]] targets like JSArray or `class X extends Y {}` are just as fast.

Regresses the Speedometer2/Flight-TodoMVC by 12-16%, which was recently falsely progressed only as a result
of skipping observable puts that other engines do perform.

* JSTests/stress/define-property-on-receiver-slow-proxy-set-missing-trap.js: Added.
* JSTests/stress/define-property-on-receiver-slow-super-set-property.js: Added.
* JSTests/stress/define-property-on-receiver-slow-super-set-property-2.js: Added.
* JSTests/stress/ordinary-set-exceptions.js: Updated error messages.
* Source/JavaScriptCore/runtime/JSObject.cpp:
(JSC::canDefinePropertyOnReceiverFast):
(JSC::JSObject::definePropertyOnReceiver):

Canonical link: https://commits.webkit.org/263559@main


_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
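
The observable behaviour the log message refers to, as an added example (not the JSTests added by this commit, which are not shown here): with a Proxy as receiver and no "set" trap in its handler, the `getOwnPropertyDescriptor` and `defineProperty` traps must still fire, both for a plain assignment and for a store on a `super` base. The helper names `makeLoggedProxy`, `proxySetMissingTrap` and `superSetWithProxyReceiver` are hypothetical; the expected trap order follows the ECMAScript OrdinarySet steps.

```javascript
// Added example, not WebKit's own test code. All names here are hypothetical.

// Proxy whose handler deliberately has NO "set" trap, so [[Set]] falls
// through to the target with the proxy kept as the receiver.
function makeLoggedProxy(target, log) {
  return new Proxy(target, {
    getOwnPropertyDescriptor(t, key) {
      log.push(`getOwnPropertyDescriptor:${String(key)}`);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
    defineProperty(t, key, desc) {
      log.push(`defineProperty:${String(key)}`);
      return Reflect.defineProperty(t, key, desc);
    },
  });
}

// Case 1: plain assignment through a proxy with a missing "set" trap.
function proxySetMissingTrap() {
  const log = [];
  const target = {};
  const proxy = makeLoggedProxy(target, log);
  proxy.foo = 1;
  return { log, onTarget: target.foo, viaProxy: proxy.foo };
}

// Case 2: store on a `super` base while `this` (the receiver) is a proxy.
class Base {}
class Derived extends Base {
  setViaSuper(key, value) {
    super[key] = value; // [[Set]] runs on Base.prototype, receiver is `this`
  }
}

function superSetWithProxyReceiver() {
  const log = [];
  const target = {};
  const proxy = makeLoggedProxy(target, log);
  Derived.prototype.setViaSuper.call(proxy, "bar", 2);
  return { log, onTarget: target.bar, viaProxy: proxy.bar };
}

// A conforming engine logs both traps in each case, and the value is
// readable back through the proxy because the trap forwarded it to the target.
console.log(proxySetMissingTrap(), superSetWithProxyReceiver());
```

An engine that takes the fast path here would leave `log` empty and `viaProxy` undefined, which is what makes the skipped traps detectable from script.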
