Changeset 258573 in webkit
- Timestamp:
- Mar 17, 2020 12:45:05 PM (4 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 2 edited
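--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,18 @@
+2020-03-17 Tadeu Zagallo <tzagallo@apple.com>
+
+AccessCase::canReplace should allow a Getter to replace an IntrinsicGetter
+https://bugs.webkit.org/show_bug.cgi?id=209158
+<rdar://problem/59222012>
+
+Reviewed by Saam Barati.
+
+When we override an intrinsic getter with a user defined getter, we might end up with the
+same offset and attributes. In which case, an inline cache that contained an entry for the
+intrisic getter will believe that it is still valid, and add a new getter access case,
+leading to duplicate entries for the same structure.
+
+* bytecode/AccessCase.cpp:
+(JSC::AccessCase::canReplace const):
+
 2020-03-16 Yusuke Suzuki <ysuzuki@apple.com>
 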
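--- a/trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp
+++ b/trunk/Source/JavaScriptCore/bytecode/AccessCase.cpp
@@ -588,4 +588,21 @@
 if (m_identifier != other.m_identifier)
 return false;
+
+auto checkPolyProtoAndStructure = [&] {
+if (m_polyProtoAccessChain) {
+if (!other.m_polyProtoAccessChain)
+return false;
+// This is the only check we need since PolyProtoAccessChain contains the base structure.
+// If we ever change it to contain only the prototype chain, we'll also need to change
+// this to check the base structure.
+return structure() == other.structure()
+&& *m_polyProtoAccessChain == *other.m_polyProtoAccessChain;
+}
+
+if (!guardedByStructureCheckSkippingConstantIdentifierCheck() || !other.guardedByStructureCheckSkippingConstantIdentifierCheck())
+return false;
+
+return structure() == other.structure();
+};
 
 switch (type()) {
@@ -649,5 +666,4 @@
 case Miss:
 case GetGetter:
-case Getter:
 case Setter:
 case CustomValueGetter:
@@ -655,5 +671,4 @@
 case CustomValueSetter:
 case CustomAccessorSetter:
-case IntrinsicGetter:
 case InHit:
 case InMiss:
@@ -661,18 +676,12 @@
 return false;
 
-if (m_polyProtoAccessChain) {
-if (!other.m_polyProtoAccessChain)
-return false;
-// This is the only check we need since PolyProtoAccessChain contains the base structure.
-// If we ever change it to contain only the prototype chain, we'll also need to change
-// this to check the base structure.
-return structure() == other.structure()
-&& *m_polyProtoAccessChain == *other.m_polyProtoAccessChain;
-}
-
-if (!guardedByStructureCheckSkippingConstantIdentifierCheck() || !other.guardedByStructureCheckSkippingConstantIdentifierCheck())
+return checkPolyProtoAndStructure();
+
+case IntrinsicGetter:
+case Getter:
+if (other.type() != Getter && other.type() != IntrinsicGetter)
 return false;
 
-return structure() == other.structure();
+return checkPolyProtoAndStructure();
 }
 RELEASE_ASSERT_NOT_REACHED();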
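Review bot: The new `case IntrinsicGetter: case Getter:` branch at the end of the switch has no comment explaining why these two types may replace each other, and the changeset edits only ChangeLog and AccessCase.cpp, so no regression test is visible here. The rationale currently lives only in the ChangeLog; I would put it next to the check, e.g. `// A user-defined getter can override an intrinsic getter at the same offset and attributes, so Getter and IntrinsicGetter must be able to replace each other.` Duplicate access cases for one structure are an inline-cache consistency problem, so a test that overrides an intrinsic getter after the cache has warmed up would help keep this from regressing. The enclosing function starts and continues outside the lines shown, so the remaining switch arms are not reviewed here.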