Changeset 218203 in webkit

Timestamp:

Jun 13, 2017 2:52:04 PM (7 years ago)

Author:

msaboff@apple.com

Message:

DFG doesn't properly handle a property that is change to read only in a prototype
​https://bugs.webkit.org/show_bug.cgi?id=173321

Reviewed by Filip Pizlo.

JSTests:

• ChakraCore.yaml: Renabled fieldopts/objtypespec-newobj-invalidation.1.js.
• stress/regress-173321.js: Added new regression test.

(shouldBe):
(SimpleObject):
(test):

Source/JavaScriptCore:

We need to check for ReadOnly as well as a not being a Setter when checking
an AbsenceOfSetter.

• bytecode/PropertyCondition.cpp:

(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):

Location:

trunk

Files:

• JSTests/ChakraCore.yaml (modified) (1 diff)
• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/regress-173321.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/PropertyCondition.cpp (modified) (1 diff)

trunk/JSTests/ChakraCore.yaml

@@ -2045 +2045 @@
   cmd: runChakra :baseline, "NoException", "objtypespec-newobj.2.baseline", []
 - path: ChakraCore/test/fieldopts/objtypespec-newobj-invalidation.1.js
-  # FIXME: Re-enable once flakiness is resolved (https://bugs.webkit.org/show_bug.cgi?id=162567)
-  cmd: runChakra :skip, "NoException", "objtypespec-newobj-invalidation.1.baseline", []
+  cmd: runChakra :baseline, "NoException", "objtypespec-newobj-invalidation.1.baseline", []
 - path: ChakraCore/test/fieldopts/objtypespec-newobj-invalidation.2.js
   # Different behavior when run on 32 bit JSC.

trunk/JSTests/ChangeLog

@@ +1 @@
+2017-06-13  Michael Saboff  <msaboff@apple.com>
+
+        DFG doesn't properly handle a property that is change to read only in a prototype
+        https://bugs.webkit.org/show_bug.cgi?id=173321
+
+        Reviewed by Filip Pizlo.
+
+        * ChakraCore.yaml: Renabled fieldopts/objtypespec-newobj-invalidation.1.js.
+        * stress/regress-173321.js: Added new regression test.
+        (shouldBe):
+        (SimpleObject):
+        (test):
+
 2017-06-12  Saam Barati  <sbarati@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-06-13  Michael Saboff  <msaboff@apple.com>
+
+        DFG doesn't properly handle a property that is change to read only in a prototype
+        https://bugs.webkit.org/show_bug.cgi?id=173321
+
+        Reviewed by Filip Pizlo.
+
+        We need to check for ReadOnly as well as a not being a Setter when checking
+        an AbsenceOfSetter.
+
+        * bytecode/PropertyCondition.cpp:
+        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
+
 2017-06-13  Daniel Bates  <dabates@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/PropertyCondition.cpp

@@ -135 +135 @@
         PropertyOffset currentOffset = structure->getConcurrently(uid(), currentAttributes);
         if (currentOffset != invalidOffset) {
-            if (currentAttributes & (Accessor | CustomAccessor)) {
+            // FIXME: Given the addition of the check for ReadOnly attributes, we should refactor
+            // instances of AbsenceOfSetter.
+            // https://bugs.webkit.org/show_bug.cgi?id=173322 - Refactor AbsenceOfSetter to something like AbsenceOfSetEffects
+            if (currentAttributes & (ReadOnly | Accessor | CustomAccessor)) {
                 if (verbose) {
                     dataLog(