Changeset 258573 in webkit


Timestamp:
Mar 17, 2020 12:45:05 PM (4 years ago)
Author:
Tadeu Zagallo
Message:

AccessCase::canReplace should allow a Getter to replace an IntrinsicGetter
https://bugs.webkit.org/show_bug.cgi?id=209158
<rdar://problem/59222012>

Reviewed by Saam Barati.

When we override an intrinsic getter with a user-defined getter, we might end up with the
same offset and attributes. In that case, an inline cache that contained an entry for the
intrinsic getter will believe that it is still valid and add a new getter access case,
leading to duplicate entries for the same structure.

  • bytecode/AccessCase.cpp:

(JSC::AccessCase::canReplace const):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

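--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,18 @@
+2020-03-17  Tadeu Zagallo  <tzagallo@apple.com>
+
+        AccessCase::canReplace should allow a Getter to replace an IntrinsicGetter
+        https://bugs.webkit.org/show_bug.cgi?id=209158
+        <rdar://problem/59222012>
+
+        Reviewed by Saam Barati.
+
+        When we override an intrinsic getter with a user defined getter, we might end up with the
+        same offset and attributes. In which case, an inline cache that contained an entry for the
+        intrisic getter will believe that it is still valid, and add a new getter access case,
+        leading to duplicate entries for the same structure.
+
+        * bytecode/AccessCase.cpp:
+        (JSC::AccessCase::canReplace const):
+
 2020-03-16  Yusuke Suzuki  <ysuzuki@apple.com>
 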
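--- a/trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp
+++ b/trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp
@@ -588,4 +588,21 @@
     if (m_identifier != other.m_identifier)
         return false;
+
+    auto checkPolyProtoAndStructure = [&] {
+        if (m_polyProtoAccessChain) {
+            if (!other.m_polyProtoAccessChain)
+                return false;
+            // This is the only check we need since PolyProtoAccessChain contains the base structure.
+            // If we ever change it to contain only the prototype chain, we'll also need to change
+            // this to check the base structure.
+            return structure() == other.structure()
+                && *m_polyProtoAccessChain == *other.m_polyProtoAccessChain;
+        }
+
+        if (!guardedByStructureCheckSkippingConstantIdentifierCheck() || !other.guardedByStructureCheckSkippingConstantIdentifierCheck())
+            return false;
+
+        return structure() == other.structure();
+    };
    
     switch (type()) {
@@ -649,5 +666,4 @@
     case Miss:
     case GetGetter:
-    case Getter:
     case Setter:
     case CustomValueGetter:
@@ -655,5 +671,4 @@
     case CustomValueSetter:
     case CustomAccessorSetter:
-    case IntrinsicGetter:
     case InHit:
     case InMiss:
@@ -661,18 +676,12 @@
             return false;
 
-        if (m_polyProtoAccessChain) {
-            if (!other.m_polyProtoAccessChain)
-                return false;
-            // This is the only check we need since PolyProtoAccessChain contains the base structure.
-            // If we ever change it to contain only the prototype chain, we'll also need to change
-            // this to check the base structure.
-            return structure() == other.structure()
-                && *m_polyProtoAccessChain == *other.m_polyProtoAccessChain;
-        }
-
-        if (!guardedByStructureCheckSkippingConstantIdentifierCheck() || !other.guardedByStructureCheckSkippingConstantIdentifierCheck())
+        return checkPolyProtoAndStructure();
+
+    case IntrinsicGetter:
+    case Getter:
+        if (other.type() != Getter && other.type() != IntrinsicGetter)
             return false;
 
-        return structure() == other.structure();
+        return checkPolyProtoAndStructure();
     }
     RELEASE_ASSERT_NOT_REACHED();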
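Review bot: The new `case IntrinsicGetter:` / `case Getter:` arm accepts an `other` of a different type, yet nothing at that spot says why, so the invariant it protects is recorded only in the ChangeLog. I would put a comment above the `if`, such as `// A user getter can take over an intrinsic getter's offset and attributes; let either replace the other so the cache never holds two cases for one structure.` The test is symmetric, so an IntrinsicGetter can now also replace a Getter, a direction the commit message does not mention and that is worth confirming as intended. Only ChangeLog and AccessCase.cpp are listed as edited, so as far as this page shows no regression test covers the duplicate-entry condition. canReplace begins and ends outside the lines shown here.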