putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present

https://bugs.webkit.org/show_bug.cgi?id=182755
<rdar://problem/37080864>

Reviewed by Keith Miller.

JSTests:

* stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
(test1.o.get 10005):
(test1):
(test2.o.get 1000):
(test2):

Source/JavaScriptCore:

putDirectIndexSlowOrBeyondVectorLength with non-zero attributes only converted
the object in question to a dictionary indexing mode when the index is less than
the vector length. This makes no sense. If we're defining a getter, setter, or read
only property, we must always enter the dictionary indexing mode irrespective
of the index in relation to the vector length.

* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):


Canonical link: https://commits.webkit.org/198545@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@228454 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Saam Barati committed Feb 14, 2018
1 parent e0c58d6 commit 93d3b7f123572c91e2bb37cfe842a27d5d0671d4
Showing with 71 additions and 19 deletions.
  1. +14 −0 JSTests/ChangeLog
  2. +29 −0 JSTests/stress/always-enter-dictionary-indexing-mode-with-getter.js
  3. +17 −0 Source/JavaScriptCore/ChangeLog
  4. +11 −19 Source/JavaScriptCore/runtime/JSObject.cpp
@@ -1,3 +1,17 @@
2018-02-13 Saam Barati <sbarati@apple.com>

putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
https://bugs.webkit.org/show_bug.cgi?id=182755
<rdar://problem/37080864>

Reviewed by Keith Miller.

* stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
(test1.o.get 10005):
(test1):
(test2.o.get 1000):
(test2):

2018-02-13 Caitlin Potter <caitp@igalia.com>

[JSC] cache TaggedTemplate arrays by callsite rather than by contents
@@ -0,0 +1,29 @@
function test1(item) {
var o = {
10000: item,
get 10005() { },
};
let arr = new Array(10008);
for (let key of arr.keys()) {
let o2 = {};
o[key] = o2;
}
}
test1({});
test1(10);
test1(10.5);

function test2(item) {
var o = {
0: item,
get 1000() { },
};
let arr = new Array(1000);
for (let key of arr.keys()) {
let o2 = {};
o[key] = o2;
}
}
test2({});
test2(10);
test2(10.5);
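Review bot: Neither test1 nor test2 checks anything after the `for` loop, so this file only fails if the engine crashes or a debug assertion fires. Consider asserting at the end of each function that the accessor survived the stores, for example that `Object.getOwnPropertyDescriptor(o, 10005).get` (and `1000` in test2) is still a function and that reading `o[10005]` still returns `undefined`. The commit message also names setters and read-only properties, but both functions define only a getter; a variant with a `set` accessor and one with a non-writable index would cover the other attribute cases.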
@@ -1,3 +1,20 @@
2018-02-13 Saam Barati <sbarati@apple.com>

putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
https://bugs.webkit.org/show_bug.cgi?id=182755
<rdar://problem/37080864>

Reviewed by Keith Miller.

putDirectIndexSlowOrBeyondVectorLength with non-zero attributes only converted
the object in question to a dictionary indexing mode when the index is less than
the vector length. This makes no sense. If we're defining a getter, setter, or read
only property, we must always enter the dictionary indexing mode irrespective
of the index in relation to the vector length.

* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):

2018-02-13 Saam Barati <sbarati@apple.com>

Follup fix to r228411 for 32-bit builds. I missed a place where we used non vararg getter for child2().
@@ -2922,11 +2922,9 @@ bool JSObject::putDirectIndexSlowOrBeyondVectorLength(ExecState* exec, unsigned
}

case ALL_INT32_INDEXING_TYPES: {
if (attributes) {
if (i < m_butterfly->vectorLength())
return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, convertInt32ToArrayStorage(vm));
}
ASSERT(!indexingShouldBeSparse());
if (attributes)
return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
if (!value.isInt32()) {
convertInt32ForValue(vm, value);
return putDirectIndexSlowOrBeyondVectorLength(exec, i, value, attributes, mode);
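Review bot: In the ALL_INT32_INDEXING_TYPES arm, the reason `if (attributes)` must go straight to `ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm)` is recorded only in the ChangeLog. The `i < m_butterfly->vectorLength()` split reads like a plausible fast path, so a one-line comment above the check, stating that any getter, setter or read-only index requires dictionary indexing mode regardless of `i`, would help keep the `convertInt32ToArrayStorage(vm)` path from being reintroduced later. The same comment would fit the Double and Contiguous arms.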
@@ -2936,11 +2934,9 @@ bool JSObject::putDirectIndexSlowOrBeyondVectorLength(ExecState* exec, unsigned
}

case ALL_DOUBLE_INDEXING_TYPES: {
if (attributes) {
if (i < m_butterfly->vectorLength())
return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, convertDoubleToArrayStorage(vm));
}
ASSERT(!indexingShouldBeSparse());
if (attributes)
return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
if (!value.isNumber()) {
convertDoubleToContiguous(vm);
return putDirectIndexSlowOrBeyondVectorLength(exec, i, value, attributes, mode);
@@ -2955,20 +2951,16 @@ bool JSObject::putDirectIndexSlowOrBeyondVectorLength(ExecState* exec, unsigned
}

case ALL_CONTIGUOUS_INDEXING_TYPES: {
if (attributes) {
if (i < m_butterfly->vectorLength())
return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, convertContiguousToArrayStorage(vm));
}
ASSERT(!indexingShouldBeSparse());
if (attributes)
return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
putByIndexBeyondVectorLengthWithoutAttributes<ContiguousShape>(exec, i, value);
return true;
}

case ALL_ARRAY_STORAGE_INDEXING_TYPES:
if (attributes) {
if (i < m_butterfly->vectorLength())
return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
}
if (attributes)
return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, arrayStorage());

default:
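Review bot: The two-line `if (attributes)` return is now repeated verbatim in the Int32, Double, Contiguous and ArrayStorage arms, so a later change to one arm can miss the others. Consider a small helper, or handling non-zero `attributes` once ahead of the per-shape logic, so the call to `ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm)` has a single site.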
