Changeset 218836 in webkit

Timestamp:

Jun 27, 2017 10:43:03 AM (7 years ago)

Author:

Joseph Pecoraro

Message:

Web Inspector: Crash generating object preview for ArrayIterator
​https://bugs.webkit.org/show_bug.cgi?id=173754
<rdar://problem/32859012>

Reviewed by Saam Barati.

Source/JavaScriptCore:

When Inspector generates an object preview for an ArrayIterator instance it made
a "clone" of the original ArrayIterator instance by constructing a new object with
the instance's structure. However, user code could have modified that instance's
structure, such as adding / removing properties. The return property had special
meaning, and our clone did not fill that slot. This approach is brittle in that
we weren't satisfying the expectations of an object with a particular Structure,
and the original goal of having Web Inspector peek values of built-in Iterators
was to avoid observable behavior.

This tightens Web Inspector's Iterator preview to only peek values if the
Iterators would actually be non-observable. It also builds an ArrayIterator
clone like a regular object construction.

• inspector/JSInjectedScriptHost.cpp:

(Inspector::cloneArrayIteratorObject):
Build up the Object from scratch with a new ArrayIterator prototype.

(Inspector::JSInjectedScriptHost::iteratorEntries):
Only clone and peek iterators if it would not be observable.
Also update iteration to be more in line with IterationOperations, such as when
we call iteratorClose.

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::JSGlobalObject):
(JSC::JSGlobalObject::init):

• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):

• runtime/JSGlobalObjectInlines.h:

(JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.

• runtime/JSMap.cpp:

(JSC::JSMap::isIteratorProtocolFastAndNonObservable):
(JSC::JSMap::canCloneFastAndNonObservable):

• runtime/JSMap.h:
• runtime/JSSet.cpp:

(JSC::JSSet::isIteratorProtocolFastAndNonObservable):
(JSC::JSSet::canCloneFastAndNonObservable):

• runtime/JSSet.h:

Promote isIteratorProtocolFastAndNonObservable to a method.

• runtime/JSObject.cpp:

(JSC::canDoFastPutDirectIndex):

• runtime/JSTypeInfo.h:

(JSC::TypeInfo::isArgumentsType):
Helper to detect if an Object is an Arguments type.

LayoutTests:

• platform/mac/inspector/model/remote-object-expected.txt:
• inspector/model/remote-object-expected.txt:
• inspector/model/remote-object.html:

Test generating a preview for an ArrayIterator that has had a return property added to it.

• inspector/model/remote-object-mutated-iterators-expected.txt: Added.
• inspector/model/remote-object-mutated-iterators.html: Added.

Test generating a preview for different iterators after the IteratorPrototypes have been mutated.

• inspector/model/resources/remote-object-utilities.js: Added.

(runInBrowserTest):
(TestPage.registerInitializer):
(TestPage.registerInitializer.checkComplete):
(TestPage.registerInitializer.window.runSteps):
Share code for remote-object dump tests.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/inspector/model/remote-object-expected.txt (modified) (1 diff)
• LayoutTests/inspector/model/remote-object-mutated-iterators-expected.txt (added)
• LayoutTests/inspector/model/remote-object-mutated-iterators.html (added)
• LayoutTests/inspector/model/remote-object.html (modified) (3 diffs)
• LayoutTests/inspector/model/resources/remote-object-utilities.js (added)
• LayoutTests/platform/mac/inspector/model/remote-object-expected.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp (modified) (6 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObject.cpp (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObject.h (modified) (4 diffs)
• Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSMap.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSMap.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSSet.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSSet.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSTypeInfo.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
+
+        Web Inspector: Crash generating object preview for ArrayIterator
+        https://bugs.webkit.org/show_bug.cgi?id=173754
+        <rdar://problem/32859012>
+
+        Reviewed by Saam Barati.
+
+        * platform/mac/inspector/model/remote-object-expected.txt:
+        * inspector/model/remote-object-expected.txt:
+        * inspector/model/remote-object.html:
+        Test generating a preview for an ArrayIterator that has had a `return` property added to it.
+
+        * inspector/model/remote-object-mutated-iterators-expected.txt: Added.
+        * inspector/model/remote-object-mutated-iterators.html: Added.
+        Test generating a preview for different iterators after the IteratorPrototypes have been mutated.
+
+        * inspector/model/resources/remote-object-utilities.js: Added.
+        (runInBrowserTest):
+        (TestPage.registerInitializer):
+        (TestPage.registerInitializer.checkComplete):
+        (TestPage.registerInitializer.window.runSteps):
+        Share code for remote-object dump tests.
+
 2017-06-27  Frederic Wang  <fwang@igalia.com>
 

trunk/LayoutTests/inspector/model/remote-object-expected.txt

@@ -3923 +3923 @@
 
 -----------------------------------------------------
+EXPRESSION: iter = [1, 2][Symbol.iterator](); iter['return'] = function(){}; iter
+{
+  "_type": "object",
+  "_subtype": "iterator",
+  "_objectId": "<filtered>",
+  "_description": "Array Iterator",
+  "_preview": {
+    "_type": "object",
+    "_subtype": "iterator",
+    "_description": "Array Iterator",
+    "_lossless": true,
+    "_overflow": false,
+    "_properties": [
+      {
+        "_name": "array",
+        "_type": "object",
+        "_subtype": "array",
+        "_valuePreview": {
+          "_type": "object",
+          "_subtype": "array",
+          "_description": "Array",
+          "_lossless": true,
+          "_overflow": false,
+          "_size": 2,
+          "_properties": [
+            {
+              "_name": "0",
+              "_type": "number",
+              "_value": "1"
+            },
+            {
+              "_name": "1",
+              "_type": "number",
+              "_value": "2"
+            }
+          ],
+          "_entries": null
+        },
+        "_internal": true
+      },
+      {
+        "_name": "kind",
+        "_type": "string",
+        "_value": "value",
+        "_internal": true
+      }
+    ],
+    "_entries": [
+      {
+        "_value": {
+          "_type": "number",
+          "_description": "1",
+          "_lossless": true,
+          "_overflow": false,
+          "_properties": null,
+          "_entries": null
+        }
+      },
+      {
+        "_value": {
+          "_type": "number",
+          "_description": "2",
+          "_lossless": true,
+          "_overflow": false,
+          "_properties": null,
+          "_entries": null
+        }
+      }
+    ]
+  }
+}
+
+-----------------------------------------------------
 EXPRESSION: new Promise(function(){})
 {

trunk/LayoutTests/inspector/model/remote-object.html

@@ -1 @@
-<!doctype html>
+<!DOCTYPE html>
 <html>
 <head>
-<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+<meta charset="utf-8">
 <script src="../../http/tests/inspector/resources/inspector-test.js"></script>
+<script src="resources/remote-object-utilities.js"></script>
 <script>
 function test()
 {
-    var currentStepIndex = 0;
-    var steps = [
+    let steps = [
     // Special:
 
@@ -160 +160 @@
         {expression: "map.entries()"},
         {expression: "x = undefined; (function() { x = arguments; })(1, 'two'); x[Symbol.iterator]()"},
+        {expression: "iter = [1, 2][Symbol.iterator](); iter['return'] = function(){}; iter"},
 
         // Promise
@@ -192 +193 @@
     }
 
-    function remoteObjectJSONFilter(key, value)
-    {
-        if (key === "_target" || key === "_hasChildren" || key === "_listeners")
-            return undefined;
-        if (key === "_objectId" || key === "_stackTrace")
-            return "<filtered>";
-        return value;
-    }
-
-    function runSteps() {
-
-        function afterStep() {
-            if (++currentStepIndex >= steps.length)
-                InspectorTest.completeTest();
-        }
-
-        function runStep(step) {
-            if (step.browserOnly) {
-                afterStep();
-                return;
-            }
-
-            WebInspector.runtimeManager.evaluateInInspectedWindow(step.expression, {objectGroup: "test", doNotPauseOnExceptionsAndMuteConsole: true, generatePreview: true}, function(remoteObject, wasThrown) {
-                InspectorTest.log("");
-                InspectorTest.log("-----------------------------------------------------");
-                InspectorTest.log("EXPRESSION: " + step.expression);
-                InspectorTest.assert(remoteObject instanceof WebInspector.RemoteObject);
-                InspectorTest.log(JSON.stringify(remoteObject, remoteObjectJSONFilter, "  "));
-                afterStep();
-            });
-        }
-
-        for (var step of steps)
-            runStep(step);
-    }
-
-    runSteps();
-}
-
-function runInBrowserTest()
-{
-    if (window.testRunner)
-        return;
- 
-    test(); // get steps.
-
-    for (var step of steps) {
-        console.info("EXPRESSION", step.expression);
-        try {
-            console.log(eval(step.expression));
-        } catch (e) {
-            console.log("EXCEPTION: " + e);
-        }
-    }
+    runSteps(steps);
 }
 </script>

trunk/LayoutTests/platform/mac/inspector/model/remote-object-expected.txt

@@ -3926 +3926 @@
 
 -----------------------------------------------------
+EXPRESSION: iter = [1, 2][Symbol.iterator](); iter['return'] = function(){}; iter
+{
+  "_type": "object",
+  "_subtype": "iterator",
+  "_objectId": "<filtered>",
+  "_description": "Array Iterator",
+  "_preview": {
+    "_type": "object",
+    "_subtype": "iterator",
+    "_description": "Array Iterator",
+    "_lossless": true,
+    "_overflow": false,
+    "_properties": [
+      {
+        "_name": "array",
+        "_type": "object",
+        "_subtype": "array",
+        "_valuePreview": {
+          "_type": "object",
+          "_subtype": "array",
+          "_description": "Array",
+          "_lossless": true,
+          "_overflow": false,
+          "_size": 2,
+          "_properties": [
+            {
+              "_name": "0",
+              "_type": "number",
+              "_value": "1"
+            },
+            {
+              "_name": "1",
+              "_type": "number",
+              "_value": "2"
+            }
+          ],
+          "_entries": null
+        },
+        "_internal": true
+      },
+      {
+        "_name": "kind",
+        "_type": "string",
+        "_value": "value",
+        "_internal": true
+      }
+    ],
+    "_entries": [
+      {
+        "_value": {
+          "_type": "number",
+          "_description": "1",
+          "_lossless": true,
+          "_overflow": false,
+          "_properties": null,
+          "_entries": null
+        }
+      },
+      {
+        "_value": {
+          "_type": "number",
+          "_description": "2",
+          "_lossless": true,
+          "_overflow": false,
+          "_properties": null,
+          "_entries": null
+        }
+      }
+    ]
+  }
+}
+
+-----------------------------------------------------
 EXPRESSION: new Promise(function(){})
 {

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
+
+        Web Inspector: Crash generating object preview for ArrayIterator
+        https://bugs.webkit.org/show_bug.cgi?id=173754
+        <rdar://problem/32859012>
+
+        Reviewed by Saam Barati.
+
+        When Inspector generates an object preview for an ArrayIterator instance it made
+        a "clone" of the original ArrayIterator instance by constructing a new object with
+        the instance's structure. However, user code could have modified that instance's
+        structure, such as adding / removing properties. The `return` property had special
+        meaning, and our clone did not fill that slot. This approach is brittle in that
+        we weren't satisfying the expectations of an object with a particular Structure,
+        and the original goal of having Web Inspector peek values of built-in Iterators
+        was to avoid observable behavior.
+
+        This tightens Web Inspector's Iterator preview to only peek values if the
+        Iterators would actually be non-observable. It also builds an ArrayIterator
+        clone like a regular object construction.
+
+        * inspector/JSInjectedScriptHost.cpp:
+        (Inspector::cloneArrayIteratorObject):
+        Build up the Object from scratch with a new ArrayIterator prototype.
+
+        (Inspector::JSInjectedScriptHost::iteratorEntries):
+        Only clone and peek iterators if it would not be observable.
+        Also update iteration to be more in line with IterationOperations, such as when
+        we call iteratorClose.
+
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::JSGlobalObject):
+        (JSC::JSGlobalObject::init):
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
+        * runtime/JSGlobalObjectInlines.h:
+        (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
+        Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.
+
+        * runtime/JSMap.cpp:
+        (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
+        (JSC::JSMap::canCloneFastAndNonObservable):
+        * runtime/JSMap.h:
+        * runtime/JSSet.cpp:
+        (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
+        (JSC::JSSet::canCloneFastAndNonObservable):
+        * runtime/JSSet.h:
+        Promote isIteratorProtocolFastAndNonObservable to a method.
+
+        * runtime/JSObject.cpp:
+        (JSC::canDoFastPutDirectIndex):
+        * runtime/JSTypeInfo.h:
+        (JSC::TypeInfo::isArgumentsType):
+        Helper to detect if an Object is an Arguments type.
+
 2017-06-26  Saam Barati  <sbarati@apple.com>
 

trunk/Source/JavaScriptCore/inspector/JSInjectedScriptHost.cpp

@@ -27 +27 @@
 #include "JSInjectedScriptHost.h"
 
+#include "ArrayIteratorPrototype.h"
 #include "BuiltinNames.h"
 #include "Completion.h"
@@ -34 +35 @@
 #include "InjectedScriptHost.h"
 #include "IteratorOperations.h"
+#include "IteratorPrototype.h"
 #include "JSArray.h"
 #include "JSBoundFunction.h"
@@ -358 +360 @@
         return array;
     }
-        
+
     if (JSSetIterator* setIterator = jsDynamicCast<JSSetIterator*>(vm, value)) {
         String kind;
@@ -509 +511 @@
 }
 
-static JSObject* cloneArrayIteratorObject(ExecState* exec, VM& vm, JSObject* iteratorObject, JSValue nextIndex)
+static JSObject* cloneArrayIteratorObject(ExecState* exec, VM& vm, JSObject* iteratorObject, JSGlobalObject* globalObject, JSValue nextIndex, JSValue iteratedObject)
 {
     ASSERT(iteratorObject->type() == FinalObjectType);
-    JSObject* clone = constructEmptyObject(exec, iteratorObject->structure());
+    JSObject* clone = constructEmptyObject(exec, ArrayIteratorPrototype::create(vm, globalObject, ArrayIteratorPrototype::createStructure(vm, globalObject, globalObject->iteratorPrototype())));
+    clone->putDirect(vm, vm.propertyNames->builtinNames().iteratedObjectPrivateName(), iteratedObject);
+    clone->putDirect(vm, vm.propertyNames->builtinNames().arrayIteratorKindPrivateName(), iteratorObject->getDirect(vm, vm.propertyNames->builtinNames().arrayIteratorKindPrivateName()));
     clone->putDirect(vm, vm.propertyNames->builtinNames().arrayIteratorNextIndexPrivateName(), nextIndex);
-    clone->putDirect(vm, vm.propertyNames->builtinNames().iteratedObjectPrivateName(), iteratorObject->getDirect(vm, vm.propertyNames->builtinNames().iteratedObjectPrivateName()));
+    clone->putDirect(vm, vm.propertyNames->builtinNames().arrayIteratorNextPrivateName(), iteratorObject->getDirect(vm, vm.propertyNames->builtinNames().arrayIteratorNextPrivateName()));
     clone->putDirect(vm, vm.propertyNames->builtinNames().arrayIteratorIsDonePrivateName(), iteratorObject->getDirect(vm, vm.propertyNames->builtinNames().arrayIteratorIsDonePrivateName()));
-    clone->putDirect(vm, vm.propertyNames->builtinNames().arrayIteratorNextPrivateName(), iteratorObject->getDirect(vm, vm.propertyNames->builtinNames().arrayIteratorNextPrivateName()));
     return clone;
 }
@@ -527 +530 @@
     VM& vm = exec->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
+
     JSValue iterator;
-    JSValue value = exec->uncheckedArgument(0);
-    if (JSMapIterator* mapIterator = jsDynamicCast<JSMapIterator*>(vm, value))
-        iterator = mapIterator->clone(exec);
-    else if (JSSetIterator* setIterator = jsDynamicCast<JSSetIterator*>(vm, value))
-        iterator = setIterator->clone(exec);
-    else if (JSStringIterator* stringIterator = jsDynamicCast<JSStringIterator*>(vm, value))
-        iterator = stringIterator->clone(exec);
-    else {
-        if (JSObject* iteratorObject = jsDynamicCast<JSObject*>(vm, value)) {
-            // Array Iterators are created in JS for performance reasons. Thus the only way to know we have one is to
-            // look for a property that is unique to them.
-            if (JSValue nextIndex = iteratorObject->getDirect(vm, vm.propertyNames->builtinNames().arrayIteratorNextIndexPrivateName()))
-                iterator = cloneArrayIteratorObject(exec, vm, iteratorObject, nextIndex);
-        }
-    }
+    JSGlobalObject* globalObject = exec->lexicalGlobalObject();
+    JSValue value = exec->uncheckedArgument(0);
+    if (JSMapIterator* mapIterator = jsDynamicCast<JSMapIterator*>(vm, value)) {
+        if (jsCast<JSMap*>(mapIterator->iteratedValue())->isIteratorProtocolFastAndNonObservable())
+            iterator = mapIterator->clone(exec);
+    } else if (JSSetIterator* setIterator = jsDynamicCast<JSSetIterator*>(vm, value)) {
+        if (jsCast<JSSet*>(setIterator->iteratedValue())->isIteratorProtocolFastAndNonObservable())
+            iterator = setIterator->clone(exec);
+    } else if (JSStringIterator* stringIterator = jsDynamicCast<JSStringIterator*>(vm, value)) {
+        if (globalObject->isStringPrototypeIteratorProtocolFastAndNonObservable())
+            iterator = stringIterator->clone(exec);
+    } else if (JSObject* iteratorObject = jsDynamicCast<JSObject*>(vm, value)) {
+        // Detect an ArrayIterator by checking for one of its unique private properties.
+        if (JSValue nextIndex = iteratorObject->getDirect(vm, vm.propertyNames->builtinNames().arrayIteratorNextIndexPrivateName())) {
+            JSValue iteratedObject = iteratorObject->getDirect(vm, vm.propertyNames->builtinNames().iteratedObjectPrivateName());
+            if (isJSArray(iteratedObject)) {
+                JSArray* array = jsCast<JSArray*>(iteratedObject);
+                if (array->isIteratorProtocolFastAndNonObservable())
+                    iterator = cloneArrayIteratorObject(exec, vm, iteratorObject, globalObject, nextIndex, iteratedObject);
+            } else if (iteratedObject.isObject() && TypeInfo::isArgumentsType(asObject(iteratedObject)->type())) {
+                if (globalObject->isArrayPrototypeIteratorProtocolFastAndNonObservable())
+                    iterator = cloneArrayIteratorObject(exec, vm, iteratorObject, globalObject, nextIndex, iteratedObject);
+            }
+        }
+    }
+    RETURN_IF_EXCEPTION(scope, { });
     if (!iterator)
         return jsUndefined();
@@ -549 +564 @@
     JSValue numberToFetchArg = exec->argument(1);
     double fetchDouble = numberToFetchArg.toInteger(exec);
+    RETURN_IF_EXCEPTION(scope, { });
     if (fetchDouble >= 0)
         numberToFetch = static_cast<unsigned>(fetchDouble);
 
     JSArray* array = constructEmptyArray(exec, nullptr);
-    RETURN_IF_EXCEPTION(scope, JSValue());
+    RETURN_IF_EXCEPTION(scope, { });
 
     for (unsigned i = 0; i < numberToFetch; ++i) {
         JSValue next = iteratorStep(exec, iterator);
-        if (UNLIKELY(scope.exception()))
-            break;
-        if (next.isFalse())
+        if (UNLIKELY(scope.exception()) || next.isFalse())
             break;
 
         JSValue nextValue = iteratorValue(exec, next);
-        if (UNLIKELY(scope.exception()))
-            break;
+        RETURN_IF_EXCEPTION(scope, { });
 
         JSObject* entry = constructEmptyObject(exec);
         entry->putDirect(exec->vm(), Identifier::fromString(exec, "value"), nextValue);
         array->putDirectIndex(exec, i, entry);
-        if (UNLIKELY(scope.exception()))
-            break;
-    }
-
-    iteratorClose(exec, iterator);
+        if (UNLIKELY(scope.exception())) {
+            scope.release();
+            iteratorClose(exec, iterator);
+            break;
+        }
+    }
 
     return array;

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -327 +327 @@
     , m_mapIteratorProtocolWatchpoint(IsWatched)
     , m_setIteratorProtocolWatchpoint(IsWatched)
+    , m_stringIteratorProtocolWatchpoint(IsWatched)
     , m_mapSetWatchpoint(IsWatched)
     , m_setAddWatchpoint(IsWatched)
@@ -938 +939 @@
             m_arrayIteratorPrototypeNext->install();
         }
-
         {
             ObjectPropertyCondition condition = setupAdaptiveWatchpoint(this->arrayPrototype(), m_vm.propertyNames->iteratorSymbol);
@@ -950 +950 @@
             m_mapIteratorPrototypeNextWatchpoint->install();
         }
-
         {
             ObjectPropertyCondition condition = setupAdaptiveWatchpoint(m_mapPrototype.get(), m_vm.propertyNames->iteratorSymbol);
@@ -962 +961 @@
             m_setIteratorPrototypeNextWatchpoint->install();
         }
-
         {
             ObjectPropertyCondition condition = setupAdaptiveWatchpoint(m_setPrototype.get(), m_vm.propertyNames->iteratorSymbol);
             m_setPrototypeSymbolIteratorWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(vm, condition, m_setIteratorProtocolWatchpoint);
             m_setPrototypeSymbolIteratorWatchpoint->install();
+        }
+
+        {
+            ObjectPropertyCondition condition = setupAdaptiveWatchpoint(m_stringIteratorPrototype.get(), m_vm.propertyNames->next);
+            m_stringIteratorPrototypeNextWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(vm, condition, m_stringIteratorProtocolWatchpoint);
+            m_stringIteratorPrototypeNextWatchpoint->install();
+        }
+        {
+            ObjectPropertyCondition condition = setupAdaptiveWatchpoint(m_stringPrototype.get(), m_vm.propertyNames->iteratorSymbol);
+            m_stringPrototypeSymbolIteratorWatchpoint = std::make_unique<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>>(vm, condition, m_stringIteratorProtocolWatchpoint);
+            m_stringPrototypeSymbolIteratorWatchpoint->install();
         }
 

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -409 +409 @@
     InlineWatchpointSet& mapIteratorProtocolWatchpoint() { return m_mapIteratorProtocolWatchpoint; }
     InlineWatchpointSet& setIteratorProtocolWatchpoint() { return m_setIteratorProtocolWatchpoint; }
+    InlineWatchpointSet& stringIteratorProtocolWatchpoint() { return m_stringIteratorProtocolWatchpoint; }
     InlineWatchpointSet& mapSetWatchpoint() { return m_mapSetWatchpoint; }
     InlineWatchpointSet& setAddWatchpoint() { return m_setAddWatchpoint; }
@@ -417 +418 @@
     InlineWatchpointSet m_mapIteratorProtocolWatchpoint;
     InlineWatchpointSet m_setIteratorProtocolWatchpoint;
+    InlineWatchpointSet m_stringIteratorProtocolWatchpoint;
     InlineWatchpointSet m_mapSetWatchpoint;
     InlineWatchpointSet m_setAddWatchpoint;
@@ -426 +428 @@
     std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setPrototypeSymbolIteratorWatchpoint;
     std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setIteratorPrototypeNextWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_stringPrototypeSymbolIteratorWatchpoint;
+    std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_stringIteratorPrototypeNextWatchpoint;
     std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_mapPrototypeSetWatchpoint;
     std::unique_ptr<ObjectPropertyChangeAdaptiveWatchpoint<InlineWatchpointSet>> m_setPrototypeAddWatchpoint;
@@ -432 +436 @@
     bool isMapPrototypeIteratorProtocolFastAndNonObservable();
     bool isSetPrototypeIteratorProtocolFastAndNonObservable();
+    bool isStringPrototypeIteratorProtocolFastAndNonObservable();
     bool isMapPrototypeSetFastAndNonObservable();
     bool isSetPrototypeAddFastAndNonObservable();

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h

@@ -83 +83 @@
 }
 
+ALWAYS_INLINE bool JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable()
+{
+    return stringIteratorProtocolWatchpoint().isStillValid();
+}
+
 ALWAYS_INLINE bool JSGlobalObject::isMapPrototypeSetFastAndNonObservable()
 {

trunk/Source/JavaScriptCore/runtime/JSMap.cpp

@@ -46 +46 @@
 }
 
+bool JSMap::isIteratorProtocolFastAndNonObservable()
+{
+    JSGlobalObject* globalObject = this->globalObject();
+    if (!globalObject->isMapPrototypeIteratorProtocolFastAndNonObservable())
+        return false;
+
+    Structure* structure = this->structure();
+    // This is the fast case. Many maps will be an original map.
+    if (structure == globalObject->mapStructure())
+        return true;
+
+    if (structure->storedPrototype() != globalObject->mapPrototype())
+        return false;
+
+    if (getDirectOffset(globalObject->vm(), globalObject->vm().propertyNames->iteratorSymbol) != invalidOffset)
+        return false;
+
+    return true;
+}
+
 bool JSMap::canCloneFastAndNonObservable(Structure* structure)
 {
-    auto isIteratorProtocolFastAndNonObservable = [&] () {
-        JSGlobalObject* globalObject = this->globalObject();
-        if (!globalObject->isMapPrototypeIteratorProtocolFastAndNonObservable())
-            return false;
-
-        Structure* structure = this->structure();
-        // This is the fast case. Many maps will be an original map.
-        if (structure == globalObject->mapStructure())
-            return true;
-
-        if (structure->storedPrototype() != globalObject->mapPrototype())
-            return false;
-
-        if (getDirectOffset(globalObject->vm(), globalObject->vm().propertyNames->iteratorSymbol) != invalidOffset)
-            return false;
-
-        return true;
-    };
-
     auto setFastAndNonObservable = [&] (Structure* structure) {
         JSGlobalObject* globalObject = structure->globalObject();

trunk/Source/JavaScriptCore/runtime/JSMap.h

@@ -57 +57 @@
     }
 
+    bool isIteratorProtocolFastAndNonObservable();
     bool canCloneFastAndNonObservable(Structure*);
     JSMap* clone(ExecState*, VM&, Structure*);

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -2363 +2363 @@
     return isJSArray(object)
         || isJSFinalObject(object)
-        || object->type() == DirectArgumentsType
-        || object->type() == ScopedArgumentsType
-        || object->type() == ClonedArgumentsType;
+        || TypeInfo::isArgumentsType(object->type());
 }
 

trunk/Source/JavaScriptCore/runtime/JSSet.cpp

@@ -46 +46 @@
 }
 
+bool JSSet::isIteratorProtocolFastAndNonObservable()
+{
+    JSGlobalObject* globalObject = this->globalObject();
+    if (!globalObject->isSetPrototypeIteratorProtocolFastAndNonObservable())
+        return false;
+
+    Structure* structure = this->structure();
+    // This is the fast case. Many sets will be an original set.
+    if (structure == globalObject->setStructure())
+        return true;
+
+    if (structure->storedPrototype() != globalObject->jsSetPrototype())
+        return false;
+
+    if (getDirectOffset(globalObject->vm(), globalObject->vm().propertyNames->iteratorSymbol) != invalidOffset)
+        return false;
+
+    return true;
+}
+
 bool JSSet::canCloneFastAndNonObservable(Structure* structure)
 {
-    auto isIteratorProtocolFastAndNonObservable = [&] () {
-        JSGlobalObject* globalObject = this->globalObject();
-        if (!globalObject->isSetPrototypeIteratorProtocolFastAndNonObservable())
-            return false;
-
-        Structure* structure = this->structure();
-        // This is the fast case. Many sets will be an original set.
-        if (structure == globalObject->setStructure())
-            return true;
-
-        if (structure->storedPrototype() != globalObject->jsSetPrototype())
-            return false;
-
-        if (getDirectOffset(globalObject->vm(), globalObject->vm().propertyNames->iteratorSymbol) != invalidOffset)
-            return false;
-
-        return true;
-    };
-
     auto addFastAndNonObservable = [&] (Structure* structure) {
         JSGlobalObject* globalObject = structure->globalObject();

trunk/Source/JavaScriptCore/runtime/JSSet.h

@@ -53 +53 @@
     }
 
+    bool isIteratorProtocolFastAndNonObservable();
     bool canCloneFastAndNonObservable(Structure*);
     JSSet* clone(ExecState*, VM&, Structure*);

trunk/Source/JavaScriptCore/runtime/JSTypeInfo.h

@@ -95 +95 @@
     bool interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero() const { return isSetOnFlags2(InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero); }
 
+    static bool isArgumentsType(JSType type)
+    {
+        return type == DirectArgumentsType
+            || type == ScopedArgumentsType
+            || type == ClonedArgumentsType;
+    }
+
     static ptrdiff_t flagsOffset()
     {