Changeset 249911 in webkit

Timestamp:

Sep 16, 2019 12:32:39 PM (5 years ago)

Author:

sbarati@apple.com

Message:

JSObject::putInlineSlow should not ignore "proto" for Proxy
​https://bugs.webkit.org/show_bug.cgi?id=200386
<rdar://problem/53854946>

Reviewed by Yusuke Suzuki.

JSTests:

• stress/proxy-proto-in-prototype-chain.js: Added.
• stress/proxy-property-replace-structure-transition.js: Added.

Source/JavaScriptCore:

We used to ignore 'proto' in putInlineSlow when the object in question
was Proxy. There is no reason for this, and it goes against the spec. So
I've removed that condition. This also has the effect that it fixes an
assertion firing inside our inline caching code which dictates that for a
property replace that the base value's structure must be equal to the
structure when we grabbed the structure prior to the put operation.
The old code caused a weird edge case where we broke this invariant.

• runtime/JSObject.cpp:

(JSC::JSObject::putInlineSlow):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/proxy-__proto__-in-prototype-chain.js (added)
• JSTests/stress/proxy-property-replace-structure-transition.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (3 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-09-16  Saam Barati  <sbarati@apple.com>
+
+        JSObject::putInlineSlow should not ignore "__proto__" for Proxy
+        https://bugs.webkit.org/show_bug.cgi?id=200386
+        <rdar://problem/53854946>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/proxy-__proto__-in-prototype-chain.js: Added.
+        * stress/proxy-property-replace-structure-transition.js: Added.
+
 2019-09-13  Alexey Shvayka  <shvaikalesh@gmail.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-09-16  Saam Barati  <sbarati@apple.com>
+
+        JSObject::putInlineSlow should not ignore "__proto__" for Proxy
+        https://bugs.webkit.org/show_bug.cgi?id=200386
+        <rdar://problem/53854946>
+
+        Reviewed by Yusuke Suzuki.
+
+        We used to ignore '__proto__' in putInlineSlow when the object in question
+        was Proxy. There is no reason for this, and it goes against the spec. So
+        I've removed that condition. This also has the effect that it fixes an
+        assertion firing inside our inline caching code which dictates that for a
+        property replace that the base value's structure must be equal to the
+        structure when we grabbed the structure prior to the put operation.
+        The old code caused a weird edge case where we broke this invariant.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::putInlineSlow):
+
 2019-09-15  David Kilzer  <ddkilzer@apple.com>
 

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -685 +685 @@
     PropertyDescriptor ownDescriptor;
     while (true) {
-        if (current->type() == ProxyObjectType && propertyName != vm.propertyNames->underscoreProto) {
+        if (current->type() == ProxyObjectType) {
             ProxyObject* proxy = jsCast<ProxyObject*>(current);
             PutPropertySlot slot(receiver, shouldThrow);
@@ -829 +829 @@
             ASSERT(!(attributes & PropertyAttribute::Accessor));
 
-            // If there's an existing property on the object or one of its 
-            // prototypes it should be replaced, so break here.
+            // If there's an existing property on the base object, or on one of its 
+            // prototypes, we should store the property on the *base* object.
             break;
         }
@@ -839 +839 @@
             }
         }
-        if (obj->type() == ProxyObjectType && propertyName != vm.propertyNames->underscoreProto) {
+        if (obj->type() == ProxyObjectType) {
             // FIXME: We shouldn't unconditionally perform [[Set]] here.
             // We need to do more because this is observable behavior.