[webkit-changes] [110396] trunk

[barraclough]

Title: [110396] trunk

Revision

110396

Author

barraclo...@apple.com

Date

2012-03-11 11:58:04 -0700 (Sun, 11 Mar 2012)

Log Message

Source/_javascript_Core: LLInt should support JSVALUE64
https://bugs.webkit.org/show_bug.cgi?id=79609
<rdar://problem/10063437>

Patch by Filip Pizlo <fpi...@apple.com> on 2012-03-10
Reviewed by Gavin Barraclough and Oliver Hunt.
        
Ported the LLInt, which previously only worked on 32-bit, to 64-bit. This
patch moves a fair bit of code from LowLevelInterpreter32_64.asm to the common
file, LowLevelInterpreter.asm. About 1/3 of the LLInt did not have to be
specialized for value representation.
        
Also made some minor changes to offlineasm and the slow-paths.

* llint/LLIntData.cpp:
(JSC::LLInt::Data::performAssertions):
* llint/LLIntEntrypoints.cpp:
* llint/LLIntSlowPaths.cpp:
(LLInt):
(JSC::LLInt::llint_trace_value):
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
(JSC::LLInt::jitCompileAndSetHeuristics):
* llint/LLIntSlowPaths.h:
(LLInt):
(SlowPathReturnType):
(JSC::LLInt::SlowPathReturnType::SlowPathReturnType):
(JSC::LLInt::encodeResult):
* llint/LLIntThunks.cpp:
* llint/LowLevelInterpreter.asm:
* llint/LowLevelInterpreter32_64.asm:
* llint/LowLevelInterpreter64.asm:
* offlineasm/armv7.rb:
* offlineasm/asm.rb:
* offlineasm/ast.rb:
* offlineasm/backends.rb:
* offlineasm/instructions.rb:
* offlineasm/parser.rb:
* offlineasm/registers.rb:
* offlineasm/transform.rb:
* offlineasm/x86.rb:
* wtf/Platform.h:

LayoutTests: Object.freeze broken on latest Nightly
https://bugs.webkit.org/show_bug.cgi?id=80577

Reviewed by Oliver Hunt.

* fast/js/preventExtensions-expected.txt:
* fast/js/script-tests/preventExtensions.js:
    - Added test cases.

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/LayoutTests/fast/js/preventExtensions-expected.txt
• trunk/LayoutTests/fast/js/script-tests/preventExtensions.js
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/runtime/JSFunction.cpp

Diff

Modified: trunk/LayoutTests/ChangeLog (110395 => 110396)

--- trunk/LayoutTests/ChangeLog	2012-03-11 17:34:09 UTC (rev 110395)
+++ trunk/LayoutTests/ChangeLog	2012-03-11 18:58:04 UTC (rev 110396)
@@ -1,3 +1,14 @@
+2012-03-09  Gavin Barraclough  <barraclo...@apple.com>
+
+        Object.freeze broken on latest Nightly
+        https://bugs.webkit.org/show_bug.cgi?id=80577
+
+        Reviewed by Oliver Hunt.
+
+        * fast/js/preventExtensions-expected.txt:
+        * fast/js/script-tests/preventExtensions.js:
+            - Added test cases.
+
 2012-03-11  Pavel Feldman  <pfeld...@chromium.org>
 
         Web Inspector: console.log attempts to substitute any "%" character in the message.

Modified: trunk/LayoutTests/fast/js/preventExtensions-expected.txt (110395 => 110396)

--- trunk/LayoutTests/fast/js/preventExtensions-expected.txt	2012-03-11 17:34:09 UTC (rev 110395)
+++ trunk/LayoutTests/fast/js/preventExtensions-expected.txt	2012-03-11 18:58:04 UTC (rev 110396)
@@ -18,8 +18,13 @@
 PASS var arr = Object.preventExtensions([]); arr[0] = 42; arr.length is 0
 PASS "use strict"; var arr = Object.preventExtensions([]); arr[0] = 42; arr[0] threw exception TypeError: Attempted to assign to readonly property..
 PASS obj.foo is 1
+PASS Object.isFrozen(func) is true
+PASS func.prototype === 42 is false
+PASS Object.getOwnPropertyDescriptor(func, "prototype").writable is false
+PASS Object.isFrozen(array) is true
 PASS array[0] is 0
 PASS Object.getOwnPropertyDescriptor(array, "length").writable is false
+PASS Object.isFrozen(args) is true
 PASS args[0] is 0
 PASS Object.getOwnPropertyDescriptor(args, "length").writable is false
 PASS Object.getOwnPropertyDescriptor(args, "callee").writable is false

Modified: trunk/LayoutTests/fast/js/script-tests/preventExtensions.js (110395 => 110396)

--- trunk/LayoutTests/fast/js/script-tests/preventExtensions.js	2012-03-11 17:34:09 UTC (rev 110395)
+++ trunk/LayoutTests/fast/js/script-tests/preventExtensions.js	2012-03-11 18:58:04 UTC (rev 110396)
@@ -89,14 +89,23 @@
 obj.foo = 2;
 shouldBe('obj.foo', '1');
 
+// Check that freezing a function works correctly.
+var func = freeze(function foo(){});
+shouldBeTrue('Object.isFrozen(func)')
+func.prototype = 42;
+shouldBeFalse('func.prototype === 42');
+shouldBeFalse('Object.getOwnPropertyDescriptor(func, "prototype").writable')
+
 // Check that freezing array objects works correctly.
 var array = freeze([0,1,2]);
+shouldBeTrue('Object.isFrozen(array)')
 array[0] = 3;
 shouldBe('array[0]', '0');
 shouldBeFalse('Object.getOwnPropertyDescriptor(array, "length").writable')
 
 // Check that freezing arguments objects works correctly.
 var args = freeze((function(){ return arguments; })(0,1,2));
+shouldBeTrue('Object.isFrozen(args)')
 args[0] = 3;
 shouldBe('args[0]', '0');
 shouldBeFalse('Object.getOwnPropertyDescriptor(args, "length").writable')

Modified: trunk/Source/_javascript_Core/ChangeLog (110395 => 110396)

--- trunk/Source/_javascript_Core/ChangeLog	2012-03-11 17:34:09 UTC (rev 110395)
+++ trunk/Source/_javascript_Core/ChangeLog	2012-03-11 18:58:04 UTC (rev 110396)
@@ -81,6 +81,22 @@
 
 2012-03-09  Gavin Barraclough  <barraclo...@apple.com>
 
+        Object.freeze broken on latest Nightly
+        https://bugs.webkit.org/show_bug.cgi?id=80577
+
+        Reviewed by Oliver Hunt.
+
+        The problem here is that deleteProperty rejects deletion of prototype.
+        This is correct in most cases, however defineOwnPropery is presently
+        implemented internally to ensure the attributes change by deleting the
+        old property, and creating a new one.
+
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::deleteProperty):
+            - If deletePropery is called via defineOwnPropery, allow old prototype to be removed.
+
+2012-03-09  Gavin Barraclough  <barraclo...@apple.com>
+
         Array.prototype.toLocaleString visits elements in wrong order under certain conditions
         https://bugs.webkit.org/show_bug.cgi?id=80663
 

Modified: trunk/Source/_javascript_Core/runtime/JSFunction.cpp (110395 => 110396)

--- trunk/Source/_javascript_Core/runtime/JSFunction.cpp	2012-03-11 17:34:09 UTC (rev 110395)
+++ trunk/Source/_javascript_Core/runtime/JSFunction.cpp	2012-03-11 18:58:04 UTC (rev 110396)
@@ -348,9 +348,12 @@
 bool JSFunction::deleteProperty(JSCell* cell, ExecState* exec, const Identifier& propertyName)
 {
     JSFunction* thisObject = jsCast<JSFunction*>(cell);
-    if (thisObject->isHostFunction())
-        return Base::deleteProperty(thisObject, exec, propertyName);
-    if (propertyName == exec->propertyNames().arguments || propertyName == exec->propertyNames().length || propertyName == exec->propertyNames().prototype || propertyName == exec->propertyNames().caller)
+    // For non-host functions, don't let these properties by deleted - except by DefineOwnProperty.
+    if (!thisObject->isHostFunction() && !exec->globalData().isInDefineOwnProperty()
+        && (propertyName == exec->propertyNames().arguments
+            || propertyName == exec->propertyNames().length
+            || propertyName == exec->propertyNames().prototype
+            || propertyName == exec->propertyNames().caller))
         return false;
     return Base::deleteProperty(thisObject, exec, propertyName);
 }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes