From 1f8a9f66cf95c3ea5a8819c87157ac00d4b1ef0c Mon Sep 17 00:00:00 2001 From: Filip Pizlo Date: Thu, 21 Mar 2013 18:13:57 +0100 Subject: Named lookups on HTML documents produce inconsistent results in JavaScriptCore bindings https://bugs.webkit.org/show_bug.cgi?id=104623 Reviewed by Geoffrey Garen. Source/JavaScriptCore: Add the notion of objects that HasImpureGetOwnPropertySlot, and use that to inhibit prototype chain caching in some cases. This appears to be perf-neutral on benchmarks that we track. * dfg/DFGRepatch.cpp: (JSC::DFG::tryCacheGetByID): (JSC::DFG::tryBuildGetByIDProtoList): * jit/JITStubs.cpp: (JSC::JITThunks::tryCacheGetByID): (JSC::DEFINE_STUB_FUNCTION): * runtime/JSTypeInfo.h: (JSC): (JSC::TypeInfo::hasImpureGetOwnPropertySlot): * runtime/Operations.h: (JSC::normalizePrototypeChainForChainAccess): Source/WebCore: All DOM objects that have named getters or directly override getOwnPropertySlot are now marked as HasImpureGetOwnPropertySlot. Tests: fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps * bindings/scripts/CodeGeneratorJS.pm: (GenerateHeader): LayoutTests: * fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-expected.txt: Added. * fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.html: Added. * fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps-expected.txt: Added. * fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps.html: Added. * fast/js/script-tests/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.js: Added. (f): * fast/js/script-tests/prototype-chain-caching-with-impure-get-own-property-slot-traps.js: Added. (f): Change-Id: Ie17e39f2b8139778455e28aca9428698f4dd362f git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137700 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/runtime/Operations.h | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'Source/JavaScriptCore/runtime/Operations.h') diff --git a/Source/JavaScriptCore/runtime/Operations.h b/Source/JavaScriptCore/runtime/Operations.h index 7301bf6ec..8e0a0a393 100644 --- a/Source/JavaScriptCore/runtime/Operations.h +++ b/Source/JavaScriptCore/runtime/Operations.h @@ -302,15 +302,18 @@ namespace JSC { #define InvalidPrototypeChain (std::numeric_limits::max()) - inline size_t normalizePrototypeChain(CallFrame* callFrame, JSValue base, JSValue slotBase, const Identifier& propertyName, PropertyOffset& slotOffset) + inline size_t normalizePrototypeChainForChainAccess(CallFrame* callFrame, JSValue base, JSValue slotBase, const Identifier& propertyName, PropertyOffset& slotOffset) { JSCell* cell = base.asCell(); size_t count = 0; - + while (slotBase != cell) { if (cell->isProxy()) return InvalidPrototypeChain; + if (cell->structure()->typeInfo().hasImpureGetOwnPropertySlot()) + return InvalidPrototypeChain; + JSValue v = cell->structure()->prototypeForLookup(callFrame); // If we didn't find slotBase in base's prototype chain, then base @@ -328,7 +331,7 @@ namespace JSC { if (slotBase == cell) slotOffset = cell->structure()->get(callFrame->globalData(), propertyName); } - + ++count; } -- cgit v1.2.1