Changeset 210146 in webkit

Timestamp:

Dec 24, 2016 1:26:22 PM (7 years ago)

Author:

commit-queue@webkit.org

Message:

[test262] Fixing mapped arguments object property test case
​https://bugs.webkit.org/show_bug.cgi?id=159398

Patch by Caio Lima <Caio Lima> on 2016-12-24
Reviewed by Saam Barati.

JSTests:

• stress/arguments-bizarre-behaviour-disable-enumerability.js:
• stress/arguments-define-property.js: Added.

(assert):
(testProperties):

• stress/arguments-non-configurable.js: Added.

(assert):
(tryChangeNonConfigurableDescriptor):
(set tryChangeNonConfigurableDescriptor):
(tryChangeWritableOfNonConfigurableDescriptor):

• test262.yaml:

Source/JavaScriptCore:

This patch changes GenericArguments' override mechanism to
implement corret behavior on ECMAScript test262 suite test cases of
mapped arguments object with non-configurable and non-writable
property. Also it is ensuring that arguments[i]
cannot be deleted when argument "i" is {configurable: false}.

The previous implementation is against to the specification for 2 reasons:

1. Every argument in arguments object are {writable: true} by default (​http://www.ecma-international.org/ecma-262/7.0/index.html#sec-createunmappedargumentsobject). It means that we have to stop mapping a defined property index if the new property descriptor contains writable (i.e writable is present) and its value is false (also check ​https://tc39.github.io/ecma262/#sec-arguments-exotic-objects-defineownproperty-p-desc). Previous implementation considers {writable: false} if writable is not present.

2. When a property is overriden, "delete" operation is always returning true. However delete operations should follow the specification.

We created an auxilary boolean array named m_modifiedArgumentsDescriptor
to store which arguments[i] descriptor was changed from its default
property descriptor. This modification was necessary because m_overrides
was responsible to keep this information at the same time
of keeping information about arguments mapping. The problem of this apporach was
that we needed to call overridesArgument(i) as soon as the ith argument's property
descriptor was changed and it stops the argument's mapping as sideffect, producing
wrong behavior.
To keep tracking arguments mapping status, we renamed DirectArguments::m_overrides to
DirectArguments::m_mappedArguments and now we it is responsible to manage if an
argument[i] is mapped or not.
With these 2 structures, now it is possible to an argument[i] have its property
descriptor modified and don't stop the mapping as soon as it happens. One example
of that wrong behavior can be found on arguments-bizarre-behaviour-disable-enumerability
test case, that now is fixed by this new mechanism.

• bytecode/PolymorphicAccess.cpp:

(JSC::AccessCase::generateWithGuard):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
(JSC::DFG::SpeculativeJIT::compileGetArrayLength):
(JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):

• ftl/FTLAbstractHeapRepository.h:
• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):

• jit/JITOperations.cpp:

(JSC::canAccessArgumentIndexQuickly):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitDirectArgumentsGetByVal):

• runtime/DirectArguments.cpp:

(JSC::DirectArguments::estimatedSize):
(JSC::DirectArguments::visitChildren):
(JSC::DirectArguments::overrideThings):
(JSC::DirectArguments::overrideThingsIfNecessary):
(JSC::DirectArguments::unmapArgument):
(JSC::DirectArguments::copyToArguments):
(JSC::DirectArguments::overridesSize):
(JSC::DirectArguments::overrideArgument): Deleted.

• runtime/DirectArguments.h:

(JSC::DirectArguments::length):
(JSC::DirectArguments::isMappedArgument):
(JSC::DirectArguments::isMappedArgumentInDFG):
(JSC::DirectArguments::getIndexQuickly):
(JSC::DirectArguments::setIndexQuickly):
(JSC::DirectArguments::overrodeThings):
(JSC::DirectArguments::initModifiedArgumentsDescriptorIfNecessary):
(JSC::DirectArguments::setModifiedArgumentDescriptor):
(JSC::DirectArguments::isModifiedArgumentDescriptor):
(JSC::DirectArguments::offsetOfMappedArguments):
(JSC::DirectArguments::offsetOfModifiedArgumentsDescriptor):
(JSC::DirectArguments::canAccessIndexQuickly): Deleted.
(JSC::DirectArguments::canAccessArgumentIndexQuicklyInDFG): Deleted.
(JSC::DirectArguments::offsetOfOverrides): Deleted.

• runtime/GenericArguments.h:
• runtime/GenericArgumentsInlines.h:

(JSC::GenericArguments<Type>::visitChildren):
(JSC::GenericArguments<Type>::getOwnPropertySlot):
(JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
(JSC::GenericArguments<Type>::getOwnPropertyNames):
(JSC::GenericArguments<Type>::put):
(JSC::GenericArguments<Type>::putByIndex):
(JSC::GenericArguments<Type>::deleteProperty):
(JSC::GenericArguments<Type>::deletePropertyByIndex):
(JSC::GenericArguments<Type>::defineOwnProperty):
(JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
(JSC::GenericArguments<Type>::initModifiedArgumentsDescriptorIfNecessary):
(JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
(JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
(JSC::GenericArguments<Type>::copyToArguments):

• runtime/ScopedArguments.cpp:

(JSC::ScopedArguments::visitChildren):
(JSC::ScopedArguments::unmapArgument):
(JSC::ScopedArguments::overrideArgument): Deleted.

• runtime/ScopedArguments.h:

(JSC::ScopedArguments::isMappedArgument):
(JSC::ScopedArguments::isMappedArgumentInDFG):
(JSC::ScopedArguments::getIndexQuickly):
(JSC::ScopedArguments::setIndexQuickly):
(JSC::ScopedArguments::initModifiedArgumentsDescriptorIfNecessary):
(JSC::ScopedArguments::setModifiedArgumentDescriptor):
(JSC::ScopedArguments::isModifiedArgumentDescriptor):
(JSC::ScopedArguments::canAccessIndexQuickly): Deleted.
(JSC::ScopedArguments::canAccessArgumentIndexQuicklyInDFG): Deleted.

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/arguments-bizarre-behaviour-disable-enumerability.js (modified) (1 diff)
• JSTests/stress/arguments-define-property.js (added)
• JSTests/stress/arguments-non-configurable.js (added)
• JSTests/test262.yaml (modified) (2 diffs)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (3 diffs)
• Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h (modified) (1 diff)
• Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (3 diffs)
• Source/JavaScriptCore/jit/JITOperations.cpp (modified) (2 diffs)
• Source/JavaScriptCore/jit/JITPropertyAccess.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/DirectArguments.cpp (modified) (6 diffs)
• Source/JavaScriptCore/runtime/DirectArguments.h (modified) (6 diffs)
• Source/JavaScriptCore/runtime/GenericArguments.h (modified) (2 diffs)
• Source/JavaScriptCore/runtime/GenericArgumentsInlines.h (modified) (12 diffs)
• Source/JavaScriptCore/runtime/ScopedArguments.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/ScopedArguments.h (modified) (4 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2016-12-24  Caio Lima  <ticaiolima@gmail.com>
+
+        [test262] Fixing mapped arguments object property test case
+        https://bugs.webkit.org/show_bug.cgi?id=159398
+
+        Reviewed by Saam Barati.
+
+        * stress/arguments-bizarre-behaviour-disable-enumerability.js:
+        * stress/arguments-define-property.js: Added.
+        (assert):
+        (testProperties):
+        * stress/arguments-non-configurable.js: Added.
+        (assert):
+        (tryChangeNonConfigurableDescriptor):
+        (set tryChangeNonConfigurableDescriptor):
+        (tryChangeWritableOfNonConfigurableDescriptor):
+        * test262.yaml:
+
+016-12-20  Caio Lima  <ticaiolima@gmail.com>
+
+        [test262] Fixing mapped arguments object property test case
+        https://bugs.webkit.org/show_bug.cgi?id=159398
+
+        Reviewed by .
+
+        * stress/arguments-bizarre-behaviour-disable-enumerability.js:
+        * stress/arguments-define-property.js: Added.
+        (assert):
+        (testProperties):
+        * stress/arguments-non-configurable.js: Added.
+        (assert):
+        (tryChangeNonConfigurableDescriptor):
+        (set tryChangeNonConfigurableDescriptor):
+        (tryChangeWritableOfNonConfigurableDescriptor):
+        * test262.yaml:
+
 2016-12-23  Keith Miller  <keith_miller@apple.com>
 

trunk/JSTests/stress/arguments-bizarre-behaviour-disable-enumerability.js

@@ -25 +25 @@
     throw new Error();
 
-// FIXME: This is totally weird!
-// https://bugs.webkit.org/show_bug.cgi?id=141952
-if (Object.getOwnPropertyDescriptor(result[2], 0).enumerable !== true)
+if (Object.getOwnPropertyDescriptor(result[2], 0).enumerable === true)
     throw new Error();

trunk/JSTests/test262.yaml

@@ -51365 +51365 @@
   cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
 - path: test262/test/language/arguments-object/mapped/mapped-arguments-nonconfigurable-2.js
-  cmd: runTest262 :fail, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
+  cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
 - path: test262/test/language/arguments-object/mapped/mapped-arguments-nonconfigurable-3.js
-  cmd: runTest262 :fail, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
+  cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
 - path: test262/test/language/arguments-object/mapped/mapped-arguments-nonconfigurable-4.js
-  cmd: runTest262 :fail, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
+  cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
 - path: test262/test/language/arguments-object/mapped/mapped-arguments-nonconfigurable-delete-1.js
   cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
 - path: test262/test/language/arguments-object/mapped/mapped-arguments-nonconfigurable-delete-2.js
-  cmd: runTest262 :fail, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
+  cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
 - path: test262/test/language/arguments-object/mapped/mapped-arguments-nonconfigurable-delete-3.js
-  cmd: runTest262 :fail, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
+  cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
 - path: test262/test/language/arguments-object/mapped/mapped-arguments-nonconfigurable-delete-4.js
-  cmd: runTest262 :fail, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
+  cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
 - path: test262/test/language/arguments-object/mapped/mapped-arguments-nonconfigurable-nonwritable-1.js
   cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
@@ -51383 +51383 @@
   cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
 - path: test262/test/language/arguments-object/mapped/mapped-arguments-nonconfigurable-nonwritable-3.js
-  cmd: runTest262 :fail, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
+  cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
 - path: test262/test/language/arguments-object/mapped/mapped-arguments-nonconfigurable-nonwritable-4.js
-  cmd: runTest262 :fail, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
+  cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
 - path: test262/test/language/arguments-object/mapped/mapped-arguments-nonconfigurable-nonwritable-5.js
-  cmd: runTest262 :fail, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
+  cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
 - path: test262/test/language/arguments-object/mapped/mapped-arguments-nonconfigurable-strict-delete-1.js
   cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
 - path: test262/test/language/arguments-object/mapped/mapped-arguments-nonconfigurable-strict-delete-2.js
-  cmd: runTest262 :fail, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
+  cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
 - path: test262/test/language/arguments-object/mapped/mapped-arguments-nonconfigurable-strict-delete-3.js
-  cmd: runTest262 :fail, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
+  cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
 - path: test262/test/language/arguments-object/mapped/mapped-arguments-nonconfigurable-strict-delete-4.js
-  cmd: runTest262 :fail, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
+  cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []
 - path: test262/test/language/arguments-object/mapped/mapped-arguments-nonwritable-nonconfigurable-1.js
   cmd: runTest262 :normal, "NoException", ["../../../../harness/assert.js", "../../../../harness/sta.js"], []

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-12-24  Caio Lima  <ticaiolima@gmail.com>
+
+        [test262] Fixing mapped arguments object property test case
+        https://bugs.webkit.org/show_bug.cgi?id=159398
+
+        Reviewed by Saam Barati.
+
+        This patch changes GenericArguments' override mechanism to
+        implement corret behavior on ECMAScript test262 suite test cases of
+        mapped arguments object with non-configurable and non-writable
+        property. Also it is ensuring that arguments[i]
+        cannot be deleted when argument "i" is {configurable: false}.
+        
+        The previous implementation is against to the specification for 2 reasons:
+
+        1. Every argument in arguments object are {writable: true} by default
+           (http://www.ecma-international.org/ecma-262/7.0/index.html#sec-createunmappedargumentsobject).
+           It means that we have to stop mapping a defined property index
+           if the new property descriptor contains writable (i.e writable is
+           present) and its value is false (also check
+           https://tc39.github.io/ecma262/#sec-arguments-exotic-objects-defineownproperty-p-desc).
+           Previous implementation considers {writable: false} if writable is
+           not present.
+
+        2. When a property is overriden, "delete" operation is always returning true. However
+           delete operations should follow the specification.
+
+        We created an auxilary boolean array named m_modifiedArgumentsDescriptor
+        to store which arguments[i] descriptor was changed from its default
+        property descriptor. This modification was necessary because m_overrides
+        was responsible to keep this information at the same time
+        of keeping information about arguments mapping. The problem of this apporach was
+        that we needed to call overridesArgument(i) as soon as the ith argument's property
+        descriptor was changed and it stops the argument's mapping as sideffect, producing
+        wrong behavior.
+        To keep tracking arguments mapping status, we renamed DirectArguments::m_overrides to
+        DirectArguments::m_mappedArguments and now we it is responsible to manage if an
+        argument[i] is mapped or not.
+        With these 2 structures, now it is possible to an argument[i] have its property 
+        descriptor modified and don't stop the mapping as soon as it happens. One example
+        of that wrong behavior can be found on arguments-bizarre-behaviour-disable-enumerability
+        test case, that now is fixed by this new mechanism.
+
+        * bytecode/PolymorphicAccess.cpp:
+        (JSC::AccessCase::generateWithGuard):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
+        (JSC::DFG::SpeculativeJIT::compileGetArrayLength):
+        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
+        * ftl/FTLAbstractHeapRepository.h:
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
+        * jit/JITOperations.cpp:
+        (JSC::canAccessArgumentIndexQuickly):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitDirectArgumentsGetByVal):
+        * runtime/DirectArguments.cpp:
+        (JSC::DirectArguments::estimatedSize):
+        (JSC::DirectArguments::visitChildren):
+        (JSC::DirectArguments::overrideThings):
+        (JSC::DirectArguments::overrideThingsIfNecessary):
+        (JSC::DirectArguments::unmapArgument):
+        (JSC::DirectArguments::copyToArguments):
+        (JSC::DirectArguments::overridesSize):
+        (JSC::DirectArguments::overrideArgument): Deleted.
+        * runtime/DirectArguments.h:
+        (JSC::DirectArguments::length):
+        (JSC::DirectArguments::isMappedArgument):
+        (JSC::DirectArguments::isMappedArgumentInDFG):
+        (JSC::DirectArguments::getIndexQuickly):
+        (JSC::DirectArguments::setIndexQuickly):
+        (JSC::DirectArguments::overrodeThings):
+        (JSC::DirectArguments::initModifiedArgumentsDescriptorIfNecessary):
+        (JSC::DirectArguments::setModifiedArgumentDescriptor):
+        (JSC::DirectArguments::isModifiedArgumentDescriptor):
+        (JSC::DirectArguments::offsetOfMappedArguments):
+        (JSC::DirectArguments::offsetOfModifiedArgumentsDescriptor):
+        (JSC::DirectArguments::canAccessIndexQuickly): Deleted.
+        (JSC::DirectArguments::canAccessArgumentIndexQuicklyInDFG): Deleted.
+        (JSC::DirectArguments::offsetOfOverrides): Deleted.
+        * runtime/GenericArguments.h:
+        * runtime/GenericArgumentsInlines.h:
+        (JSC::GenericArguments<Type>::visitChildren):
+        (JSC::GenericArguments<Type>::getOwnPropertySlot):
+        (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
+        (JSC::GenericArguments<Type>::getOwnPropertyNames):
+        (JSC::GenericArguments<Type>::put):
+        (JSC::GenericArguments<Type>::putByIndex):
+        (JSC::GenericArguments<Type>::deleteProperty):
+        (JSC::GenericArguments<Type>::deletePropertyByIndex):
+        (JSC::GenericArguments<Type>::defineOwnProperty):
+        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
+        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptorIfNecessary):
+        (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
+        (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
+        (JSC::GenericArguments<Type>::copyToArguments):
+        * runtime/ScopedArguments.cpp:
+        (JSC::ScopedArguments::visitChildren):
+        (JSC::ScopedArguments::unmapArgument):
+        (JSC::ScopedArguments::overrideArgument): Deleted.
+        * runtime/ScopedArguments.h:
+        (JSC::ScopedArguments::isMappedArgument):
+        (JSC::ScopedArguments::isMappedArgumentInDFG):
+        (JSC::ScopedArguments::getIndexQuickly):
+        (JSC::ScopedArguments::setIndexQuickly):
+        (JSC::ScopedArguments::initModifiedArgumentsDescriptorIfNecessary):
+        (JSC::ScopedArguments::setModifiedArgumentDescriptor):
+        (JSC::ScopedArguments::isModifiedArgumentDescriptor):
+        (JSC::ScopedArguments::canAccessIndexQuickly): Deleted.
+        (JSC::ScopedArguments::canAccessArgumentIndexQuicklyInDFG): Deleted.
+
 2016-12-23  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp

@@ -639 +639 @@
             jit.branchTestPtr(
                 CCallHelpers::NonZero,
-                CCallHelpers::Address(baseGPR, DirectArguments::offsetOfOverrides())));
+                CCallHelpers::Address(baseGPR, DirectArguments::offsetOfMappedArguments())));
         jit.load32(
             CCallHelpers::Address(baseGPR, DirectArguments::offsetOfLength()),

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -6119 +6119 @@
         m_jit.branchTestPtr(
             MacroAssembler::NonZero,
-            MacroAssembler::Address(baseReg, DirectArguments::offsetOfOverrides())));
+            MacroAssembler::Address(baseReg, DirectArguments::offsetOfMappedArguments())));
     speculationCheck(
         ExoticObjectMode, JSValueSource(), 0,
@@ -6293 +6293 @@
             m_jit.branchTestPtr(
                 MacroAssembler::NonZero,
-                MacroAssembler::Address(baseReg, DirectArguments::offsetOfOverrides())));
+                MacroAssembler::Address(baseReg, DirectArguments::offsetOfMappedArguments())));
         
         m_jit.load32(
@@ -6659 +6659 @@
         
     m_jit.storePtr(
-        TrustedImmPtr(0), JITCompiler::Address(resultGPR, DirectArguments::offsetOfOverrides()));
+        TrustedImmPtr(0), JITCompiler::Address(resultGPR, DirectArguments::offsetOfMappedArguments()));
+
+    m_jit.storePtr(
+        TrustedImmPtr(0), JITCompiler::Address(resultGPR, DirectArguments::offsetOfModifiedArgumentsDescriptor()));
     
     if (lengthIsKnown) {

trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h

@@ -52 +52 @@
     macro(DirectArguments_length, DirectArguments::offsetOfLength()) \
     macro(DirectArguments_minCapacity, DirectArguments::offsetOfMinCapacity()) \
-    macro(DirectArguments_overrides, DirectArguments::offsetOfOverrides()) \
+    macro(DirectArguments_mappedArguments, DirectArguments::offsetOfMappedArguments()) \
+    macro(DirectArguments_modifiedArgumentsDescriptor, DirectArguments::offsetOfModifiedArgumentsDescriptor()) \
     macro(GetterSetter_getter, GetterSetter::offsetOfGetter()) \
     macro(GetterSetter_setter, GetterSetter::offsetOfSetter()) \

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -3141 +3141 @@
             speculate(
                 ExoticObjectMode, noValue(), nullptr,
-                m_out.notNull(m_out.loadPtr(arguments, m_heaps.DirectArguments_overrides)));
+                m_out.notNull(m_out.loadPtr(arguments, m_heaps.DirectArguments_mappedArguments)));
             setInt32(m_out.load32NonNegative(arguments, m_heaps.DirectArguments_length));
             return;
@@ -3293 +3293 @@
             speculate(
                 ExoticObjectMode, noValue(), nullptr,
-                m_out.notNull(m_out.loadPtr(base, m_heaps.DirectArguments_overrides)));
+                m_out.notNull(m_out.loadPtr(base, m_heaps.DirectArguments_mappedArguments)));
             speculate(
                 ExoticObjectMode, noValue(), nullptr,
@@ -4089 +4089 @@
         m_out.store32(length.value, fastObject, m_heaps.DirectArguments_length);
         m_out.store32(m_out.constInt32(minCapacity), fastObject, m_heaps.DirectArguments_minCapacity);
-        m_out.storePtr(m_out.intPtrZero, fastObject, m_heaps.DirectArguments_overrides);
+        m_out.storePtr(m_out.intPtrZero, fastObject, m_heaps.DirectArguments_mappedArguments);
+        m_out.storePtr(m_out.intPtrZero, fastObject, m_heaps.DirectArguments_modifiedArgumentsDescriptor);
         
         ValueFromBlock fastResult = m_out.anchor(fastObject);

trunk/Source/JavaScriptCore/jit/JITOperations.cpp

@@ -1621 +1621 @@
     case DirectArgumentsType: {
         DirectArguments* directArguments = jsCast<DirectArguments*>(&object);
-        if (directArguments->canAccessArgumentIndexQuicklyInDFG(index))
+        if (directArguments->isMappedArgumentInDFG(index))
             return true;
         break;
@@ -1627 +1627 @@
     case ScopedArgumentsType: {
         ScopedArguments* scopedArguments = jsCast<ScopedArguments*>(&object);
-        if (scopedArguments->canAccessArgumentIndexQuicklyInDFG(index))
+        if (scopedArguments->isMappedArgumentInDFG(index))
             return true;
         break;

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -1459 +1459 @@
     
     slowCases.append(branch32(AboveOrEqual, property, Address(base, DirectArguments::offsetOfLength())));
-    slowCases.append(branchTestPtr(NonZero, Address(base, DirectArguments::offsetOfOverrides())));
+    slowCases.append(branchTestPtr(NonZero, Address(base, DirectArguments::offsetOfMappedArguments())));
     
     zeroExtend32ToPtr(property, scratch);

trunk/Source/JavaScriptCore/runtime/DirectArguments.cpp

@@ -87 +87 @@
 {
     DirectArguments* thisObject = jsCast<DirectArguments*>(cell);
-    size_t overridesSize = thisObject->m_overrides ? thisObject->overridesSize() : 0;
-    return Base::estimatedSize(cell) + overridesSize;
+    size_t mappedArgumentsSize = thisObject->m_mappedArguments ? thisObject->mappedArgumentsSize() * sizeof(bool) : 0;
+    size_t modifiedArgumentsSize = thisObject->m_modifiedArgumentsDescriptor ? thisObject->m_length * sizeof(bool) : 0;
+    return Base::estimatedSize(cell) + mappedArgumentsSize + modifiedArgumentsSize;
 }
 
@@ -96 +97 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
     Base::visitChildren(thisObject, visitor);
-    
+
     visitor.appendValues(thisObject->storage(), std::max(thisObject->m_length, thisObject->m_minCapacity));
     visitor.append(thisObject->m_callee);
 
-    if (bool* override = thisObject->m_overrides.get())
-        visitor.markAuxiliary(override);
+    if (thisObject->m_mappedArguments)
+        visitor.markAuxiliary(thisObject->m_mappedArguments.get());
+    GenericArguments<DirectArguments>::visitChildren(thisCell, visitor);
 }
 
@@ -111 +113 @@
 void DirectArguments::overrideThings(VM& vm)
 {
-    RELEASE_ASSERT(!m_overrides);
+    RELEASE_ASSERT(!m_mappedArguments);
     
     putDirect(vm, vm.propertyNames->length, jsNumber(m_length), DontEnum);
@@ -117 +119 @@
     putDirect(vm, vm.propertyNames->iteratorSymbol, globalObject()->arrayProtoValuesFunction(), DontEnum);
     
-    void* backingStore = vm.heap.tryAllocateAuxiliary(this, overridesSize());
+    void* backingStore = vm.heap.tryAllocateAuxiliary(this, mappedArgumentsSize());
     RELEASE_ASSERT(backingStore);
     bool* overrides = static_cast<bool*>(backingStore);
-    m_overrides.set(vm, this, overrides);
+    m_mappedArguments.set(vm, this, overrides);
     for (unsigned i = m_length; i--;)
         overrides[i] = false;
@@ -127 +129 @@
 void DirectArguments::overrideThingsIfNecessary(VM& vm)
 {
-    if (!m_overrides)
+    if (!m_mappedArguments)
         overrideThings(vm);
 }
 
-void DirectArguments::overrideArgument(VM& vm, unsigned index)
+void DirectArguments::unmapArgument(VM& vm, unsigned index)
 {
     overrideThingsIfNecessary(vm);
-    m_overrides.get()[index] = true;
+    m_mappedArguments.get()[index] = true;
 }
 
 void DirectArguments::copyToArguments(ExecState* exec, VirtualRegister firstElementDest, unsigned offset, unsigned length)
 {
-    if (!m_overrides) {
+    if (!m_mappedArguments) {
         unsigned limit = std::min(length + offset, m_length);
         unsigned i;
@@ -153 +155 @@
 }
 
-unsigned DirectArguments::overridesSize()
+unsigned DirectArguments::mappedArgumentsSize()
 {
     // We always allocate something; in the relatively uncommon case of overriding an empty argument we
-    // still allocate so that m_overrides is non-null. We use that to indicate that the other properties
+    // still allocate so that m_mappedArguments is non-null. We use that to indicate that the other properties
     // (length, etc) are overridden.
     return WTF::roundUpToMultipleOf<8>(m_length ? m_length : 1);

trunk/Source/JavaScriptCore/runtime/DirectArguments.h

@@ -67 +67 @@
     uint32_t length(ExecState* exec) const
     {
-        if (UNLIKELY(m_overrides))
+        if (UNLIKELY(m_mappedArguments))
             return get(exec, exec->propertyNames().length).toUInt32(exec);
         return m_length;
     }
     
-    bool canAccessIndexQuickly(uint32_t i) const
+    bool isMappedArgument(uint32_t i) const
     {
-        return i < m_length && (!m_overrides || !m_overrides.get()[i]);
+        return i < m_length && (!m_mappedArguments || !m_mappedArguments.get()[i]);
     }
 
-    bool canAccessArgumentIndexQuicklyInDFG(uint32_t i) const
+    bool isMappedArgumentInDFG(uint32_t i) const
     {
         return i < m_length && !overrodeThings();
@@ -84 +84 @@
     JSValue getIndexQuickly(uint32_t i) const
     {
-        ASSERT_WITH_SECURITY_IMPLICATION(canAccessIndexQuickly(i));
+        ASSERT_WITH_SECURITY_IMPLICATION(isMappedArgument(i));
         return const_cast<DirectArguments*>(this)->storage()[i].get();
     }
@@ -90 +90 @@
     void setIndexQuickly(VM& vm, uint32_t i, JSValue value)
     {
-        ASSERT_WITH_SECURITY_IMPLICATION(canAccessIndexQuickly(i));
+        ASSERT_WITH_SECURITY_IMPLICATION(isMappedArgument(i));
         storage()[i].set(vm, this, value);
     }
@@ -107 +107 @@
     
     // Methods intended for use by the GenericArguments mixin.
-    bool overrodeThings() const { return !!m_overrides; }
+    bool overrodeThings() const { return !!m_mappedArguments; }
     void overrideThings(VM&);
     void overrideThingsIfNecessary(VM&);
-    void overrideArgument(VM&, unsigned index);
-    
+    void unmapArgument(VM&, unsigned index);
+
+    void initModifiedArgumentsDescriptorIfNecessary(VM& vm)
+    {
+        GenericArguments<DirectArguments>::initModifiedArgumentsDescriptorIfNecessary(vm, m_length);
+    }
+
+    void setModifiedArgumentDescriptor(VM& vm, unsigned index)
+    {
+        GenericArguments<DirectArguments>::setModifiedArgumentDescriptor(vm, index, m_length);
+    }
+
+    bool isModifiedArgumentDescriptor(unsigned index)
+    {
+        return GenericArguments<DirectArguments>::isModifiedArgumentDescriptor(index, m_length);
+    }
+
     void copyToArguments(ExecState*, VirtualRegister firstElementDest, unsigned offset, unsigned length);
 
@@ -121 +136 @@
     static ptrdiff_t offsetOfLength() { return OBJECT_OFFSETOF(DirectArguments, m_length); }
     static ptrdiff_t offsetOfMinCapacity() { return OBJECT_OFFSETOF(DirectArguments, m_minCapacity); }
-    static ptrdiff_t offsetOfOverrides() { return OBJECT_OFFSETOF(DirectArguments, m_overrides); }
+    static ptrdiff_t offsetOfMappedArguments() { return OBJECT_OFFSETOF(DirectArguments, m_mappedArguments); }
+    static ptrdiff_t offsetOfModifiedArgumentsDescriptor() { return OBJECT_OFFSETOF(DirectArguments, m_modifiedArgumentsDescriptor); }
     
     static size_t storageOffset()
@@ -144 +160 @@
     }
     
-    unsigned overridesSize();
+    unsigned mappedArgumentsSize();
     
     WriteBarrier<JSFunction> m_callee;
     uint32_t m_length; // Always the actual length of captured arguments and never what was stored into the length property.
     uint32_t m_minCapacity; // The max of this and length determines the capacity of this object. It may be the actual capacity, or maybe something smaller. We arrange it this way to be kind to the JITs.
-    AuxiliaryBarrier<bool*> m_overrides; // If non-null, it means that length, callee, and caller are fully materialized properties.
+    AuxiliaryBarrier<bool*> m_mappedArguments; // If non-null, it means that length, callee, and caller are fully materialized properties.
 };
 

trunk/Source/JavaScriptCore/runtime/GenericArguments.h

@@ -44 +44 @@
     }
 
+    static void visitChildren(JSCell*, SlotVisitor&);
     static bool getOwnPropertySlot(JSObject*, ExecState*, PropertyName, PropertySlot&);
     static bool getOwnPropertySlotByIndex(JSObject*, ExecState*, unsigned propertyName, PropertySlot&);
@@ -53 +54 @@
     static bool defineOwnProperty(JSObject*, ExecState*, PropertyName, const PropertyDescriptor&, bool shouldThrow);
     
+    void initModifiedArgumentsDescriptor(VM&, unsigned length);
+    void initModifiedArgumentsDescriptorIfNecessary(VM&, unsigned length);
+    void setModifiedArgumentDescriptor(VM&, unsigned index, unsigned length);
+    bool isModifiedArgumentDescriptor(unsigned index, unsigned length);
+
     void copyToArguments(ExecState*, VirtualRegister firstElementDest, unsigned offset, unsigned length);
+    
+    AuxiliaryBarrier<bool*> m_modifiedArgumentsDescriptor;
 };
 

trunk/Source/JavaScriptCore/runtime/GenericArgumentsInlines.h

@@ -32 +32 @@
 
 template<typename Type>
+void GenericArguments<Type>::visitChildren(JSCell* thisCell, SlotVisitor& visitor)
+{
+    Type* thisObject = static_cast<Type*>(thisCell);
+    ASSERT_GC_OBJECT_INHERITS(thisObject, info());
+    
+    if (thisObject->m_modifiedArgumentsDescriptor)
+        visitor.markAuxiliary(thisObject->m_modifiedArgumentsDescriptor.get());
+}
+
+template<typename Type>
 bool GenericArguments<Type>::getOwnPropertySlot(JSObject* object, ExecState* exec, PropertyName ident, PropertySlot& slot)
 {
@@ -53 +63 @@
     
     std::optional<uint32_t> index = parseIndex(ident);
-    if (index && thisObject->canAccessIndexQuickly(index.value())) {
+    if (index && !thisObject->isModifiedArgumentDescriptor(index.value()) && thisObject->isMappedArgument(index.value())) {
         slot.setValue(thisObject, None, thisObject->getIndexQuickly(index.value()));
         return true;
     }
     
-    return Base::getOwnPropertySlot(thisObject, exec, ident, slot);
+    bool result = Base::getOwnPropertySlot(thisObject, exec, ident, slot);
+    
+    if (index && thisObject->isMappedArgument(index.value()))
+        slot.setValue(thisObject, slot.attributes(), thisObject->getIndexQuickly(index.value()));
+    
+    return result;
 }
 
@@ -66 +81 @@
     Type* thisObject = jsCast<Type*>(object);
     
-    if (thisObject->canAccessIndexQuickly(index)) {
-        JSValue result = thisObject->getIndexQuickly(index);
-        slot.setValue(thisObject, None, result);
+    if (!thisObject->isModifiedArgumentDescriptor(index) && thisObject->isMappedArgument(index)) {
+        slot.setValue(thisObject, None, thisObject->getIndexQuickly(index));
         return true;
     }
     
     bool result = Base::getOwnPropertySlotByIndex(object, exec, index, slot);
+    
+    if (thisObject->isMappedArgument(index))
+        slot.setValue(thisObject, slot.attributes(), thisObject->getIndexQuickly(index));
+    
     return result;
 }
@@ -83 +101 @@
     if (array.includeStringProperties()) {
         for (unsigned i = 0; i < thisObject->internalLength(); ++i) {
-            if (!thisObject->canAccessIndexQuickly(i))
+            if (!thisObject->isMappedArgument(i))
                 continue;
             array.add(Identifier::from(exec, i));
@@ -119 +137 @@
     
     std::optional<uint32_t> index = parseIndex(ident);
-    if (index && thisObject->canAccessIndexQuickly(index.value())) {
+    if (index && thisObject->isMappedArgument(index.value())) {
         thisObject->setIndexQuickly(vm, index.value(), value);
         return true;
@@ -132 +150 @@
     Type* thisObject = jsCast<Type*>(cell);
     VM& vm = exec->vm();
-    
-    if (thisObject->canAccessIndexQuickly(index)) {
+
+    if (thisObject->isMappedArgument(index)) {
         thisObject->setIndexQuickly(vm, index, value);
         return true;
@@ -154 +172 @@
     
     std::optional<uint32_t> index = parseIndex(ident);
-    if (index && thisObject->canAccessIndexQuickly(index.value())) {
-        thisObject->overrideArgument(vm, index.value());
+    if (index && !thisObject->isModifiedArgumentDescriptor(index.value()) && thisObject->isMappedArgument(index.value())) {
+        thisObject->unmapArgument(vm, index.value());
+        thisObject->setModifiedArgumentDescriptor(vm, index.value());
         return true;
     }
@@ -167 +186 @@
     Type* thisObject = jsCast<Type*>(cell);
     VM& vm = exec->vm();
-    
-    if (thisObject->canAccessIndexQuickly(index)) {
-        thisObject->overrideArgument(vm, index);
-        return true;
-    }
-    
+
+    if (!thisObject->isModifiedArgumentDescriptor(index) && thisObject->isMappedArgument(index)) {
+        thisObject->unmapArgument(vm, index);
+        thisObject->setModifiedArgumentDescriptor(vm, index);
+        return true;
+    }
+
     return Base::deletePropertyByIndex(cell, exec, index);
 }
@@ -188 +208 @@
     else {
         std::optional<uint32_t> optionalIndex = parseIndex(ident);
-        if (optionalIndex && thisObject->canAccessIndexQuickly(optionalIndex.value())) {
+        if (optionalIndex) {
             uint32_t index = optionalIndex.value();
-            if (!descriptor.isAccessorDescriptor()) {
+            if (!descriptor.isAccessorDescriptor() && thisObject->isMappedArgument(optionalIndex.value())) {
                 // If the property is not deleted and we are using a non-accessor descriptor, then
                 // make sure that the aliased argument sees the value.
@@ -196 +216 @@
                     thisObject->setIndexQuickly(vm, index, descriptor.value());
             
-                // If the property is not deleted and we are using a non-accessor, writable
-                // descriptor, then we are done. The argument continues to be aliased. Note that we
-                // ignore the request to change enumerability. We appear to have always done so, in
-                // cases where the argument was still aliased.
-                // FIXME: https://bugs.webkit.org/show_bug.cgi?id=141952
-                if (descriptor.writable())
+                // If the property is not deleted and we are using a non-accessor, writable,
+                // configurable and enumerable descriptor and isn't modified, then we are done.
+                // The argument continues to be aliased.
+                if (descriptor.writable() && descriptor.configurable() && descriptor.enumerable() && !thisObject->isModifiedArgumentDescriptor(index))
                     return true;
+                
+                if (!thisObject->isModifiedArgumentDescriptor(index)) {
+                    // If it is a new entry, we need to put direct to initialize argument[i] descriptor properly
+                    JSValue value = thisObject->getIndexQuickly(index);
+                    ASSERT(value);
+                    object->putDirectMayBeIndex(exec, ident, value);
+                    
+                    thisObject->setModifiedArgumentDescriptor(vm, index);
+                }
             }
-        
-            // If the property is a non-deleted argument, then move it into the base object and
-            // then delete it.
-            JSValue value = thisObject->getIndexQuickly(index);
-            ASSERT(value);
-            object->putDirectMayBeIndex(exec, ident, value);
-            thisObject->overrideArgument(vm, index);
-        }
-    }
-    
+            
+            if (thisObject->isMappedArgument(index)) {
+                // Just unmap arguments if its descriptor contains {writable: false}.
+                // Check https://tc39.github.io/ecma262/#sec-createunmappedargumentsobject
+                // and https://tc39.github.io/ecma262/#sec-createmappedargumentsobject to verify that all data
+                // property from arguments object are {writable: true, configurable: true, enumerable: true} by default
+                if ((descriptor.writablePresent() && !descriptor.writable()) || descriptor.isAccessorDescriptor()) {
+                    if (!descriptor.isAccessorDescriptor()) {
+                        JSValue value = thisObject->getIndexQuickly(index);
+                        ASSERT(value);
+                        object->putDirectMayBeIndex(exec, ident, value);
+                    }
+                    thisObject->unmapArgument(vm, index);
+                    thisObject->setModifiedArgumentDescriptor(vm, index);
+                }
+            }
+        }
+    }
+
     // Now just let the normal object machinery do its thing.
     return Base::defineOwnProperty(object, exec, ident, descriptor, shouldThrow);
@@ -219 +255 @@
 
 template<typename Type>
+void GenericArguments<Type>::initModifiedArgumentsDescriptor(VM& vm, unsigned argsLength)
+{
+    RELEASE_ASSERT(!m_modifiedArgumentsDescriptor);
+
+    if (argsLength) {
+        void* backingStore = vm.heap.tryAllocateAuxiliary(this, WTF::roundUpToMultipleOf<8>(argsLength));
+        RELEASE_ASSERT(backingStore);
+        bool* modifiedArguments = static_cast<bool*>(backingStore);
+        m_modifiedArgumentsDescriptor.set(vm, this, modifiedArguments);
+        for (unsigned i = argsLength; i--;)
+            modifiedArguments[i] = false;
+    }
+}
+
+template<typename Type>
+void GenericArguments<Type>::initModifiedArgumentsDescriptorIfNecessary(VM& vm, unsigned argsLength)
+{
+    if (!m_modifiedArgumentsDescriptor)
+        initModifiedArgumentsDescriptor(vm, argsLength);
+}
+
+template<typename Type>
+void GenericArguments<Type>::setModifiedArgumentDescriptor(VM& vm, unsigned index, unsigned length)
+{
+    initModifiedArgumentsDescriptorIfNecessary(vm, length);
+    if (index < length)
+        m_modifiedArgumentsDescriptor.get()[index] = true;
+}
+
+template<typename Type>
+bool GenericArguments<Type>::isModifiedArgumentDescriptor(unsigned index, unsigned length)
+{
+    if (!m_modifiedArgumentsDescriptor)
+        return false;
+    if (index < length)
+        return m_modifiedArgumentsDescriptor.get()[index];
+    return false;
+}
+
+template<typename Type>
 void GenericArguments<Type>::copyToArguments(ExecState* exec, VirtualRegister firstElementDest, unsigned offset, unsigned length)
 {
@@ -226 +302 @@
     Type* thisObject = static_cast<Type*>(this);
     for (unsigned i = 0; i < length; ++i) {
-        if (thisObject->canAccessIndexQuickly(i + offset))
+        if (thisObject->isMappedArgument(i + offset))
             exec->r(firstElementDest + i) = thisObject->getIndexQuickly(i + offset);
         else {

trunk/Source/JavaScriptCore/runtime/ScopedArguments.cpp

@@ -112 +112 @@
             thisObject->overflowStorage(), thisObject->m_totalLength - thisObject->m_table->length());
     }
+
+    GenericArguments<ScopedArguments>::visitChildren(cell, visitor);
 }
 
@@ -136 +138 @@
 }
 
-void ScopedArguments::overrideArgument(VM& vm, uint32_t i)
+void ScopedArguments::unmapArgument(VM& vm, uint32_t i)
 {
     ASSERT_WITH_SECURITY_IMPLICATION(i < m_totalLength);

trunk/Source/JavaScriptCore/runtime/ScopedArguments.h

@@ -71 +71 @@
     }
     
-    bool canAccessIndexQuickly(uint32_t i) const
+    bool isMappedArgument(uint32_t i) const
     {
         if (i >= m_totalLength)
@@ -81 +81 @@
     }
 
-    bool canAccessArgumentIndexQuicklyInDFG(uint32_t i) const
+    bool isMappedArgumentInDFG(uint32_t i) const
     {
-        return canAccessIndexQuickly(i);
+        return isMappedArgument(i);
     }
     
     JSValue getIndexQuickly(uint32_t i) const
     {
-        ASSERT_WITH_SECURITY_IMPLICATION(canAccessIndexQuickly(i));
+        ASSERT_WITH_SECURITY_IMPLICATION(isMappedArgument(i));
         unsigned namedLength = m_table->length();
         if (i < namedLength)
@@ -97 +97 @@
     void setIndexQuickly(VM& vm, uint32_t i, JSValue value)
     {
-        ASSERT_WITH_SECURITY_IMPLICATION(canAccessIndexQuickly(i));
+        ASSERT_WITH_SECURITY_IMPLICATION(isMappedArgument(i));
         unsigned namedLength = m_table->length();
         if (i < namedLength)
@@ -109 +109 @@
         return m_callee;
     }
-    
+
     bool overrodeThings() const { return m_overrodeThings; }
     void overrideThings(VM&);
     void overrideThingsIfNecessary(VM&);
-    void overrideArgument(VM&, uint32_t index);
+    void unmapArgument(VM&, uint32_t index);
     
+    void initModifiedArgumentsDescriptorIfNecessary(VM& vm)
+    {
+        GenericArguments<ScopedArguments>::initModifiedArgumentsDescriptorIfNecessary(vm, m_table->length());
+    }
+
+    void setModifiedArgumentDescriptor(VM& vm, unsigned index)
+    {
+        GenericArguments<ScopedArguments>::setModifiedArgumentDescriptor(vm, index, m_table->length());
+    }
+
+    bool isModifiedArgumentDescriptor(unsigned index)
+    {
+        return GenericArguments<ScopedArguments>::isModifiedArgumentDescriptor(index, m_table->length());
+    }
+
     void copyToArguments(ExecState*, VirtualRegister firstElementDest, unsigned offset, unsigned length);