Context Navigation

← Previous Changeset
Next Changeset →

Changeset 246210 in webkit

Timestamp:

Jun 7, 2019 11:54:31 AM (5 years ago)

Author:

Tadeu Zagallo

Message:

AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
https://bugs.webkit.org/show_bug.cgi?id=198581
<rdar://problem/51099753>

Reviewed by Saam Barati.

JSTests:

stress/global-object-proto-getter.js: Added.

(f):
(test):

Source/JavaScriptCore:

For GetGetterSetterByOffset, when the abstract interpreter fails to read the property
from the object, it gets the GetterSetter structure from the CodeBlock's global object.
However, that's not correct, since the global object for the base object might differ
from the CodeBlock's. Instead, we try to get the global object from the base, when it's
a constant object. Otherwise, we can't infer the value and only set the type.

dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

Location:

trunk

Files:

: 1 added
: 3 edited

JSTests/ChangeLog (modified) (1 diff)
JSTests/stress/global-object-proto-getter.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r246139
+                      r246210
+-06-07  Tadeu Zagallo  <tzagallo@apple.com>
+        AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
+        https://bugs.webkit.org/show_bug.cgi?id=198581
+        <rdar://problem/51099753>
+        Reviewed by Saam Barati.
+        * stress/global-object-proto-getter.js: Added.
+        (f):
+        (test):
 -06-05  Justin Michaud  <justin_michaud@apple.com>

trunk/Source/JavaScriptCore/ChangeLog

-                      r246177
+                      r246210
+-06-07  Tadeu Zagallo  <tzagallo@apple.com>
+        AI should get GetterSetter structure from the base's GlobalObject for GetGetterSetterByOffset
+        https://bugs.webkit.org/show_bug.cgi?id=198581
+        <rdar://problem/51099753>
+        Reviewed by Saam Barati.
+        For GetGetterSetterByOffset, when the abstract interpreter fails to read the property
+        from the object, it gets the GetterSetter structure from the CodeBlock's global object.
+        However, that's not correct, since the global object for the base object might differ
+        from the CodeBlock's. Instead, we try to get the global object from the base, when it's
+        a constant object. Otherwise, we can't infer the value and only set the type.
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
 -06-06  Devin Rousso  <drousso@apple.com>

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

-                      r246073
+                      r246210
     case GetGetterSetterByOffset: {
         StorageAccessData& data = node->storageAccessData();
+        JSValue result = m_graph.tryGetConstantProperty(forNode(node->child2()), data.offset);
+        AbstractValue base = forNode(node->child2());
+        JSValue result = m_graph.tryGetConstantProperty(base, data.offset);
         if (result && jsDynamicCast<GetterSetter*>(m_vm, result)) {
             setConstant(node, *m_graph.freeze(result));
 …
+        }
+        setForNode(node, m_graph.globalObjectFor(node->origin.semantic)->getterSetterStructure());
+        if (base.value() && base.value().isObject()) {
+            setForNode(node, asObject(base.value())->globalObject()->getterSetterStructure());
+            break;
+        }
+        setTypeForNode(node, SpecObjectOther);
         break;
+    }

Note: See TracChangeset for help on using the changeset viewer.