Context Navigation

← Previous Changeset
Next Changeset →

Changeset 51976 in webkit

Timestamp:

Dec 10, 2009 6:22:07 PM (14 years ago)

Author:

oliver@apple.com

Message:

Incorrect caching of prototype lookup with dictionary base
https://bugs.webkit.org/show_bug.cgi?id=32402

Reviewed by Gavin Barraclough

Make sure we don't add cached prototype lookup to the proto_list
lookup chain if the top level object is a dictionary.

Location:

trunk

Files:

: 5 edited

JavaScriptCore/ChangeLog (modified) (1 diff)
JavaScriptCore/jit/JITStubs.cpp (modified) (4 diffs)
LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/fast/js/dictionary-prototype-caching-expected.txt (modified) (1 diff)
LayoutTests/fast/js/script-tests/dictionary-prototype-caching.js (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/JavaScriptCore/ChangeLog

-                      r51975
+                      r51976
+-12-10  Oliver Hunt  <oliver@apple.com>
+        Reviewed by Gavin Barraclough.
+        Incorrect caching of prototype lookup with dictionary base
+        https://bugs.webkit.org/show_bug.cgi?id=32402
+        Make sure we don't add cached prototype lookup to the proto_list
+        lookup chain if the top level object is a dictionary.
+        * jit/JITStubs.cpp:
+        (JSC::JITThunks::tryCacheGetByID):
 -12-10  Gavin Barraclough  <barraclough@apple.com>

trunk/JavaScriptCore/jit/JITStubs.cpp

-                      r51975
+                      r51976
         stubInfo->initGetByIdProto(structure, slotBaseObject->structure());
+        ASSERT(!structure->isDictionary());
+        ASSERT(!slotBaseObject->structure()->isDictionary());
         JIT::compileGetByIdProto(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, structure, slotBaseObject->structure(), slot.cachedOffset(), returnAddress);
         return;
 …
     CHECK_FOR_EXCEPTION();
     if (!baseValue.isCell() || !slot.isCacheable() || asCell(baseValue)->structure()->isUncacheableDictionary()) {
+    if (!baseValue.isCell() || !slot.isCacheable() || asCell(baseValue)->structure()->isDictionary()) {
         ctiPatchCallByReturnAddress(callFrame->codeBlock(), STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_fail));
         return JSValue::encode(result);
 …
         ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_fail));
     else if (slot.slotBase() == asCell(baseValue)->structure()->prototypeForLookup(callFrame)) {
+        ASSERT(!asCell(baseValue)->structure()->isDictionary());
         // Since we're accessing a prototype in a loop, it's a good bet that it
         // should not be treated as a dictionary.
 …
             ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_list_full));
     } else if (size_t count = normalizePrototypeChain(callFrame, baseValue, slot.slotBase())) {
+        ASSERT(!asCell(baseValue)->structure()->isDictionary());
         int listIndex;
         PolymorphicAccessStructureList* prototypeStructureList = getPolymorphicAccessStructureListSlot(stubInfo, listIndex);

trunk/LayoutTests/ChangeLog

-                      r51973
+                      r51976
+-12-10  Oliver Hunt  <oliver@apple.com>
+        Reviewed by Gavin Barraclough.
+        Incorrect caching of prototype lookup with dictionary base
+        https://bugs.webkit.org/show_bug.cgi?id=32402
+        Adding test for prototype caching through a dictionary
+        * fast/js/dictionary-prototype-caching-expected.txt:
+        * fast/js/script-tests/dictionary-prototype-caching.js:
+        (testFunction):
 -12-10  Alexey Proskuryakov  <ap@apple.com>

trunk/LayoutTests/fast/js/dictionary-prototype-caching-expected.txt

-                      r50707
+                      r51976
 PASS protoKeys is [1,2,3]
 PASS protoKeys is [1,2,3]
+PASS testFunction(subclass1) is true
+PASS testFunction(subclass2) is true
+PASS testFunction(subclass2) is true
 PASS successfullyParsed is true

trunk/LayoutTests/fast/js/script-tests/dictionary-prototype-caching.js

-                      r50704
+                      r51976
 shouldBe("protoKeys", "[1,2,3]");
+function testFunction(o) {
+    return o.test;
+}
+var proto = { test: true };
+var subclass1 = { __proto__: proto };
+var subclass2 = { __proto__: proto };
+for (var i = 0; i < 500; i++)
+    subclass2["a"+i]="a"+i;
+testFunction(subclass1);
+shouldBeTrue("testFunction(subclass1)");
+shouldBeTrue("testFunction(subclass2)");
+proto.test = false
+subclass2.test = true;
+shouldBeTrue("testFunction(subclass2)");
 successfullyParsed = true;

Note: See TracChangeset for help on using the changeset viewer.