From feeb214a1d78006d050a4dfd8caba2606d2e8161 Mon Sep 17 00:00:00 2001 
From: Commit Queue Date: Thu, 27 Apr 2023 11:14:26 -0700 Subject: [PATCH] Unreviewed, reverting r263443@main. https://bugs.webkit.org/show_bug.cgi?id=256050 Speedometer2.1 is failing Reverted changeset: "[JSC] Skip ProxyObject's ICs trap result validation in the common case" https://bugs.webkit.org/show_bug.cgi?id=255661 https://commits.webkit.org/263443@main Canonical link: https://commits.webkit.org/263461@main --- .../microbenchmarks/proxy-get-miss-handler.js | 2 -- JSTests/microbenchmarks/proxy-get.js | 2 -- JSTests/microbenchmarks/proxy-has-hit.js | 2 +- .../microbenchmarks/proxy-has-miss-handler.js | 2 +- JSTests/microbenchmarks/proxy-has-miss.js | 2 +- .../microbenchmarks/proxy-set-miss-handler.js | 2 +- JSTests/microbenchmarks/proxy-set.js | 2 +- Source/JavaScriptCore/builtins/BuiltinNames.h | 3 +- .../JavaScriptCore/builtins/ProxyHelpers.js | 21 +++++------ .../bytecode/BytecodeIntrinsicRegistry.h | 2 -- .../JavaScriptCore/bytecode/BytecodeList.rb | 7 ---- .../bytecode/BytecodeUseDef.cpp | 2 -- .../bytecode/LinkTimeConstant.h | 3 +- .../bytecompiler/BytecodeGenerator.cpp | 6 ---- .../bytecompiler/BytecodeGenerator.h | 1 - .../bytecompiler/NodesCodegen.cpp | 18 ---------- .../dfg/DFGAbstractInterpreterInlines.h | 12 ------- .../JavaScriptCore/dfg/DFGByteCodeParser.cpp | 7 ---- Source/JavaScriptCore/dfg/DFGClobberize.h | 4 --- .../dfg/DFGConstantFoldingPhase.cpp | 29 --------------- Source/JavaScriptCore/dfg/DFGDoesGC.cpp | 1 - Source/JavaScriptCore/dfg/DFGFixupPhase.cpp | 5 --- Source/JavaScriptCore/dfg/DFGGraph.cpp | 2 -- Source/JavaScriptCore/dfg/DFGNode.h | 11 ------ Source/JavaScriptCore/dfg/DFGNodeType.h | 1 - .../dfg/DFGPredictionPropagationPhase.cpp | 1 - Source/JavaScriptCore/dfg/DFGSafeToExecute.h | 1 - .../JavaScriptCore/dfg/DFGSpeculativeJIT.cpp | 14 -------- Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h | 1 - .../dfg/DFGSpeculativeJIT32_64.cpp | 5 --- .../dfg/DFGSpeculativeJIT64.cpp | 5 --- Source/JavaScriptCore/ftl/FTLCapabilities.cpp | 1 - 
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp | 11 ------ Source/JavaScriptCore/jit/JIT.cpp | 1 - Source/JavaScriptCore/jit/JIT.h | 1 - Source/JavaScriptCore/jit/JITOpcodes.cpp | 15 -------- .../JavaScriptCore/llint/LLIntSlowPaths.cpp | 12 ------- Source/JavaScriptCore/llint/LLIntSlowPaths.h | 1 - .../llint/LowLevelInterpreter32_64.asm | 2 -- .../llint/LowLevelInterpreter64.asm | 11 ------ .../JavaScriptCore/runtime/JSGlobalObject.cpp | 8 +++-- .../runtime/JSGlobalObjectFunctions.cpp | 21 ++++++++--- .../runtime/JSGlobalObjectFunctions.h | 3 +- Source/JavaScriptCore/runtime/JSGlobalProxy.h | 2 +- Source/JavaScriptCore/runtime/JSTypeInfo.h | 2 -- Source/JavaScriptCore/runtime/PropertySlot.h | 1 - Source/JavaScriptCore/runtime/ProxyObject.cpp | 25 +++++++------ Source/JavaScriptCore/runtime/ProxyObject.h | 4 +-- Source/JavaScriptCore/runtime/Structure.cpp | 35 ++++--------------- Source/JavaScriptCore/runtime/Structure.h | 27 +------------- .../JavaScriptCore/runtime/StructureInlines.h | 10 ------ .../wasm/js/WebAssemblyGCObjectBase.h | 2 +- .../bindings/js/JSDOMWindowProperties.h | 2 +- 53 files changed, 65 insertions(+), 308 deletions(-) diff --git a/JSTests/microbenchmarks/proxy-get-miss-handler.js b/JSTests/microbenchmarks/proxy-get-miss-handler.js index 9436eec99855..38d56b3a41d9 100644 --- a/JSTests/microbenchmarks/proxy-get-miss-handler.js +++ b/JSTests/microbenchmarks/proxy-get-miss-handler.js @@ -1,6 +1,4 @@ -(function() { var proxy = new Proxy({}, {}); for (var i = 0; i < 1e7; ++i) proxy.test; -})(); diff --git a/JSTests/microbenchmarks/proxy-get.js b/JSTests/microbenchmarks/proxy-get.js index b52050fd2d75..b41bd9bb9347 100644 --- a/JSTests/microbenchmarks/proxy-get.js +++ b/JSTests/microbenchmarks/proxy-get.js @@ -1,4 +1,3 @@ -(function() { var proxy = new Proxy({}, { get(target, propertyName, receiver) { return 42; @@ -7,4 +6,3 @@ var proxy = new Proxy({}, { for (var i = 0; i < 1e7; ++i) proxy.test; -})(); 
diff --git a/JSTests/microbenchmarks/proxy-has-hit.js b/JSTests/microbenchmarks/proxy-has-hit.js index db956684387c..9a385d59adec 100644 --- a/JSTests/microbenchmarks/proxy-has-hit.js +++ b/JSTests/microbenchmarks/proxy-has-hit.js @@ -6,6 +6,6 @@ }); var has; - for (var i = 0; i < 1e7; ++i) + for (var i = 0; i < 1e6; ++i) has = "test" in proxy; })(); diff --git a/JSTests/microbenchmarks/proxy-has-miss-handler.js b/JSTests/microbenchmarks/proxy-has-miss-handler.js index 25c07dfdbdb7..89e87e1b521a 100644 --- a/JSTests/microbenchmarks/proxy-has-miss-handler.js +++ b/JSTests/microbenchmarks/proxy-has-miss-handler.js @@ -2,6 +2,6 @@ var proxy = new Proxy({}, {}); var has; - for (var i = 0; i < 1e7; ++i) + for (var i = 0; i < 1e6; ++i) has = "test" in proxy; })(); diff --git a/JSTests/microbenchmarks/proxy-has-miss.js b/JSTests/microbenchmarks/proxy-has-miss.js index e327e62f4ef0..94c4ca6e9bd0 100644 --- a/JSTests/microbenchmarks/proxy-has-miss.js +++ b/JSTests/microbenchmarks/proxy-has-miss.js @@ -6,6 +6,6 @@ }); var has; - for (var i = 0; i < 1e7; ++i) + for (var i = 0; i < 1e6; ++i) has = "test" in proxy; })(); diff --git a/JSTests/microbenchmarks/proxy-set-miss-handler.js b/JSTests/microbenchmarks/proxy-set-miss-handler.js index 036c8fc54aec..1a5f931a8691 100644 --- a/JSTests/microbenchmarks/proxy-set-miss-handler.js +++ b/JSTests/microbenchmarks/proxy-set-miss-handler.js @@ -1,6 +1,6 @@ (function() { var proxy = new Proxy({}, {}); - for (var i = 0; i < 1e7; ++i) + for (var i = 0; i < 1e6; ++i) proxy.test = i; })(); diff --git a/JSTests/microbenchmarks/proxy-set.js b/JSTests/microbenchmarks/proxy-set.js index 6d6d83c12a7a..537cbb81f57b 100644 --- a/JSTests/microbenchmarks/proxy-set.js +++ b/JSTests/microbenchmarks/proxy-set.js @@ -5,6 +5,6 @@ } }); - for (var i = 0; i < 1e7; ++i) + for (var i = 0; i < 1e6; ++i) proxy.test = i; })(); 
diff --git a/Source/JavaScriptCore/builtins/BuiltinNames.h b/Source/JavaScriptCore/builtins/BuiltinNames.h
index 715f729b4480..f72f098a1139 100644
--- a/Source/JavaScriptCore/builtins/BuiltinNames.h
+++ b/Source/JavaScriptCore/builtins/BuiltinNames.h
@@ -182,8 +182,9 @@ namespace JSC {
 macro(stringSplitFast) \
 macro(stringSubstring) \
 macro(handleNegativeProxyHasTrapResult) \
- macro(handlePositiveProxySetTrapResult) \
 macro(handleProxyGetTrapResult) \
+ macro(handleProxySetTrapResultSloppy) \
+ macro(handleProxySetTrapResultStrict) \
 macro(importModule) \
 macro(copyDataProperties) \
 macro(meta) \
diff --git a/Source/JavaScriptCore/builtins/ProxyHelpers.js b/Source/JavaScriptCore/builtins/ProxyHelpers.js
index e090b83b1096..b861f0275828 100644
--- a/Source/JavaScriptCore/builtins/ProxyHelpers.js
+++ b/Source/JavaScriptCore/builtins/ProxyHelpers.js
@@ -44,9 +44,7 @@ function performProxyObjectHas(propertyName)
 if (trap.@call(handler, target, propertyName))
 return true;
- if (@mustValidateResultOfProxyTrapsExceptGetAndSet(target))
- @handleNegativeProxyHasTrapResult(target, propertyName);
-
+ @handleNegativeProxyHasTrapResult(target, propertyName);
 return false;
 }
@@ -70,8 +68,9 @@ function performProxyObjectGet(propertyName, receiver)
 var trapResult = trap.@call(handler, target, propertyName, receiver);
- if (@mustValidateResultOfProxyGetAndSetTraps(target))
- @handleProxyGetTrapResult(trapResult, target, propertyName);
+ // FIXME: Add op_get_own_property bytecode and IC, which returns two values, value and attributes.
+ // Then we can implement it fully in JS.
+ @handleProxyGetTrapResult(trapResult, target, propertyName);
 return trapResult;
 }
@@ -96,11 +95,9 @@ function performProxyObjectSetSloppy(propertyName, receiver, value)
 if (!@isCallable(trap))
 @throwTypeError("'set' property of a Proxy's handler should be callable");
- if (!trap.@call(handler, target, propertyName, value, receiver))
- return;
+ var trapResult = trap.@call(handler, target, propertyName, value, receiver);
- if (@mustValidateResultOfProxyGetAndSetTraps(target))
- @handlePositiveProxySetTrapResult(target, propertyName, value);
+ @handleProxySetTrapResultSloppy(trapResult, target, propertyName, value);
 }
 @linkTimeConstant
@@ -123,9 +120,7 @@ function performProxyObjectSetStrict(propertyName, receiver, value)
 if (!@isCallable(trap))
 @throwTypeError("'set' property of a Proxy's handler should be callable");
- if (!trap.@call(handler, target, propertyName, value, receiver))
- @throwTypeError("Proxy object's 'set' trap returned falsy value for property '" + @String(propertyName) + "'");
+ var trapResult = trap.@call(handler, target, propertyName, value, receiver);
- if (@mustValidateResultOfProxyGetAndSetTraps(target))
- @handlePositiveProxySetTrapResult(target, propertyName, value);
+ @handleProxySetTrapResultStrict(trapResult, target, propertyName, value);
 }
diff --git a/Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h b/Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h
index 01f190d86a35..f61722b33070 100644
--- a/Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h
+++ b/Source/JavaScriptCore/bytecode/BytecodeIntrinsicRegistry.h
@@ -98,8 +98,6 @@ enum class LinkTimeConstant : int32_t;
 macro(toString) \
 macro(toPropertyKey) \
 macro(toObject) \
- macro(mustValidateResultOfProxyGetAndSetTraps) \
- macro(mustValidateResultOfProxyTrapsExceptGetAndSet) \
 macro(newArrayWithSize) \
 macro(newArrayWithSpecies) \
 macro(newPromise) \
diff --git a/Source/JavaScriptCore/bytecode/BytecodeList.rb b/Source/JavaScriptCore/bytecode/BytecodeList.rb
index 2dd34dd2d9c1..12d88f049728 100644
--- a/Source/JavaScriptCore/bytecode/BytecodeList.rb +++ b/Source/JavaScriptCore/bytecode/BytecodeList.rb @@ -1383,13 +1383,6 @@ type: JSType, } -op :has_structure_with_flags, - args: { - dst: VirtualRegister, - operand: VirtualRegister, - flags: unsigned, - } - end_section :Bytecode begin_section :CLoopHelpers, diff --git a/Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp b/Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp index 1d224730a085..d888e592b1ae 100644 --- a/Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp +++ b/Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp @@ -227,7 +227,6 @@ void computeUsesForBytecodeIndexImpl(const JSInstruction* instruction, Checkpoin USES(OpInByVal, base, property) USES(OpHasPrivateName, base, property) USES(OpHasPrivateBrand, base, brand) - USES(OpHasStructureWithFlags, operand) USES(OpOverridesHasInstance, constructor, hasInstanceValue) USES(OpInstanceof, value, prototype) USES(OpAdd, lhs, rhs) @@ -506,7 +505,6 @@ void computeDefsForBytecodeIndexImpl(unsigned numVars, const JSInstruction* inst DEFS(OpInByVal, dst) DEFS(OpHasPrivateName, dst) DEFS(OpHasPrivateBrand, dst) - DEFS(OpHasStructureWithFlags, dst) DEFS(OpToNumber, dst) DEFS(OpToNumeric, dst) DEFS(OpToString, dst) diff --git a/Source/JavaScriptCore/bytecode/LinkTimeConstant.h b/Source/JavaScriptCore/bytecode/LinkTimeConstant.h index e453d8ef79fb..f55004d9e5a9 100644 --- a/Source/JavaScriptCore/bytecode/LinkTimeConstant.h +++ b/Source/JavaScriptCore/bytecode/LinkTimeConstant.h @@ -109,8 +109,9 @@ class JSGlobalObject; v(stringSplitFast, nullptr) \ v(stringSubstring, nullptr) \ v(handleNegativeProxyHasTrapResult, nullptr) \ - v(handlePositiveProxySetTrapResult, nullptr) \ v(handleProxyGetTrapResult, nullptr) \ + v(handleProxySetTrapResultSloppy, nullptr) \ + v(handleProxySetTrapResultStrict, nullptr) \ v(dateTimeFormat, nullptr) \ v(webAssemblyCompileStreamingInternal, nullptr) \ v(webAssemblyInstantiateStreamingInternal, nullptr) \ 
diff --git a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp index 436d2df13fc0..9b5d8c70bdb3 100644 --- a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp +++ b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp @@ -2835,12 +2835,6 @@ RegisterID* BytecodeGenerator::emitHasPrivateName(RegisterID* dst, RegisterID* b return dst; } -RegisterID* BytecodeGenerator::emitHasStructureWithFlags(RegisterID* dst, RegisterID* src, unsigned flags) -{ - OpHasStructureWithFlags::emit(this, dst, src, flags); - return dst; -} - RegisterID* BytecodeGenerator::emitDirectPutByVal(RegisterID* base, RegisterID* property, RegisterID* value) { OpPutByValDirect::emit(this, base, property, value, ecmaMode()); diff --git a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h index 9e7ef19b22db..82b525a5d85e 100644 --- a/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h +++ b/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h @@ -780,7 +780,6 @@ namespace JSC { RegisterID* emitPrivateFieldPut(RegisterID* base, RegisterID* property, RegisterID* value); RegisterID* emitGetPrivateName(RegisterID* dst, RegisterID* base, RegisterID* property); RegisterID* emitHasPrivateName(RegisterID* dst, RegisterID* base, RegisterID* property); - RegisterID* emitHasStructureWithFlags(RegisterID* dst, RegisterID* src, unsigned flags); void emitCreatePrivateBrand(const JSTextPosition& divot, const JSTextPosition& divotStart, const JSTextPosition& divotEnd); void emitInstallPrivateBrand(RegisterID* target); diff --git a/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp b/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp index aebe905b55ac..829159bc08df 100644 --- a/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp +++ b/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp 
@@ -2027,24 +2027,6 @@ CREATE_INTRINSIC_FOR_BRAND_CHECK(isUndefinedOrNull, IsUndefinedOrNull) #undef CREATE_INTRINSIC_FOR_BRAND_CHECK -RegisterID* BytecodeIntrinsicNode::emit_intrinsic_mustValidateResultOfProxyGetAndSetTraps(BytecodeGenerator& generator, RegisterID* dst) -{ - ArgumentListNode* node = m_args->m_listNode; - RefPtr src = generator.emitNode(node); - ASSERT(!node->m_next); - - return generator.move(dst, generator.emitHasStructureWithFlags(generator.tempDestination(dst), src.get(), Structure::s_hasNonConfigurableReadOnlyOrGetterSetterPropertiesBits)); -} - -RegisterID* BytecodeIntrinsicNode::emit_intrinsic_mustValidateResultOfProxyTrapsExceptGetAndSet(BytecodeGenerator& generator, RegisterID* dst) -{ - ArgumentListNode* node = m_args->m_listNode; - RefPtr src = generator.emitNode(node); - ASSERT(!node->m_next); - - return generator.move(dst, generator.emitHasStructureWithFlags(generator.tempDestination(dst), src.get(), Structure::s_hasNonConfigurablePropertiesBits | Structure::s_didPreventExtensionsBits)); -} - RegisterID* BytecodeIntrinsicNode::emit_intrinsic_newArrayWithSize(JSC::BytecodeGenerator& generator, JSC::RegisterID* dst) { ArgumentListNode* node = m_args->m_listNode; diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h index ce7d97419729..19312290f0e5 100644 --- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h +++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 
@@ -4845,18 +4845,6 @@ bool AbstractInterpreter::executeEffects(unsigned clobberLimi break; } - case HasStructureWithFlags: { - const AbstractValue& child = forNode(node->child1()); - unsigned flags = node->structureFlags(); - ASSERT(flags); - - if (Structure::bitFieldFlagsCantBeChangedWithoutTransition(flags) && child.m_type && !(child.m_type & ~SpecCell) && child.m_structure.isFinite()) - m_state.setShouldTryConstantFolding(true); - - setNonCellTypeForNode(node, SpecBoolean); - break; - } - case ParseInt: { AbstractValue value = forNode(node->child1()); if (value.m_type && !(value.m_type & ~SpecInt32Only)) { diff --git a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp index 4341423bcfd7..c0ae3f636ce7 100644 --- a/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp +++ b/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp @@ -6624,13 +6624,6 @@ void ByteCodeParser::parseBlock(unsigned limit) NEXT_OPCODE(op_is_cell_with_type); } - case op_has_structure_with_flags: { - auto bytecode = currentInstruction->as(); - Node* object = get(bytecode.m_operand); - set(bytecode.m_dst, addToGraph(HasStructureWithFlags, OpInfo(bytecode.m_flags), object)); - NEXT_OPCODE(op_has_structure_with_flags); - } - case op_is_object: { auto bytecode = currentInstruction->as(); Node* value = get(bytecode.m_operand); diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h index 6e14dadd74c2..e204c63f089e 100644 --- a/Source/JavaScriptCore/dfg/DFGClobberize.h +++ b/Source/JavaScriptCore/dfg/DFGClobberize.h 
@@ -1252,10 +1252,6 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu def(HeapLocation(CheckTypeInfoFlagsLoc, JSCell_typeInfoFlags, node->child1()), LazyNode(node)); return; - case HasStructureWithFlags: - read(World); - return; - case ParseInt: // Note: We would have eliminated a ParseInt that has just a single child as an Int32Use inside fixup. if (node->child1().useKind() == StringUse || node->child1().useKind() == DoubleRepUse || node->child1().useKind() == Int32Use) { diff --git a/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp b/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp index 43f4c649404a..ee51652c181f 100644 --- a/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp +++ b/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp @@ -1121,35 +1121,6 @@ class ConstantFoldingPhase : public Phase { break; } - - case HasStructureWithFlags: { - const AbstractValue& child = m_state.forNode(node->child1()); - unsigned flags = node->structureFlags(); - ASSERT(flags); - - if (Structure::bitFieldFlagsCantBeChangedWithoutTransition(flags) && child.m_type && !(child.m_type & ~SpecCell) && child.m_structure.isFinite()) { - bool canFoldToTrue = true; - bool canFoldToFalse = true; - - child.m_structure.forEach([&] (RegisteredStructure structure) { - bool notDictionary = !structure->isDictionary(); - bool hasAnyOfBitFieldFlags = structure->hasAnyOfBitFieldFlags(flags); - - canFoldToTrue &= notDictionary && hasAnyOfBitFieldFlags; - canFoldToFalse &= notDictionary && !hasAnyOfBitFieldFlags; - }); - - if (canFoldToTrue) { - m_graph.convertToConstant(node, jsBoolean(true)); - changed = true; - } else if (canFoldToFalse) { - m_graph.convertToConstant(node, jsBoolean(false)); - changed = true; - } - } - - break; - } case PhantomNewObject: case PhantomNewFunction: diff --git a/Source/JavaScriptCore/dfg/DFGDoesGC.cpp b/Source/JavaScriptCore/dfg/DFGDoesGC.cpp index 51bfe366ca77..7a333e05bd5d 100644 
--- a/Source/JavaScriptCore/dfg/DFGDoesGC.cpp +++ b/Source/JavaScriptCore/dfg/DFGDoesGC.cpp @@ -187,7 +187,6 @@ bool doesGC(Graph& graph, Node* node) case Check: case CheckVarargs: case CheckTypeInfoFlags: - case HasStructureWithFlags: case MultiGetByOffset: case MultiDeleteByOffset: case ValueRep: diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp index d3b35daccdb2..0c2246d09b02 100644 --- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp +++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp @@ -2384,11 +2384,6 @@ class FixupPhase : public Phase { break; } - case HasStructureWithFlags: { - fixEdge(node->child1()); - break; - } - case HasIndexedProperty: { node->setArrayMode( node->arrayMode().refine( diff --git a/Source/JavaScriptCore/dfg/DFGGraph.cpp b/Source/JavaScriptCore/dfg/DFGGraph.cpp index 70cb44c0c0ae..07aed18ca1b4 100644 --- a/Source/JavaScriptCore/dfg/DFGGraph.cpp +++ b/Source/JavaScriptCore/dfg/DFGGraph.cpp @@ -289,8 +289,6 @@ void Graph::dump(PrintStream& out, const char* prefixStr, Node* node, DumpContex } if (node->hasQueriedType()) out.print(comma, node->queriedType()); - if (node->hasStructureFlags()) - out.print(comma, node->structureFlags()); if (node->hasStorageAccessData()) { StorageAccessData& storageAccessData = node->storageAccessData(); out.print(comma, "id", storageAccessData.identifierNumber, "{", identifiers()[storageAccessData.identifierNumber], "}"); diff --git a/Source/JavaScriptCore/dfg/DFGNode.h b/Source/JavaScriptCore/dfg/DFGNode.h index 01c6412e3127..f9fb9de1fb23 100644 --- a/Source/JavaScriptCore/dfg/DFGNode.h +++ b/Source/JavaScriptCore/dfg/DFGNode.h @@ -1487,17 +1487,6 @@ struct Node { { return speculationFromJSType(queriedType()); } - - bool hasStructureFlags() - { - return op() == HasStructureWithFlags; - } - - uint32_t structureFlags() - { - ASSERT(hasStructureFlags()); - return m_opInfo.as(); - } bool hasResult() { 
diff --git a/Source/JavaScriptCore/dfg/DFGNodeType.h b/Source/JavaScriptCore/dfg/DFGNodeType.h index 197539fe888e..7526aed692db 100644 --- a/Source/JavaScriptCore/dfg/DFGNodeType.h +++ b/Source/JavaScriptCore/dfg/DFGNodeType.h @@ -418,7 +418,6 @@ namespace JSC { namespace DFG { \ macro(IsCellWithType, NodeResultBoolean) \ macro(IsEmpty, NodeResultBoolean) \ - macro(HasStructureWithFlags, NodeResultBoolean) \ macro(TypeOfIsUndefined, NodeResultBoolean) \ macro(TypeOfIsObject, NodeResultBoolean) \ macro(TypeOfIsFunction, NodeResultBoolean) \ diff --git a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp index 19df5476a749..3b41992439d5 100644 --- a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp +++ b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp @@ -1132,7 +1132,6 @@ class PredictionPropagationPhase : public Phase { case IsConstructor: case IsCellWithType: case IsTypedArrayView: - case HasStructureWithFlags: case MatchStructure: { setPrediction(SpecBoolean); break; diff --git a/Source/JavaScriptCore/dfg/DFGSafeToExecute.h b/Source/JavaScriptCore/dfg/DFGSafeToExecute.h index 23119db50fdd..fdb809ffe9fa 100644 --- a/Source/JavaScriptCore/dfg/DFGSafeToExecute.h +++ b/Source/JavaScriptCore/dfg/DFGSafeToExecute.h @@ -272,7 +272,6 @@ bool safeToExecute(AbstractStateType& state, Graph& graph, Node* node, bool igno case IsConstructor: case IsCellWithType: case IsTypedArrayView: - case HasStructureWithFlags: case TypeOf: case ToBoolean: case LogicalNot: diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp index 7ab9eaad5141..5674750ae618 100644 --- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp +++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 
@@ -5969,20 +5969,6 @@ void SpeculativeJIT::compileIsTypedArrayView(Node* node) blessedBooleanResult(resultGPR, node); } -void SpeculativeJIT::compileHasStructureWithFlags(Node* node) -{ - SpeculateCellOperand object(this, node->child1()); - GPRTemporary result(this, Reuse, object); - - GPRReg objectGPR = object.gpr(); - GPRReg resultGPR = result.gpr(); - - emitLoadStructure(vm(), objectGPR, resultGPR); - test32(NonZero, Address(resultGPR, Structure::bitFieldOffset()), TrustedImm32(node->structureFlags()), resultGPR); - - unblessedBooleanResult(resultGPR, node); -} - void SpeculativeJIT::compileToObjectOrCallObjectConstructor(Node* node) { RELEASE_ASSERT(node->child1().useKind() == UntypedUse); diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h index 9b6e50939f5a..9ef73f7c4baa 100644 --- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h +++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h @@ -1402,7 +1402,6 @@ class SpeculativeJIT : public JITCompiler { void compileCheckTypeInfoFlags(Node*); void compileCheckIdent(Node*); - void compileHasStructureWithFlags(Node*); void compileParseInt(Node*); diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp index 18d03d994ac1..11b31fbdfd57 100644 --- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp +++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp @@ -3565,11 +3565,6 @@ void SpeculativeJIT::compile(Node* node) break; } - case HasStructureWithFlags: { - compileHasStructureWithFlags(node); - break; - } - case OverridesHasInstance: { compileOverridesHasInstance(node); break; diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp index cf24bb059148..74a8dafe0727 100644 --- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp +++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 
@@ -4756,11 +4756,6 @@ void SpeculativeJIT::compile(Node* node) break; } - case HasStructureWithFlags: { - compileHasStructureWithFlags(node); - break; - } - case ParseInt: { compileParseInt(node); break; diff --git a/Source/JavaScriptCore/ftl/FTLCapabilities.cpp b/Source/JavaScriptCore/ftl/FTLCapabilities.cpp index 91424465af2c..10d4053e6155 100644 --- a/Source/JavaScriptCore/ftl/FTLCapabilities.cpp +++ b/Source/JavaScriptCore/ftl/FTLCapabilities.cpp @@ -289,7 +289,6 @@ inline CapabilityLevel canCompile(Node* node) case IsConstructor: case IsTypedArrayView: case CheckTypeInfoFlags: - case HasStructureWithFlags: case OverridesHasInstance: case InstanceOf: case InstanceOfCustom: diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp index d09a6431645c..98d3bb0a6953 100644 --- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp +++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp @@ -1554,9 +1554,6 @@ class LowerDFGToB3 { case CheckTypeInfoFlags: compileCheckTypeInfoFlags(); break; - case HasStructureWithFlags: - compileHasStructureWithFlags(); - break; case OverridesHasInstance: compileOverridesHasInstance(); break; @@ -13974,14 +13971,6 @@ IGNORE_CLANG_WARNINGS_END m_out.load8ZeroExt32(lowCell(m_node->child1()), m_heaps.JSCell_typeInfoFlags), m_out.constInt32(m_node->typeInfoOperand()))); } - - void compileHasStructureWithFlags() - { - LValue object = lowCell(m_node->child1()); - LValue structure = loadStructure(object); - LValue structureFlags = m_out.load32(structure, m_heaps.Structure_bitField); - setBoolean(m_out.testNonZero32(structureFlags, m_out.constInt32(m_node->structureFlags()))); - } void compileInstanceOf() { diff --git a/Source/JavaScriptCore/jit/JIT.cpp b/Source/JavaScriptCore/jit/JIT.cpp index 51f6e88eaa25..bda890a9c1bd 100644 --- a/Source/JavaScriptCore/jit/JIT.cpp +++ b/Source/JavaScriptCore/jit/JIT.cpp 
@@ -358,7 +358,6 @@ void JIT::privateCompileMainPass() DEFINE_OP(op_is_big_int) DEFINE_OP(op_is_object) DEFINE_OP(op_is_cell_with_type) - DEFINE_OP(op_has_structure_with_flags) DEFINE_OP(op_jeq_null) DEFINE_OP(op_jfalse) DEFINE_OP(op_jmp) diff --git a/Source/JavaScriptCore/jit/JIT.h b/Source/JavaScriptCore/jit/JIT.h index 6f7b85b487be..3c4652d46db9 100644 --- a/Source/JavaScriptCore/jit/JIT.h +++ b/Source/JavaScriptCore/jit/JIT.h @@ -440,7 +440,6 @@ namespace JSC { #endif void emit_op_is_object(const JSInstruction*); void emit_op_is_cell_with_type(const JSInstruction*); - void emit_op_has_structure_with_flags(const JSInstruction*); void emit_op_jeq_null(const JSInstruction*); void emit_op_jfalse(const JSInstruction*); void emit_op_jmp(const JSInstruction*); diff --git a/Source/JavaScriptCore/jit/JITOpcodes.cpp b/Source/JavaScriptCore/jit/JITOpcodes.cpp index e4d06985762b..f9bcc144e1ef 100644 --- a/Source/JavaScriptCore/jit/JITOpcodes.cpp +++ b/Source/JavaScriptCore/jit/JITOpcodes.cpp @@ -374,21 +374,6 @@ void JIT::emit_op_is_object(const JSInstruction* currentInstruction) emitPutVirtualRegister(dst, jsRegT10); } -void JIT::emit_op_has_structure_with_flags(const JSInstruction* currentInstruction) -{ - auto bytecode = currentInstruction->as(); - VirtualRegister dst = bytecode.m_dst; - VirtualRegister object = bytecode.m_operand; - unsigned flags = bytecode.m_flags; - - emitGetVirtualRegister(object, jsRegT10); - emitLoadStructure(vm(), jsRegT10.payloadGPR(), regT2); - - test32(NonZero, Address(regT2, Structure::bitFieldOffset()), TrustedImm32(flags), regT0); - boxBoolean(regT0, jsRegT10); - emitPutVirtualRegister(dst, jsRegT10); -} - void JIT::emit_op_to_primitive(const JSInstruction* currentInstruction) { auto bytecode = currentInstruction->as(); diff --git a/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp b/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp index 3c97766ffd65..3e8dd58fe249 100644 --- a/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp 
+++ b/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp @@ -1505,18 +1505,6 @@ LLINT_SLOW_PATH_DECL(slow_path_has_private_brand) LLINT_RETURN(jsBoolean(asObject(baseValue)->hasPrivateBrand(globalObject, getOperand(callFrame, bytecode.m_brand)))); } -LLINT_SLOW_PATH_DECL(slow_path_has_structure_with_flags) -{ - LLINT_BEGIN(); - - auto bytecode = pc->as(); - ASSERT(getOperand(callFrame, bytecode.m_operand).isObject()); - JSObject* object = asObject(getOperand(callFrame, bytecode.m_operand)); - unsigned flags = bytecode.m_flags; - - LLINT_RETURN(jsBoolean(object->structure()->hasAnyOfBitFieldFlags(flags))); -} - LLINT_SLOW_PATH_DECL(slow_path_put_getter_by_id) { LLINT_BEGIN(); diff --git a/Source/JavaScriptCore/llint/LLIntSlowPaths.h b/Source/JavaScriptCore/llint/LLIntSlowPaths.h index f1a606ceabf6..3550cec34ac4 100644 --- a/Source/JavaScriptCore/llint/LLIntSlowPaths.h +++ b/Source/JavaScriptCore/llint/LLIntSlowPaths.h @@ -76,7 +76,6 @@ LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_in_by_id); LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_in_by_val); LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_has_private_name); LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_has_private_brand); -LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_has_structure_with_flags); LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_del_by_id); LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_get_by_val); LLINT_SLOW_PATH_HIDDEN_DECL(slow_path_get_private_name); diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm index 80bc9e251b9a..1ff972f19e96 100644 --- a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm +++ b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm @@ -3311,5 +3311,3 @@ slowPathOp(enumerator_in_by_val) slowPathOp(enumerator_put_by_val) slowPathOp(enumerator_has_own_property) slowPathOp(mod) - -llintSlowPathOp(has_structure_with_flags) 
diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm index 0b804270a720..1d7cb7810cae 100644 --- a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm +++ b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm @@ -1611,17 +1611,6 @@ llintOpWithReturn(op_is_cell_with_type, OpIsCellWithType, macro (size, get, disp end) -llintOpWithReturn(op_has_structure_with_flags, OpHasStructureWithFlags, macro (size, get, dispatch, return) - getu(size, OpHasStructureWithFlags, m_flags, t0) - get(m_operand, t1) - loadConstantOrVariable(size, t1, t2) - loadStructureWithScratch(t2, t3, t1) - tinz Structure::m_bitField[t3], t0, t1 - orq ValueFalse, t1 - return(t1) -end) - - llintOpWithReturn(op_is_object, OpIsObject, macro (size, get, dispatch, return) get(m_operand, t1) loadConstantOrVariable(size, t1, t0) diff --git a/Source/JavaScriptCore/runtime/JSGlobalObject.cpp b/Source/JavaScriptCore/runtime/JSGlobalObject.cpp index 49509b26ab13..add79d9113fc 100644 --- a/Source/JavaScriptCore/runtime/JSGlobalObject.cpp +++ b/Source/JavaScriptCore/runtime/JSGlobalObject.cpp 
@@ -1601,8 +1601,12 @@ capitalName ## Constructor* lowerName ## Constructor = featureFlag ? capitalName
 init.set(JSFunction::create(init.vm, jsCast(init.owner), 3, "handleProxyGetTrapResult"_s, globalFuncHandleProxyGetTrapResult, ImplementationVisibility::Private));
 });
- m_linkTimeConstants[static_cast(LinkTimeConstant::handlePositiveProxySetTrapResult)].initLater([] (const Initializer& init) {
- init.set(JSFunction::create(init.vm, jsCast(init.owner), 3, "handlePositiveProxySetTrapResult"_s, globalFuncHandlePositiveProxySetTrapResult, ImplementationVisibility::Private));
+ m_linkTimeConstants[static_cast(LinkTimeConstant::handleProxySetTrapResultSloppy)].initLater([] (const Initializer& init) {
+ init.set(JSFunction::create(init.vm, jsCast(init.owner), 4, "handleProxySetTrapResultSloppy"_s, globalFuncHandleProxySetTrapResultSloppy, ImplementationVisibility::Private));
+ });
+
+ m_linkTimeConstants[static_cast(LinkTimeConstant::handleProxySetTrapResultStrict)].initLater([] (const Initializer& init) {
+ init.set(JSFunction::create(init.vm, jsCast(init.owner), 4, "handleProxySetTrapResultStrict"_s, globalFuncHandleProxySetTrapResultStrict, ImplementationVisibility::Private));
 });
 m_linkTimeConstants[static_cast(LinkTimeConstant::dateTimeFormat)].initLater([] (const Initializer& init) {
diff --git a/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp b/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
index e59d3f1a0d98..2b73db7d034e 100644
--- a/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
+++ b/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp
@@ -1035,22 +1035,33 @@ JSC_DEFINE_HOST_FUNCTION(globalFuncHandleProxyGetTrapResult, (JSGlobalObject* gl
     return JSValue::encode(jsUndefined());
 }
-JSC_DEFINE_HOST_FUNCTION(globalFuncHandlePositiveProxySetTrapResult, (JSGlobalObject* globalObject, CallFrame* callFrame))
+static ALWAYS_INLINE EncodedJSValue globalFuncHandleProxySetTrapResult(JSGlobalObject* globalObject, CallFrame* callFrame, ECMAMode ecmaMode)
 {
     VM& vm = globalObject->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
-    JSObject* target = asObject(callFrame->uncheckedArgument(0));
+    JSValue trapResult = callFrame->uncheckedArgument(0);
+    JSObject* target = asObject(callFrame->uncheckedArgument(1));
-    Identifier propertyName = callFrame->uncheckedArgument(1).toPropertyKey(globalObject);
+    Identifier propertyName = callFrame->uncheckedArgument(2).toPropertyKey(globalObject);
     RETURN_IF_EXCEPTION(scope, { });
-    JSValue putValue = callFrame->uncheckedArgument(2);
+    JSValue putValue = callFrame->uncheckedArgument(3);
     scope.release();
-    ProxyObject::validatePositiveSetTrapResult(globalObject, target, propertyName, putValue);
+    ProxyObject::validateSetTrapResult(globalObject, trapResult, target, propertyName, putValue, ecmaMode.isStrict());
     return JSValue::encode(jsUndefined());
 }
+JSC_DEFINE_HOST_FUNCTION(globalFuncHandleProxySetTrapResultSloppy, (JSGlobalObject* globalObject, CallFrame* callFrame))
+{
+    return globalFuncHandleProxySetTrapResult(globalObject, callFrame, ECMAMode::sloppy());
+}
+
+JSC_DEFINE_HOST_FUNCTION(globalFuncHandleProxySetTrapResultStrict, (JSGlobalObject* globalObject, CallFrame* callFrame))
+{
+    return globalFuncHandleProxySetTrapResult(globalObject, callFrame, ECMAMode::strict());
+}
+
 } // namespace JSC
diff --git a/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h b/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h
index 60ee1c72341c..a2f2d32cad96 100644
--- a/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h
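Review bot: The new `globalFuncHandleProxySetTrapResult` reads four slots with `uncheckedArgument(0..3)` and casts slot 1 with `asObject` without checking it is a cell, so it is only memory-safe if every caller passes exactly four arguments with an object in slot 1; nothing in the hunk records that contract, which presumably holds only because the function is registered as a private link-time constant reached from the ProxyHelpers.js builtin. I would add `ASSERT(callFrame->argumentCount() == 4);` and `ASSERT(callFrame->uncheckedArgument(1).isObject());` right after the scope declaration, or at least a comment `// Only reachable from the ProxyHelpers.js builtins with (trapResult, target, propertyName, putValue).` The `bool` returned by `validateSetTrapResult` is silently discarded on the `scope.release()` path; if that is intentional because the helper itself throws under `ecmaMode.isStrict()`, a one-line comment saying so would spare the next reader a trip to ProxyObject.cpp.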
+++ b/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.h
@@ -62,8 +62,9 @@ JSC_DECLARE_HOST_FUNCTION(globalFuncImportModule);
 JSC_DECLARE_HOST_FUNCTION(globalFuncCopyDataProperties);
 JSC_DECLARE_HOST_FUNCTION(globalFuncDateTimeFormat);
 JSC_DECLARE_HOST_FUNCTION(globalFuncHandleNegativeProxyHasTrapResult);
-JSC_DECLARE_HOST_FUNCTION(globalFuncHandlePositiveProxySetTrapResult);
 JSC_DECLARE_HOST_FUNCTION(globalFuncHandleProxyGetTrapResult);
+JSC_DECLARE_HOST_FUNCTION(globalFuncHandleProxySetTrapResultSloppy);
+JSC_DECLARE_HOST_FUNCTION(globalFuncHandleProxySetTrapResultStrict);
 JS_EXPORT_PRIVATE double jsToNumber(StringView);
diff --git a/Source/JavaScriptCore/runtime/JSGlobalProxy.h b/Source/JavaScriptCore/runtime/JSGlobalProxy.h
index 5d8e4f53bce9..08d4a621fc71 100644
--- a/Source/JavaScriptCore/runtime/JSGlobalProxy.h
+++ b/Source/JavaScriptCore/runtime/JSGlobalProxy.h
@@ -32,7 +32,7 @@ namespace JSC {
 class JSGlobalProxy : public JSNonFinalObject {
 public:
     using Base = JSNonFinalObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesPut | OverridesGetPrototype | OverridesIsExtensible | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesPut | OverridesGetPrototype | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
     template static GCClient::IsoSubspace* subspaceFor(VM& vm)
diff --git a/Source/JavaScriptCore/runtime/JSTypeInfo.h b/Source/JavaScriptCore/runtime/JSTypeInfo.h
index 54ebe0ccd168..a77d7c513224 100644
--- a/Source/JavaScriptCore/runtime/JSTypeInfo.h
+++ b/Source/JavaScriptCore/runtime/JSTypeInfo.h
@@ -60,7 +60,6 @@ static constexpr unsigned StructureIsImmortal = 1 << 17;
 static constexpr unsigned OverridesPut = 1 << 18;
 static constexpr unsigned OverridesGetPrototype = 1 << 19;
 static constexpr unsigned GetOwnPropertySlotMayBeWrongAboutDontEnum = 1 << 20;
-static constexpr unsigned OverridesIsExtensible = 1 << 21;
 static constexpr unsigned numberOfInlineBits = 8;
 static constexpr unsigned OverridesGetPrototypeOutOfLine = OverridesGetPrototype >> numberOfInlineBits;
@@ -106,7 +105,6 @@ class TypeInfo {
     bool overridesAnyFormOfGetOwnPropertyNames() const { return overridesGetOwnPropertyNames() || overridesGetOwnSpecialPropertyNames(); }
     bool overridesPut() const { return isSetOnFlags2(); }
     bool overridesGetPrototype() const { return isSetOnFlags2(); }
-    bool overridesIsExtensible() const { return isSetOnFlags2(); }
     bool prohibitsPropertyCaching() const { return isSetOnFlags2(); }
     bool getOwnPropertySlotIsImpure() const { return isSetOnFlags2(); }
     bool getOwnPropertySlotIsImpureForPropertyAbsence() const { return isSetOnFlags2(); }
diff --git a/Source/JavaScriptCore/runtime/PropertySlot.h b/Source/JavaScriptCore/runtime/PropertySlot.h
index d09dc5930183..32c19810fbf3 100644
--- a/Source/JavaScriptCore/runtime/PropertySlot.h
+++ b/Source/JavaScriptCore/runtime/PropertySlot.h
@@ -50,7 +50,6 @@ enum class PropertyAttribute : unsigned {
     CustomAccessorOrValue = CustomAccessor | CustomValue,
     AccessorOrCustomAccessorOrValue = Accessor | CustomAccessor | CustomValue,
     ReadOnlyOrAccessorOrCustomAccessor = ReadOnly | Accessor | CustomAccessor,
-    ReadOnlyOrAccessorOrCustomAccessorOrValue = ReadOnly | Accessor | CustomAccessor | CustomValue,
     // Things that are used by static hashtables are not in the attributes byte in PropertyTableEntry.
     Function = 1 << 8, // property is a function - only used by static hashtables
diff --git a/Source/JavaScriptCore/runtime/ProxyObject.cpp b/Source/JavaScriptCore/runtime/ProxyObject.cpp
index 92c07d72f836..e7eab3263309 100644
--- a/Source/JavaScriptCore/runtime/ProxyObject.cpp
+++ b/Source/JavaScriptCore/runtime/ProxyObject.cpp
@@ -452,6 +452,13 @@ bool ProxyObject::performPut(JSGlobalObject* globalObject, JSValue putValue, JSV
     ASSERT(!arguments.hasOverflowed());
     JSValue trapResult = call(globalObject, setMethod, callData, handler, arguments);
     RETURN_IF_EXCEPTION(scope, false);
+    RELEASE_AND_RETURN(scope, validateSetTrapResult(globalObject, trapResult, target, propertyName, putValue, shouldThrow));
+}
+
+bool ProxyObject::validateSetTrapResult(JSGlobalObject* globalObject, JSValue trapResult, JSObject* target, PropertyName propertyName, JSValue putValue, bool shouldThrow)
+{
+    VM& vm = globalObject->vm();
+    auto scope = DECLARE_THROW_SCOPE(vm);
     bool trapResultAsBool = trapResult.toBoolean(globalObject);
     RETURN_IF_EXCEPTION(scope, false);
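Review bot: `ProxyObject::validateSetTrapResult` becomes a shared entry point, called from `performPut` here and from the `handleProxySetTrapResult*` host functions, yet its definition carries no comment stating the contract a second caller has to honour. I would add above the definition: `// Shared tail of the Proxy [[Set]] trap: coerces trapResult to a boolean and enforces the target's non-configurable property invariants. Returns false when the result is rejected; shouldThrow presumably selects whether that also raises a TypeError (confirm against the branch below). Expects a clean exception state on entry.` The function body continues in the next hunk, so the `shouldThrow` use itself is not visible here.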
@@ -461,32 +468,24 @@ bool ProxyObject::performPut(JSGlobalObject* globalObject, JSValue putValue, JSV
         return false;
     }
-    validatePositiveSetTrapResult(globalObject, target, propertyName, putValue);
-    RETURN_IF_EXCEPTION(scope, false);
-    return true;
-}
-
-void ProxyObject::validatePositiveSetTrapResult(JSGlobalObject* globalObject, JSObject* target, PropertyName propertyName, JSValue putValue)
-{
-    VM& vm = globalObject->vm();
-    auto scope = DECLARE_THROW_SCOPE(vm);
-
     PropertyDescriptor descriptor;
     bool hasProperty = target->getOwnPropertyDescriptor(globalObject, propertyName, descriptor);
     EXCEPTION_ASSERT(!scope.exception() || !hasProperty);
     if (hasProperty && !descriptor.configurable()) {
         if (descriptor.isDataDescriptor() && !descriptor.writable()) {
             bool isSame = sameValue(globalObject, descriptor.value(), putValue);
-            RETURN_IF_EXCEPTION(scope, void());
+            RETURN_IF_EXCEPTION(scope, false);
             if (!isSame) {
                 throwTypeError(globalObject, scope, "Proxy handler's 'set' on a non-configurable and non-writable property on 'target' should either return false or be the same value already on the 'target'"_s);
-                return;
+                return false;
             }
         } else if (descriptor.isAccessorDescriptor() && descriptor.setter().isUndefined()) {
             throwTypeError(globalObject, scope, "Proxy handler's 'set' method on a non-configurable accessor property without a setter should return false"_s);
-            return;
+            return false;
         }
     }
+
+    return true;
 }
 bool ProxyObject::put(JSCell* cell, JSGlobalObject* globalObject, PropertyName propertyName, JSValue value, PutPropertySlot& slot)
diff --git a/Source/JavaScriptCore/runtime/ProxyObject.h b/Source/JavaScriptCore/runtime/ProxyObject.h
index bdfa72b8c8af..66111c4b15e4 100644
--- a/Source/JavaScriptCore/runtime/ProxyObject.h
+++ b/Source/JavaScriptCore/runtime/ProxyObject.h
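Review bot: After `target->getOwnPropertyDescriptor(...)` the new side only has the debug-only `EXCEPTION_ASSERT(!scope.exception() || !hasProperty)` and then falls through to the added `return true;`, so when that lookup throws (presumably possible when the target is itself a Proxy) `validateSetTrapResult` returns true with an exception pending, and `performPut` now forwards that `true` through `RELEASE_AND_RETURN`. The other early exits in this function all pair the pending exception with `false`, and the removed caller code had a `RETURN_IF_EXCEPTION(scope, false)` on exactly this path. I would add `RETURN_IF_EXCEPTION(scope, false);` directly after the `EXCEPTION_ASSERT` line so the return value and the exception state agree on every path. The head of the function is in the previous hunk.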
@@ -33,7 +33,7 @@ class ProxyObject final : public JSInternalFieldObjectImpl<2> {
 public:
     using Base = JSInternalFieldObjectImpl<2>;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesGetPrototype | OverridesGetCallData | OverridesPut | OverridesIsExtensible | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ProhibitsPropertyCaching;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesGetPrototype | OverridesGetCallData | OverridesPut | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | ProhibitsPropertyCaching;
     enum class Field : uint32_t {
         Target = 0,
@@ -80,8 +80,8 @@ class ProxyObject final : public JSInternalFieldObjectImpl<2> {
     JSValue handler() const { return internalField(Field::Handler).get(); }
     static void validateNegativeHasTrapResult(JSGlobalObject*, JSObject*, PropertyName);
-    static void validatePositiveSetTrapResult(JSGlobalObject*, JSObject*, PropertyName, JSValue putValue);
     static void validateGetTrapResult(JSGlobalObject*, JSValue trapResult, JSObject*, PropertyName);
+    static bool validateSetTrapResult(JSGlobalObject*, JSValue trapResult, JSObject*, PropertyName, JSValue putValue, bool shouldThrow);
     static bool put(JSCell*, JSGlobalObject*, PropertyName, JSValue, PutPropertySlot&);
     static bool putByIndex(JSCell*, JSGlobalObject*, unsigned propertyName, JSValue, bool shouldThrow);
diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp
index aab6759fb4ff..b3983a290044 100644
--- a/Source/JavaScriptCore/runtime/Structure.cpp
+++ b/Source/JavaScriptCore/runtime/Structure.cpp
@@ -172,11 +172,6 @@ void Structure::validateFlags()
         methodTable.put != JSObject::put && methodTable.put != JSCell::put;
     RELEASE_ASSERT(overridesPut == typeInfo().overridesPut());
-
-    bool overridesIsExtensible =
-        methodTable.isExtensible != static_cast(JSObject::isExtensible)
-        && methodTable.isExtensible != JSCell::isExtensible;
-    RELEASE_ASSERT(overridesIsExtensible == typeInfo().overridesIsExtensible());
 }
 #else
 inline void Structure::validateFlags() { }
@@ -194,20 +189,16 @@ Structure::Structure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, co
     , m_classInfo(classInfo)
     , m_transitionWatchpointSet(IsWatched)
 {
-    bool hasStaticNonConfigurableProperty = m_classInfo->hasStaticPropertyWithAnyOfAttributes(static_cast(PropertyAttribute::DontDelete));
-
     setDictionaryKind(NoneDictionaryKind);
     setIsPinnedPropertyTable(false);
     setHasAnyKindOfGetterSetterProperties(classInfo->hasStaticPropertyWithAnyOfAttributes(static_cast(PropertyAttribute::AccessorOrCustomAccessorOrValue)));
     setHasReadOnlyOrGetterSetterPropertiesExcludingProto(hasAnyKindOfGetterSetterProperties() || classInfo->hasStaticPropertyWithAnyOfAttributes(static_cast(PropertyAttribute::ReadOnly)));
-    setHasNonConfigurableProperties(hasStaticNonConfigurableProperty || typeInfo.overridesGetOwnPropertySlot());
-    setHasNonConfigurableReadOnlyOrGetterSetterProperties(hasStaticNonConfigurableProperty || (typeInfo.overridesGetOwnPropertySlot() && typeInfo.type() != ArrayType));
     setHasUnderscoreProtoPropertyExcludingOriginalProto(false);
     setIsQuickPropertyAccessAllowedForEnumeration(true);
     setTransitionPropertyAttributes(0);
     setTransitionKind(TransitionKind::Unknown);
     setMayBePrototype(false);
-    setDidPreventExtensions(typeInfo.overridesIsExtensible());
+    setDidPreventExtensions(false);
     setDidTransition(false);
     setStaticPropertiesReified(false);
     setTransitionWatchpointIsLikelyToBeFired(false);
@@ -220,7 +211,7 @@ Structure::Structure(VM& vm, JSGlobalObject* globalObject, JSValue prototype, co
     ASSERT(static_cast(inlineCapacity) < firstOutOfLineOffset);
     ASSERT(!hasRareData());
     ASSERT(hasAnyKindOfGetterSetterProperties() == m_classInfo->hasStaticPropertyWithAnyOfAttributes(static_cast(PropertyAttribute::AccessorOrCustomAccessorOrValue)));
-    ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() == m_classInfo->hasStaticPropertyWithAnyOfAttributes(static_cast(PropertyAttribute::ReadOnlyOrAccessorOrCustomAccessorOrValue)));
+    ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() == m_classInfo->hasStaticPropertyWithAnyOfAttributes(PropertyAttribute::ReadOnly | PropertyAttribute::AccessorOrCustomAccessorOrValue));
     validateFlags();
@@ -240,21 +231,16 @@ Structure::Structure(VM& vm, CreatingEarlyCellTag)
     , m_classInfo(info())
     , m_transitionWatchpointSet(IsWatched)
 {
-    TypeInfo typeInfo { StructureType, StructureFlags };
-    bool hasStaticNonConfigurableProperty = m_classInfo->hasStaticPropertyWithAnyOfAttributes(static_cast(PropertyAttribute::DontDelete));
-
     setDictionaryKind(NoneDictionaryKind);
     setIsPinnedPropertyTable(false);
     setHasAnyKindOfGetterSetterProperties(m_classInfo->hasStaticPropertyWithAnyOfAttributes(static_cast(PropertyAttribute::AccessorOrCustomAccessorOrValue)));
     setHasReadOnlyOrGetterSetterPropertiesExcludingProto(hasAnyKindOfGetterSetterProperties() || m_classInfo->hasStaticPropertyWithAnyOfAttributes(static_cast(PropertyAttribute::ReadOnly)));
-    setHasNonConfigurableProperties(hasStaticNonConfigurableProperty || typeInfo.overridesGetOwnPropertySlot());
-    setHasNonConfigurableReadOnlyOrGetterSetterProperties(hasStaticNonConfigurableProperty || (typeInfo.overridesGetOwnPropertySlot() && typeInfo.type() != ArrayType));
     setHasUnderscoreProtoPropertyExcludingOriginalProto(false);
     setIsQuickPropertyAccessAllowedForEnumeration(true);
     setTransitionPropertyAttributes(0);
     setTransitionKind(TransitionKind::Unknown);
     setMayBePrototype(false);
-    setDidPreventExtensions(typeInfo.overridesIsExtensible());
+    setDidPreventExtensions(false);
     setDidTransition(false);
     setStaticPropertiesReified(false);
     setTransitionWatchpointIsLikelyToBeFired(false);
@@ -263,11 +249,12 @@ Structure::Structure(VM& vm, CreatingEarlyCellTag)
     setTransitionOffset(vm, invalidOffset);
     setMaxOffset(vm, invalidOffset);
+    TypeInfo typeInfo = TypeInfo(StructureType, StructureFlags);
     m_blob = TypeInfoBlob(0, typeInfo);
     m_outOfLineTypeFlags = typeInfo.outOfLineTypeFlags();
     ASSERT(hasAnyKindOfGetterSetterProperties() == m_classInfo->hasStaticPropertyWithAnyOfAttributes(static_cast(PropertyAttribute::AccessorOrCustomAccessorOrValue)));
-    ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() == m_classInfo->hasStaticPropertyWithAnyOfAttributes(static_cast(PropertyAttribute::ReadOnlyOrAccessorOrCustomAccessorOrValue)));
+    ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() == m_classInfo->hasStaticPropertyWithAnyOfAttributes(PropertyAttribute::ReadOnly | PropertyAttribute::AccessorOrCustomAccessorOrValue));
     ASSERT(!this->typeInfo().overridesGetCallData() || m_classInfo->methodTable.getCallData != &JSCell::getCallData);
 #if ENABLE(STRUCTURE_ID_WITH_SHIFT)
@@ -290,8 +277,6 @@ Structure::Structure(VM& vm, Structure* previous)
     setHasBeenFlattenedBefore(previous->hasBeenFlattenedBefore());
     setHasAnyKindOfGetterSetterProperties(previous->hasAnyKindOfGetterSetterProperties());
     setHasReadOnlyOrGetterSetterPropertiesExcludingProto(previous->hasReadOnlyOrGetterSetterPropertiesExcludingProto());
-    setHasNonConfigurableProperties(previous->hasNonConfigurableProperties());
-    setHasNonConfigurableReadOnlyOrGetterSetterProperties(previous->hasNonConfigurableReadOnlyOrGetterSetterProperties());
     setHasUnderscoreProtoPropertyExcludingOriginalProto(previous->hasUnderscoreProtoPropertyExcludingOriginalProto());
     setIsQuickPropertyAccessAllowedForEnumeration(previous->isQuickPropertyAccessAllowedForEnumeration());
     setTransitionPropertyAttributes(0);
@@ -322,7 +307,7 @@ Structure::Structure(VM& vm, Structure* previous)
     if (previous->m_globalObject)
         m_globalObject.set(vm, this, previous->m_globalObject.get());
     ASSERT(hasAnyKindOfGetterSetterProperties() || !m_classInfo->hasStaticPropertyWithAnyOfAttributes(static_cast(PropertyAttribute::AccessorOrCustomAccessorOrValue)));
-    ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticPropertyWithAnyOfAttributes(static_cast(PropertyAttribute::ReadOnlyOrAccessorOrCustomAccessorOrValue)));
+    ASSERT(hasReadOnlyOrGetterSetterPropertiesExcludingProto() || !m_classInfo->hasStaticPropertyWithAnyOfAttributes(PropertyAttribute::ReadOnly | PropertyAttribute::AccessorOrCustomAccessorOrValue));
     ASSERT(!this->typeInfo().overridesGetCallData() || m_classInfo->methodTable.getCallData != &JSCell::getCallData);
 #if ENABLE(STRUCTURE_ID_WITH_SHIFT)
@@ -829,11 +814,6 @@ Structure* Structure::nonPropertyTransitionSlow(VM& vm, Structure* structure, Tr
     Structure* transition = Structure::create(vm, structure, deferred);
     transition->setTransitionKind(transitionKind);
     transition->m_blob.setIndexingModeIncludingHistory(indexingModeIncludingHistory);
-
-    if (changesIndexingType(transitionKind) && hasAnyArrayStorage(indexingModeIncludingHistory)) {
-        transition->setHasNonConfigurableProperties(true);
-        transition->setHasNonConfigurableReadOnlyOrGetterSetterProperties(true);
-    }
     if (preventsExtensions(transitionKind))
         transition->setDidPreventExtensions(true);
@@ -859,9 +839,6 @@ Structure* Structure::nonPropertyTransitionSlow(VM& vm, Structure* structure, Tr
             table->seal();
         else
             table->freeze();
-
-        transition->setHasNonConfigurableProperties(true);
-        transition->setHasNonConfigurableReadOnlyOrGetterSetterProperties(true);
     } else {
         transition->setPropertyTable(vm, structure->takePropertyTableOrCloneIfPinned(vm));
         transition->setMaxOffset(vm, structure->maxOffset());
diff --git a/Source/JavaScriptCore/runtime/Structure.h b/Source/JavaScriptCore/runtime/Structure.h
index eb4d09185568..06d702906669 100644
--- a/Source/JavaScriptCore/runtime/Structure.h
+++ b/Source/JavaScriptCore/runtime/Structure.h
@@ -341,16 +341,6 @@ class Structure : public JSCell {
         return typeInfo().hasStaticPropertyTable() && !staticPropertiesReified();
     }
-    bool isNonExtensibleOrHasNonConfigurableProperties() const
-    {
-        return didPreventExtensions() || hasNonConfigurableProperties();
-    }
-
-    bool hasAnyOfBitFieldFlags(unsigned flags) const
-    {
-        return m_bitField & flags;
-    }
-
     // Type accessors.
     TypeInfo typeInfo() const { return m_blob.typeInfo(m_outOfLineTypeFlags); }
     bool isObject() const { return typeInfo().isObject(); }
@@ -850,31 +840,16 @@ class Structure : public JSCell {
     DEFINE_BITFIELD(bool, didTransition, DidTransition, 1, 21);
     DEFINE_BITFIELD(bool, staticPropertiesReified, StaticPropertiesReified, 1, 22);
     DEFINE_BITFIELD(bool, hasBeenFlattenedBefore, HasBeenFlattenedBefore, 1, 23);
-    DEFINE_BITFIELD(bool, isBrandedStructure, IsBrandedStructure, 1, 24);
     DEFINE_BITFIELD(bool, didWatchInternalProperties, DidWatchInternalProperties, 1, 25);
     DEFINE_BITFIELD(bool, transitionWatchpointIsLikelyToBeFired, TransitionWatchpointIsLikelyToBeFired, 1, 26);
     DEFINE_BITFIELD(bool, hasBeenDictionary, HasBeenDictionary, 1, 27);
     DEFINE_BITFIELD(bool, protectPropertyTableWhileTransitioning, ProtectPropertyTableWhileTransitioning, 1, 28);
     DEFINE_BITFIELD(bool, hasUnderscoreProtoPropertyExcludingOriginalProto, HasUnderscoreProtoPropertyExcludingOriginalProto, 1, 29);
-    DEFINE_BITFIELD(bool, hasNonConfigurableProperties, HasNonConfigurableProperties, 1, 30);
-    DEFINE_BITFIELD(bool, hasNonConfigurableReadOnlyOrGetterSetterProperties, HasNonConfigurableReadOnlyOrGetterSetterProperties, 1, 31);
+    DEFINE_BITFIELD(bool, isBrandedStructure, IsBrandedStructure, 1, 30);
     static_assert(s_bitWidthOfTransitionPropertyAttributes <= sizeof(TransitionPropertyAttributes) * 8);
     static_assert(s_bitWidthOfTransitionKind <= sizeof(TransitionKind) * 8);
-    static bool bitFieldFlagsCantBeChangedWithoutTransition(unsigned flags)
-    {
-        return flags == (flags & (
-            s_didPreventExtensionsBits
-            | s_isQuickPropertyAccessAllowedForEnumerationBits
-            | s_hasAnyKindOfGetterSetterPropertiesBits
-            | s_hasReadOnlyOrGetterSetterPropertiesExcludingProtoBits
-            | s_hasUnderscoreProtoPropertyExcludingOriginalProtoBits
-            | s_hasNonConfigurablePropertiesBits
-            | s_hasNonConfigurableReadOnlyOrGetterSetterPropertiesBits
-        ));
-    }
-
     int transitionCountEstimate() const
     {
         // Since the number of transitions is often the same as the last offset (except if there are deletes)
diff --git a/Source/JavaScriptCore/runtime/StructureInlines.h b/Source/JavaScriptCore/runtime/StructureInlines.h
index f9d07b15f40f..de734aadff8c 100644
--- a/Source/JavaScriptCore/runtime/StructureInlines.h
+++ b/Source/JavaScriptCore/runtime/StructureInlines.h
@@ -488,11 +488,6 @@ inline PropertyOffset Structure::add(VM& vm, PropertyName propertyName, unsigned
     checkConsistency();
     if (attributes & PropertyAttribute::DontEnum || propertyName.isSymbol())
         setIsQuickPropertyAccessAllowedForEnumeration(false);
-    if (attributes & PropertyAttribute::DontDelete) {
-        setHasNonConfigurableProperties(true);
-        if (attributes & PropertyAttribute::ReadOnlyOrAccessorOrCustomAccessorOrValue)
-            setHasNonConfigurableReadOnlyOrGetterSetterProperties(true);
-    }
     if (propertyName == vm.propertyNames->underscoreProto)
         setHasUnderscoreProtoPropertyExcludingOriginalProto(true);
@@ -583,11 +578,6 @@ inline PropertyOffset Structure::attributeChange(VM& vm, PropertyName propertyNa
     if (attributes & PropertyAttribute::DontEnum)
         setIsQuickPropertyAccessAllowedForEnumeration(false);
-    if (attributes & PropertyAttribute::DontDelete) {
-        setHasNonConfigurableProperties(true);
-        if (attributes & PropertyAttribute::ReadOnlyOrAccessorOrCustomAccessorOrValue)
-            setHasNonConfigurableReadOnlyOrGetterSetterProperties(true);
-    }
     if (attributes & PropertyAttribute::ReadOnly)
         setContainsReadOnlyProperties();
diff --git a/Source/JavaScriptCore/wasm/js/WebAssemblyGCObjectBase.h b/Source/JavaScriptCore/wasm/js/WebAssemblyGCObjectBase.h
index a31b3dba7fe4..dadc0285cce2 100644
--- a/Source/JavaScriptCore/wasm/js/WebAssemblyGCObjectBase.h
+++ b/Source/JavaScriptCore/wasm/js/WebAssemblyGCObjectBase.h
@@ -36,7 +36,7 @@ namespace JSC {
 class WebAssemblyGCObjectBase : public JSNonFinalObject {
 public:
     using Base = JSNonFinalObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesGetPrototype | OverridesPut | OverridesIsExtensible | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | OverridesGetOwnPropertySlot | OverridesGetOwnPropertyNames | OverridesGetPrototype | OverridesPut | InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero;
     DECLARE_EXPORT_INFO;
diff --git a/Source/WebCore/bindings/js/JSDOMWindowProperties.h b/Source/WebCore/bindings/js/JSDOMWindowProperties.h
index a0c1e0ba4481..32408832d8b0 100644
--- a/Source/WebCore/bindings/js/JSDOMWindowProperties.h
+++ b/Source/WebCore/bindings/js/JSDOMWindowProperties.h
@@ -33,7 +33,7 @@ namespace WebCore {
 class JSDOMWindowProperties final : public JSDOMObject {
 public:
     using Base = JSDOMObject;
-    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::OverridesIsExtensible | JSC::IsImmutablePrototypeExoticObject;
+    static constexpr unsigned StructureFlags = Base::StructureFlags | JSC::GetOwnPropertySlotIsImpureForPropertyAbsence | JSC::InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero | JSC::OverridesGetOwnPropertySlot | JSC::IsImmutablePrototypeExoticObject;
     static constexpr bool needsDestruction = false;
     template