haikuwebkit/LayoutTests/js/dom/put-override-should-not-use...


[JSC] Give up IC when unknown structure transition happens
https://bugs.webkit.org/show_bug.cgi?id=206846

Reviewed by Mark Lam.

JSTests:

* stress/ensure-crash.js: Added.
* stress/incorrect-put-could-generate-invalid-ic-but-still-not-causing-bad-behavior-bad-transition-debug.js: Added.
(shouldBe):
(putter):
(not_string.toString):
* stress/incorrect-put-could-generate-invalid-ic-but-still-not-causing-bad-behavior-bad-transition.js: Added.
(shouldBe):
(putter):
(not_string.toString):
* stress/incorrect-put-could-generate-invalid-ic-but-still-not-causing-bad-behavior.js: Added.
(shouldBe):
(putter):
(not_string.toString):
* stress/incorrect-put-could-generate-invalid-ic-involving-dictionary-flatten.js: Added.
(shouldBe):
(dictionary):
(putter):
(not_string.toString):

Source/JavaScriptCore:

When we are creating Put IC for a new property, we grab the old Structure before performing the put.
For a custom ::put, our convention is that the implemented ::put should mark the PutPropertySlot as non-cacheable.
The IC code relies on this in order to work correctly. If we didn't mark it as non-cacheable, a semantic failure can happen.
This patch hardens the code against this semantic failure case by giving up trying to cache the IC when the newStructure
calculated from oldStructure does not match against the actual structure after the put operation.

* jit/Repatch.cpp:
(JSC::tryCachePutByID):
(JSC::repatchPutByID):
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
* tools/JSDollarVM.cpp:
(JSC::functionCreateObjectDoingSideEffectPutWithoutCorrectSlotStatus):
(JSC::JSDollarVM::finishCreation):
(JSC::JSDollarVM::visitChildren):
* tools/JSDollarVM.h:

Source/WebCore:

IDL Code Generator should taint PutPropertySlot or taint implemented object to avoid Put IC caching when it implements
custom ::put operation which has side-effect regardless of Structure.
Otherwise, IC can be set up and IC can do fast path without consulting the custom ::put operation.

Test: js/dom/put-override-should-not-use-ic.html

* bindings/scripts/CodeGeneratorJS.pm:
(GenerateHeader):
* bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.h:
* bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.h:
* bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.h:
* bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.h:
* bindings/scripts/test/JS/JSTestNamedSetterThrowingException.h:
* bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.h:
* bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.h:
* bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.h:
* bindings/scripts/test/JS/JSTestNamedSetterWithOverrideBuiltins.h:
* bindings/scripts/test/JS/JSTestNamedSetterWithUnforgableProperties.h:
* bindings/scripts/test/JS/JSTestNamedSetterWithUnforgablePropertiesAndOverrideBuiltins.h:
* bindings/scripts/test/JS/JSTestPluginInterface.h:

Tools:

Add `crash!` annotation, which allows us to write a crashing JS test.

* Scripts/run-jsc-stress-tests:
* Scripts/webkitruby/jsc-stress-test-writer-default.rb:
* Scripts/webkitruby/jsc-stress-test-writer-playstation.rb:
* Scripts/webkitruby/jsc-stress-test-writer-ruby.rb:

LayoutTests:

* js/dom/put-override-should-not-use-ic-expected.txt: Added.
* js/dom/put-override-should-not-use-ic.html: Added.

Canonical link: https://commits.webkit.org/219959@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@255365 268f45cc-cd09-0410-ab3c-d52691b4dbfc
2020-01-29 18:07:40 +00:00
PASS DOM object overriding ::put operation should not allow IC
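The commit message above describes the Put IC decision and the hardening it adds. As an added illustration (not WebKit code, and not the layout test itself), the following toy model reproduces that decision: interned "structures" stand in for JSC Structures, `SideEffectPutObject` stands in for a DOM object whose custom ::put has a side effect and never transitions, and `tryCachePutByID`, `structureFor`, `PlainObject` and `cachesIC` are names chosen for this model only.

```javascript
// Added example, not WebKit code: a toy model of the Put IC decision the commit
// message describes. "Structures" are interned shapes (lists of property names);
// each object carries one. The hardened check refuses to cache when the structure
// predicted from the old one does not match the object's real structure after the put.
const structures = new Map();
function structureFor(keys) {
  const id = keys.join("\0");
  if (!structures.has(id)) structures.set(id, { keys: [...keys] });
  return structures.get(id);
}

// Ordinary object: a put of a new property takes the add-property transition.
class PlainObject {
  constructor() { this.structure = structureFor([]); this.storage = {}; }
  put(key, value, slot) {
    if (!this.structure.keys.includes(key))
      this.structure = structureFor([...this.structure.keys, key]);
    this.storage[key] = value;
  }
}

// Stand-in for a DOM object with a custom ::put that has a side effect (here, a log)
// and never transitions its structure. `taintsSlot` models the convention the commit
// relies on: the custom put marking the PutPropertySlot non-cacheable.
class SideEffectPutObject extends PlainObject {
  constructor(log, taintsSlot) { super(); this.log = log; this.taintsSlot = taintsSlot; }
  put(key, value, slot) {
    this.log.push(key);
    if (this.taintsSlot) slot.cacheable = false;
    this.storage[key] = value;           // stored without a structure change
  }
}

// Model of tryCachePutByID for a new-property put. Returns the transition an IC
// would cache, or null when caching is given up. `hardened` toggles this patch's check.
function tryCachePutByID(obj, key, value, hardened) {
  const oldStructure = obj.structure;
  const slot = { cacheable: true };
  const newStructure = structureFor([...oldStructure.keys, key]); // predicted from old
  obj.put(key, value, slot);
  if (!slot.cacheable) return null;               // convention honoured: no IC
  if (hardened && obj.structure !== newStructure) // this patch: unknown transition
    return null;
  return { from: oldStructure, to: newStructure };
}

// Unhardened: the side-effecting object gets a (wrong) IC; hardened: mismatch, no IC.
function cachesIC(obj, hardened) { return tryCachePutByID(obj, "x", 1, hardened) !== null; }
```

With the IC refused, every later assignment keeps going through the custom put, which is exactly what the layout test's PASS line checks for a real DOM object.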