Changeset 246801 in webkit


Timestamp:
Jun 25, 2019 12:49:22 PM (5 years ago)
Author:
keith_miller@apple.com
Message:

Structure::create should call didBecomePrototype()
https://bugs.webkit.org/show_bug.cgi?id=196315

Reviewed by Filip Pizlo.

Structure::create should also assert that the indexing type makes sense
for the prototype being used.

  • runtime/JSObject.h:
  • runtime/Structure.cpp:

(JSC::Structure::isValidPrototype):
(JSC::Structure::changePrototypeTransition):

  • runtime/Structure.h:

(JSC::Structure::create): Deleted.

  • runtime/StructureInlines.h:

(JSC::Structure::create):
(JSC::Structure::setPrototypeWithoutTransition):

Location:
trunk/Source/JavaScriptCore
Files:
5 edited

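--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,22 @@
+2019-06-25  Keith Miller  <keith_miller@apple.com>
+
+        Structure::create should call didBecomePrototype()
+        https://bugs.webkit.org/show_bug.cgi?id=196315
+
+        Reviewed by Filip Pizlo.
+
+        Structure::create should also assert that the indexing type makes sense
+        for the prototype being used.
+
+        * runtime/JSObject.h:
+        * runtime/Structure.cpp:
+        (JSC::Structure::isValidPrototype):
+        (JSC::Structure::changePrototypeTransition):
+        * runtime/Structure.h:
+        (JSC::Structure::create): Deleted.
+        * runtime/StructureInlines.h:
+        (JSC::Structure::create):
+        (JSC::Structure::setPrototypeWithoutTransition):
+
 2019-06-25  Joseph Pecoraro  <pecoraro@apple.com>
 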
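--- a/trunk/Source/JavaScriptCore/runtime/JSObject.h
+++ b/trunk/Source/JavaScriptCore/runtime/JSObject.h
@@ -745,5 +745,5 @@
     bool isFrozen(VM& vm) { return structure(vm)->isFrozen(vm); }
 
-    bool anyObjectInChainMayInterceptIndexedAccesses(VM&) const;
+    JS_EXPORT_PRIVATE bool anyObjectInChainMayInterceptIndexedAccesses(VM&) const;
     JS_EXPORT_PRIVATE bool prototypeChainMayInterceptStoreTo(VM&, PropertyName);
     bool needsSlowPutIndexing(VM&) const;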
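--- a/trunk/Source/JavaScriptCore/runtime/Structure.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/Structure.cpp
@@ -322,4 +322,9 @@
 }
 
+bool Structure::isValidPrototype(JSValue prototype)
+{
+    return prototype.isNull() || (prototype.isObject() && prototype.getObject()->mayBePrototype());
+}
+
 void Structure::findStructuresAndMapForMaterialization(Vector<Structure*, 8>& structures, Structure*& structure, PropertyTable*& table)
 {
@@ -545,5 +550,5 @@
 Structure* Structure::changePrototypeTransition(VM& vm, Structure* structure, JSValue prototype, DeferredStructureTransitionWatchpointFire& deferred)
 {
-    ASSERT(prototype.isObject() || prototype.isNull());
+    ASSERT(isValidPrototype(prototype));
 
     DeferGC deferGC(vm.heap);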
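Review bot: The new isValidPrototype predicate in the first hunk is exported and now backs three assertion sites, but it carries no comment stating the contract it enforces, and the meaning of the per-object mayBePrototype() flag is not visible here. I would add, above the definition, `// A Structure's prototype must be null or an object already flagged as a prototype (the flag is presumably set by JSObject::didBecomePrototype() — confirm); an empty JSValue is rejected here and only tolerated by finishCreation().` The second hunk replaces a shape-only check with this stricter one, so callers of changePrototypeTransition that pass an object never marked as a prototype will now trip the assertion in debug builds; the body of changePrototypeTransition continues outside the hunk.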
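--- a/trunk/Source/JavaScriptCore/runtime/Structure.h
+++ b/trunk/Source/JavaScriptCore/runtime/Structure.h
@@ -139,9 +139,11 @@
     }
 
+    JS_EXPORT_PRIVATE static bool isValidPrototype(JSValue);
+
 protected:
     void finishCreation(VM& vm)
     {
         Base::finishCreation(vm);
-        ASSERT(m_prototype.get().isEmpty() || m_prototype.isObject() || m_prototype.isNull());
+        ASSERT(m_prototype.get().isEmpty() || isValidPrototype(m_prototype.get()));
     }
 
@@ -787,15 +789,3 @@
 };
 
-// We deliberately put Structure::create here in Structure.h instead of StructureInlines.h, because
-// it is used everywhere. This is so we don't have to hunt down all the places where we would need
-// to #include StructureInlines.h otherwise.
-inline Structure* Structure::create(VM& vm, JSGlobalObject* globalObject, JSValue prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity)
-{
-    ASSERT(vm.structureStructure);
-    ASSERT(classInfo);
-    Structure* structure = new (NotNull, allocateCell<Structure>(vm.heap)) Structure(vm, globalObject, prototype, typeInfo, classInfo, indexingType, inlineCapacity);
-    structure->finishCreation(vm);
-    return structure;
-}
-
 } // namespace JSC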
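Review bot: The `isEmpty()` escape kept in finishCreation's assertion in the first hunk is now the only assertion site that tolerates an empty prototype — the new checks in setPrototypeWithoutTransition and changePrototypeTransition go straight to isValidPrototype, which rejects empty — and nothing in the hunk says which construction path relies on it. A one-line comment on that ASSERT, e.g. `// Empty is allowed here only for structures built before their prototype object exists — TODO(review): confirm which caller`, would keep the next maintainer from either tightening it blindly or copying the exemption elsewhere. The second hunk is the move of create() into StructureInlines.h; the old comment explaining why it lived in Structure.h is deleted without a replacement, so a short note at the new definition saying that StructureInlines.h is now required wherever create() is called would be useful.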
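--- a/trunk/Source/JavaScriptCore/runtime/StructureInlines.h
+++ b/trunk/Source/JavaScriptCore/runtime/StructureInlines.h
@@ -36,4 +36,18 @@
 namespace JSC {
 
+inline Structure* Structure::create(VM& vm, JSGlobalObject* globalObject, JSValue prototype, const TypeInfo& typeInfo, const ClassInfo* classInfo, IndexingType indexingType, unsigned inlineCapacity)
+{
+    ASSERT(vm.structureStructure);
+    ASSERT(classInfo);
+    if (auto* object = prototype.getObject()) {
+        ASSERT(!object->anyObjectInChainMayInterceptIndexedAccesses(vm) || hasSlowPutArrayStorage(indexingType) || !hasIndexedProperties(indexingType));
+        object->didBecomePrototype();
+    }
+
+    Structure* structure = new (NotNull, allocateCell<Structure>(vm.heap)) Structure(vm, globalObject, prototype, typeInfo, classInfo, indexingType, inlineCapacity);
+    structure->finishCreation(vm);
+    return structure;
+}
+
 inline Structure* Structure::createStructure(VM& vm)
 {
@@ -494,4 +508,5 @@
 ALWAYS_INLINE void Structure::setPrototypeWithoutTransition(VM& vm, JSValue prototype)
 {
+    ASSERT(isValidPrototype(prototype));
     m_prototype.set(vm, this, prototype);
 }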
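Review bot: The indexing-type consistency check added to Structure::create in the first hunk is an ASSERT, so in release builds nothing stops a Structure with a fast indexed IndexingType from being created over a prototype chain for which anyObjectInChainMayInterceptIndexedAccesses() is true; the same is true of the isValidPrototype check reached through finishCreation. If engine fast paths rely on that pairing never occurring, an ASSERT only documents the invariant, it does not enforce it where untrusted scripts run — I can't tell from this hunk whether a release-build path already guarantees it. At minimum the ASSERT deserves a comment stating the caller obligation, e.g. `// Callers must not pair a fast indexed IndexingType with a prototype chain that intercepts indexed accesses; only checked in debug builds.`, and if the invariant is load-bearing the cheap isValidPrototype part could become a RELEASE_ASSERT while the chain walk stays debug-only. Note also that didBecomePrototype() mutates the prototype object before the cell allocation, so the side effect is retained even if allocateCell fails or the ASSERT in finishCreation fires.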