Delete IC incorrectly caches for proxies
https://bugs.webkit.org/show_bug.cgi?id=209777
Patch by Justin Michaud <justin@justinmichaud.com> on 2020-04-01
Reviewed by Mark Lam.
JSTests:
* stress/delete-property-ic-proxy.js: Added.
(obj1.this.foo1):
(foo1.foo2):
(foo1):
(foo2.foo3):
(foo2):
* stress/delete-property-inline-cache.js:
Source/JavaScriptCore:
Proxy's do not change their structure ID when properties are added, so we cannot cache deletes
for them.
* jit/Repatch.cpp:
(JSC::tryCacheDeleteBy):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@259357 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index e2249c8..9f94eb2c 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog
@@ -1,3 +1,18 @@
+2020-04-01 Justin Michaud <justin@justinmichaud.com>
+
+ Delete IC incorrectly caches for proxies
+ https://bugs.webkit.org/show_bug.cgi?id=209777
+
+ Reviewed by Mark Lam.
+
+ * stress/delete-property-ic-proxy.js: Added.
+ (obj1.this.foo1):
+ (foo1.foo2):
+ (foo1):
+ (foo2.foo3):
+ (foo2):
+ * stress/delete-property-inline-cache.js:
+
2020-04-01 Paulo Matos <pmatos@igalia.com>
[JSC] Reenable non-cloop LLint, JIT and DFG on 32-bit platforms
diff --git a/JSTests/stress/delete-property-ic-proxy.js b/JSTests/stress/delete-property-ic-proxy.js
new file mode 100644
index 0000000..63563f1
--- /dev/null
+++ b/JSTests/stress/delete-property-ic-proxy.js
@@ -0,0 +1,40 @@
+//@ requireOptions("--jitPolicyScale=0", "--useDFGJIT=0")
+
+{
+ var obj1 = this
+ function foo1() {
+ for (let i = 0; i < 5; ++i)
+ delete obj1.x
+ }
+ noInline(foo1)
+
+ foo1()
+ Object.defineProperty(obj1, "x", {})
+ foo1()
+}
+
+{
+ var obj2 = new Proxy({}, {})
+ function foo2() {
+ for (let i = 0; i < 5; ++i)
+ delete obj2.x
+ }
+ noInline(foo2)
+
+ foo2()
+ Object.defineProperty(obj2, "x", {})
+ foo2()
+}
+
+{
+ var obj3 = $vm.createProxy({})
+ function foo3() {
+ for (let i = 0; i < 5; ++i)
+ delete obj3.x
+ }
+ noInline(foo3)
+
+ foo3()
+ Object.defineProperty(obj3, "x", {})
+ foo3()
+}
\ No newline at end of file
diff --git a/JSTests/stress/delete-property-inline-cache.js b/JSTests/stress/delete-property-inline-cache.js
index 3df00d5..297edd7 100644
--- a/JSTests/stress/delete-property-inline-cache.js
+++ b/JSTests/stress/delete-property-inline-cache.js
@@ -1,4 +1,4 @@
-//@ runDefault("--useBigInt=true")
+//@ requireOptions("--useBigInt=1")
function assert(condition) {
if (!condition)
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 63015bb..f219eb6 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,16 @@
+2020-04-01 Justin Michaud <justin@justinmichaud.com>
+
+ Delete IC incorrectly caches for proxies
+ https://bugs.webkit.org/show_bug.cgi?id=209777
+
+ Reviewed by Mark Lam.
+
+ Proxy's do not change their structure ID when properties are added, so we cannot cache deletes
+ for them.
+
+ * jit/Repatch.cpp:
+ (JSC::tryCacheDeleteBy):
+
2020-04-01 Keith Miller <keith_miller@apple.com>
Bindings that override getOwnPropertySlotByIndex need to say they MayHaveIndexedAccessors
diff --git a/Source/JavaScriptCore/jit/Repatch.cpp b/Source/JavaScriptCore/jit/Repatch.cpp
index c3df079..6417f21 100644
--- a/Source/JavaScriptCore/jit/Repatch.cpp
+++ b/Source/JavaScriptCore/jit/Repatch.cpp
@@ -750,7 +750,7 @@
return GiveUpOnCache;
ASSERT(oldStructure);
- if (!baseValue.isObject() || !oldStructure->propertyAccessesAreCacheable())
+ if (!baseValue.isObject() || !oldStructure->propertyAccessesAreCacheable() || oldStructure->isProxy())
return GiveUpOnCache;
if (!slot.isCacheableDelete())
