Unreviewed, roll out r250878
https://bugs.webkit.org/show_bug.cgi?id=202656
Breaking vimeo page.
JSTests:
* stress/getter-setter-should-be-cell.js: Removed.
Source/JavaScriptCore:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGFixupPhase.cpp:
* runtime/GetterSetter.cpp:
* runtime/GetterSetter.h:
* runtime/JSGlobalObject.cpp:
(JSC::getGetterById):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::regExpProtoGlobalGetter const):
(JSC::JSGlobalObject::regExpProtoUnicodeGetter const):
(JSC::JSGlobalObject::getterSetterStructure const):
* runtime/JSType.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@250932 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index 1d84f4e..25632e9 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog
@@ -1,3 +1,12 @@
+2019-10-09 Yusuke Suzuki <ysuzuki@apple.com>
+
+ Unreviewed, roll out r250878
+ https://bugs.webkit.org/show_bug.cgi?id=202656
+
+ Breaking vimeo page.
+
+ * stress/getter-setter-should-be-cell.js: Removed.
+
2019-10-08 Yusuke Suzuki <ysuzuki@apple.com>
[JSC] GetterSetter should be JSCell, not JSObject
diff --git a/JSTests/stress/getter-setter-should-be-cell.js b/JSTests/stress/getter-setter-should-be-cell.js
deleted file mode 100644
index d9ce5d2..0000000
--- a/JSTests/stress/getter-setter-should-be-cell.js
+++ /dev/null
@@ -1,26 +0,0 @@
-//@ runDefault("--validateAbstractInterpreterState=1", "--forceEagerCompilation=1")
-String.__proto__ = createGlobalObject();
-const that = {};
-that.__proto__ = String;
-
-function foo() {
- with (that) {
- function bar(a0, a1) {
- const v0 = '';
- const v1 = undefined;
- const v2 = undefined;
- const v3 = undefined;
- const p = { get: ()=>{} };
- for (let j = 0; j < 1; j++) {
- function f0() {}
- const v4 = Object.defineProperty(''.__proto__, '__proto__', p);
- }
- const v5 = undefined;
- }
- for (let i = 0; i < 100; i++) {
- new Promise(bar);
- }
- }
-}
-
-foo();
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index bfe319f..2b09986 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,28 @@
+2019-10-09 Yusuke Suzuki <ysuzuki@apple.com>
+
+ Unreviewed, roll out r250878
+ https://bugs.webkit.org/show_bug.cgi?id=202656
+
+ Breaking vimeo page.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGFixupPhase.cpp:
+ * runtime/GetterSetter.cpp:
+ * runtime/GetterSetter.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::getGetterById):
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::regExpProtoGlobalGetter const):
+ (JSC::JSGlobalObject::regExpProtoUnicodeGetter const):
+ (JSC::JSGlobalObject::getterSetterStructure const):
+ * runtime/JSType.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
2019-10-09 Adrian Perez de Castro <aperez@igalia.com>
Unreviewed build fix for non-unified builds.
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
index d41c045..5a63b42 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
@@ -3466,7 +3466,12 @@
break;
}
- setForNode(node, m_vm.getterSetterStructure.get());
+ if (base.value() && base.value().isObject()) {
+ setForNode(node, asObject(base.value())->globalObject()->getterSetterStructure());
+ break;
+ }
+
+ setTypeForNode(node, SpecObjectOther);
break;
}
diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
index e1e1678..3f1c891 100644
--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
@@ -34,7 +34,6 @@
#include "DFGPhase.h"
#include "DFGPredictionPropagationPhase.h"
#include "DFGVariableAccessDataDump.h"
-#include "GetterSetter.h"
#include "JSCInlines.h"
#include "TypeLocation.h"
diff --git a/Source/JavaScriptCore/runtime/GetterSetter.cpp b/Source/JavaScriptCore/runtime/GetterSetter.cpp
index c8ea8be..998d184 100644
--- a/Source/JavaScriptCore/runtime/GetterSetter.cpp
+++ b/Source/JavaScriptCore/runtime/GetterSetter.cpp
@@ -33,7 +33,7 @@
STATIC_ASSERT_IS_TRIVIALLY_DESTRUCTIBLE(GetterSetter);
-const ClassInfo GetterSetter::s_info = { "GetterSetter", nullptr, nullptr, nullptr, CREATE_METHOD_TABLE(GetterSetter) };
+const ClassInfo GetterSetter::s_info = { "GetterSetter", &Base::s_info, nullptr, nullptr, CREATE_METHOD_TABLE(GetterSetter) };
void GetterSetter::visitChildren(JSCell* cell, SlotVisitor& visitor)
{
diff --git a/Source/JavaScriptCore/runtime/GetterSetter.h b/Source/JavaScriptCore/runtime/GetterSetter.h
index 67f3f63..f10478b 100644
--- a/Source/JavaScriptCore/runtime/GetterSetter.h
+++ b/Source/JavaScriptCore/runtime/GetterSetter.h
@@ -40,12 +40,12 @@
// that if a property holding a GetterSetter reference is constant-inferred and
// that constant is observed to have a non-null setter (or getter) then we can
// constant fold that setter (or getter).
-class GetterSetter final : public JSCell {
+class GetterSetter final : public JSNonFinalObject {
friend class JIT;
- using Base = JSCell;
+ typedef JSNonFinalObject Base;
private:
GetterSetter(VM& vm, JSGlobalObject* globalObject, JSObject* getter, JSObject* setter)
- : Base(vm, vm.getterSetterStructure.get())
+ : Base(vm, globalObject->getterSetterStructure())
{
WTF::storeStoreFence();
m_getter.set(vm, this, getter ? getter : globalObject->nullGetterFunction());
diff --git a/Source/JavaScriptCore/runtime/JSGlobalObject.cpp b/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
index b3fc404..d9569793 100644
--- a/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
+++ b/Source/JavaScriptCore/runtime/JSGlobalObject.cpp
@@ -450,12 +450,12 @@
m_globalThis.set(vm, this, globalThis);
}
-static GetterSetter* getGetterById(ExecState* exec, JSObject* base, const Identifier& ident)
+static JSObject* getGetterById(ExecState* exec, JSObject* base, const Identifier& ident)
{
JSValue baseValue = JSValue(base);
PropertySlot slot(baseValue, PropertySlot::InternalMethodType::VMInquiry);
baseValue.getPropertySlot(exec, ident, slot);
- return jsCast<GetterSetter*>(slot.getPureResult());
+ return slot.getPureResult().toObject(exec);
}
template<ErrorType errorType>
@@ -514,6 +514,7 @@
[] (const Initializer<Structure>& init) {
init.set(JSBoundFunction::createStructure(init.vm, init.owner, init.owner->m_functionPrototype.get()));
});
+ m_getterSetterStructure.set(vm, this, GetterSetter::createStructure(vm, this, jsNull()));
m_nativeStdFunctionStructure.initLater(
[] (const Initializer<Structure>& init) {
init.set(JSNativeStdFunction::createStructure(init.vm, init.owner, init.owner->m_functionPrototype.get()));
@@ -938,22 +939,22 @@
JSFunction* privateFuncSetBucketNext = JSFunction::create(vm, this, 0, String(), setPrivateFuncSetBucketNext, JSSetBucketNextIntrinsic);
JSFunction* privateFuncSetBucketKey = JSFunction::create(vm, this, 0, String(), setPrivateFuncSetBucketKey, JSSetBucketKeyIntrinsic);
- GetterSetter* regExpProtoFlagsGetter = getGetterById(exec, m_regExpPrototype.get(), vm.propertyNames->flags);
+ JSObject* regExpProtoFlagsGetterObject = getGetterById(exec, m_regExpPrototype.get(), vm.propertyNames->flags);
catchScope.assertNoException();
- GetterSetter* regExpProtoGlobalGetter = getGetterById(exec, m_regExpPrototype.get(), vm.propertyNames->global);
+ JSObject* regExpProtoGlobalGetterObject = getGetterById(exec, m_regExpPrototype.get(), vm.propertyNames->global);
catchScope.assertNoException();
- m_regExpProtoGlobalGetter.set(vm, this, regExpProtoGlobalGetter);
- GetterSetter* regExpProtoIgnoreCaseGetter = getGetterById(exec, m_regExpPrototype.get(), vm.propertyNames->ignoreCase);
+ m_regExpProtoGlobalGetter.set(vm, this, regExpProtoGlobalGetterObject);
+ JSObject* regExpProtoIgnoreCaseGetterObject = getGetterById(exec, m_regExpPrototype.get(), vm.propertyNames->ignoreCase);
catchScope.assertNoException();
- GetterSetter* regExpProtoMultilineGetter = getGetterById(exec, m_regExpPrototype.get(), vm.propertyNames->multiline);
+ JSObject* regExpProtoMultilineGetterObject = getGetterById(exec, m_regExpPrototype.get(), vm.propertyNames->multiline);
catchScope.assertNoException();
- GetterSetter* regExpProtoSourceGetter = getGetterById(exec, m_regExpPrototype.get(), vm.propertyNames->source);
+ JSObject* regExpProtoSourceGetterObject = getGetterById(exec, m_regExpPrototype.get(), vm.propertyNames->source);
catchScope.assertNoException();
- GetterSetter* regExpProtoStickyGetter = getGetterById(exec, m_regExpPrototype.get(), vm.propertyNames->sticky);
+ JSObject* regExpProtoStickyGetterObject = getGetterById(exec, m_regExpPrototype.get(), vm.propertyNames->sticky);
catchScope.assertNoException();
- GetterSetter* regExpProtoUnicodeGetter = getGetterById(exec, m_regExpPrototype.get(), vm.propertyNames->unicode);
+ JSObject* regExpProtoUnicodeGetterObject = getGetterById(exec, m_regExpPrototype.get(), vm.propertyNames->unicode);
catchScope.assertNoException();
- m_regExpProtoUnicodeGetter.set(vm, this, regExpProtoUnicodeGetter);
+ m_regExpProtoUnicodeGetter.set(vm, this, regExpProtoUnicodeGetterObject);
JSObject* builtinRegExpExec = asObject(m_regExpPrototype->getDirect(vm, vm.propertyNames->exec).asCell());
m_regExpProtoExec.set(vm, this, builtinRegExpExec);
JSObject* regExpSymbolReplace = asObject(m_regExpPrototype->getDirect(vm, vm.propertyNames->replaceSymbol).asCell());
@@ -1023,13 +1024,13 @@
GlobalPropertyInfo(vm.propertyNames->builtinNames().isConstructorPrivateName(), JSFunction::create(vm, this, 1, String(), esSpecIsConstructor, NoIntrinsic), PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
- GlobalPropertyInfo(vm.propertyNames->builtinNames().regExpProtoFlagsGetterPrivateName(), regExpProtoFlagsGetter, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
- GlobalPropertyInfo(vm.propertyNames->builtinNames().regExpProtoGlobalGetterPrivateName(), regExpProtoGlobalGetter, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
- GlobalPropertyInfo(vm.propertyNames->builtinNames().regExpProtoIgnoreCaseGetterPrivateName(), regExpProtoIgnoreCaseGetter, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
- GlobalPropertyInfo(vm.propertyNames->builtinNames().regExpProtoMultilineGetterPrivateName(), regExpProtoMultilineGetter, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
- GlobalPropertyInfo(vm.propertyNames->builtinNames().regExpProtoSourceGetterPrivateName(), regExpProtoSourceGetter, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
- GlobalPropertyInfo(vm.propertyNames->builtinNames().regExpProtoStickyGetterPrivateName(), regExpProtoStickyGetter, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
- GlobalPropertyInfo(vm.propertyNames->builtinNames().regExpProtoUnicodeGetterPrivateName(), regExpProtoUnicodeGetter, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
+ GlobalPropertyInfo(vm.propertyNames->builtinNames().regExpProtoFlagsGetterPrivateName(), regExpProtoFlagsGetterObject, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
+ GlobalPropertyInfo(vm.propertyNames->builtinNames().regExpProtoGlobalGetterPrivateName(), regExpProtoGlobalGetterObject, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
+ GlobalPropertyInfo(vm.propertyNames->builtinNames().regExpProtoIgnoreCaseGetterPrivateName(), regExpProtoIgnoreCaseGetterObject, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
+ GlobalPropertyInfo(vm.propertyNames->builtinNames().regExpProtoMultilineGetterPrivateName(), regExpProtoMultilineGetterObject, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
+ GlobalPropertyInfo(vm.propertyNames->builtinNames().regExpProtoSourceGetterPrivateName(), regExpProtoSourceGetterObject, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
+ GlobalPropertyInfo(vm.propertyNames->builtinNames().regExpProtoStickyGetterPrivateName(), regExpProtoStickyGetterObject, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
+ GlobalPropertyInfo(vm.propertyNames->builtinNames().regExpProtoUnicodeGetterPrivateName(), regExpProtoUnicodeGetterObject, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
// RegExp.prototype helpers.
GlobalPropertyInfo(vm.propertyNames->builtinNames().regExpBuiltinExecPrivateName(), builtinRegExpExec, PropertyAttribute::DontEnum | PropertyAttribute::DontDelete | PropertyAttribute::ReadOnly),
@@ -1759,6 +1760,7 @@
thisObject->m_customGetterSetterFunctionStructure.visit(visitor);
thisObject->m_boundFunctionStructure.visit(visitor);
+ visitor.append(thisObject->m_getterSetterStructure);
thisObject->m_nativeStdFunctionStructure.visit(visitor);
visitor.append(thisObject->m_regExpStructure);
visitor.append(thisObject->m_generatorFunctionStructure);
diff --git a/Source/JavaScriptCore/runtime/JSGlobalObject.h b/Source/JavaScriptCore/runtime/JSGlobalObject.h
index 22689cf..be1bd25 100644
--- a/Source/JavaScriptCore/runtime/JSGlobalObject.h
+++ b/Source/JavaScriptCore/runtime/JSGlobalObject.h
@@ -306,8 +306,8 @@
LazyProperty<JSGlobalObject, GetterSetter> m_throwTypeErrorGetterSetter;
WriteBarrier<JSObject> m_regExpProtoExec;
WriteBarrier<JSObject> m_regExpProtoSymbolReplace;
- WriteBarrier<GetterSetter> m_regExpProtoGlobalGetter;
- WriteBarrier<GetterSetter> m_regExpProtoUnicodeGetter;
+ WriteBarrier<JSObject> m_regExpProtoGlobalGetter;
+ WriteBarrier<JSObject> m_regExpProtoUnicodeGetter;
WriteBarrier<GetterSetter> m_throwTypeErrorArgumentsCalleeAndCallerGetterSetter;
LazyProperty<JSGlobalObject, JSModuleLoader> m_moduleLoader;
@@ -365,6 +365,7 @@
LazyProperty<JSGlobalObject, Structure> m_boundFunctionStructure;
LazyProperty<JSGlobalObject, Structure> m_customGetterSetterFunctionStructure;
+ WriteBarrier<Structure> m_getterSetterStructure;
LazyProperty<JSGlobalObject, Structure> m_nativeStdFunctionStructure;
PropertyOffset m_functionNameOffset;
WriteBarrier<Structure> m_regExpStructure;
@@ -621,8 +622,8 @@
JSFunction* functionProtoHasInstanceSymbolFunction() const { return m_functionProtoHasInstanceSymbolFunction.get(); }
JSObject* regExpProtoExecFunction() const { return m_regExpProtoExec.get(); }
JSObject* regExpProtoSymbolReplaceFunction() const { return m_regExpProtoSymbolReplace.get(); }
- GetterSetter* regExpProtoGlobalGetter() const { return m_regExpProtoGlobalGetter.get(); }
- GetterSetter* regExpProtoUnicodeGetter() const { return m_regExpProtoUnicodeGetter.get(); }
+ JSObject* regExpProtoGlobalGetter() const { return m_regExpProtoGlobalGetter.get(); }
+ JSObject* regExpProtoUnicodeGetter() const { return m_regExpProtoUnicodeGetter.get(); }
GetterSetter* throwTypeErrorArgumentsCalleeAndCallerGetterSetter()
{
return m_throwTypeErrorArgumentsCalleeAndCallerGetterSetter.get();
@@ -747,6 +748,7 @@
Structure* boundFunctionStructure() const { return m_boundFunctionStructure.get(this); }
Structure* customGetterSetterFunctionStructure() const { return m_customGetterSetterFunctionStructure.get(this); }
+ Structure* getterSetterStructure() const { return m_getterSetterStructure.get(); }
Structure* nativeStdFunctionStructure() const { return m_nativeStdFunctionStructure.get(this); }
PropertyOffset functionNameOffset() const { return m_functionNameOffset; }
Structure* numberObjectStructure() const { return m_numberObjectStructure.get(this); }
diff --git a/Source/JavaScriptCore/runtime/JSType.h b/Source/JavaScriptCore/runtime/JSType.h
index 6e99687..e930fd3 100644
--- a/Source/JavaScriptCore/runtime/JSType.h
+++ b/Source/JavaScriptCore/runtime/JSType.h
@@ -29,7 +29,6 @@
SymbolType,
BigIntType,
- GetterSetterType,
CustomGetterSetterType,
APIValueWrapperType,
@@ -89,6 +88,8 @@
DataViewType,
// End JSArrayBufferView types.
+ GetterSetterType,
+
// JSScope <- JSWithScope
// <- StrictEvalActivation
// <- JSSymbolTableObject <- JSLexicalEnvironment <- JSModuleEnvironment
diff --git a/Source/JavaScriptCore/runtime/VM.cpp b/Source/JavaScriptCore/runtime/VM.cpp
index cbfdd21..adb5a91 100644
--- a/Source/JavaScriptCore/runtime/VM.cpp
+++ b/Source/JavaScriptCore/runtime/VM.cpp
@@ -342,7 +342,6 @@
propertyNames = new CommonIdentifiers(*this);
terminatedExecutionErrorStructure.set(*this, TerminatedExecutionError::createStructure(*this, 0, jsNull()));
propertyNameEnumeratorStructure.set(*this, JSPropertyNameEnumerator::createStructure(*this, 0, jsNull()));
- getterSetterStructure.set(*this, GetterSetter::createStructure(*this, 0, jsNull()));
customGetterSetterStructure.set(*this, CustomGetterSetter::createStructure(*this, 0, jsNull()));
domAttributeGetterSetterStructure.set(*this, DOMAttributeGetterSetter::createStructure(*this, 0, jsNull()));
scopedArgumentsTableStructure.set(*this, ScopedArgumentsTable::createStructure(*this, 0, jsNull()));
diff --git a/Source/JavaScriptCore/runtime/VM.h b/Source/JavaScriptCore/runtime/VM.h
index f813a2a..0700fca 100644
--- a/Source/JavaScriptCore/runtime/VM.h
+++ b/Source/JavaScriptCore/runtime/VM.h
@@ -504,7 +504,6 @@
Strong<Structure> terminatedExecutionErrorStructure;
Strong<Structure> stringStructure;
Strong<Structure> propertyNameEnumeratorStructure;
- Strong<Structure> getterSetterStructure;
Strong<Structure> customGetterSetterStructure;
Strong<Structure> domAttributeGetterSetterStructure;
Strong<Structure> scopedArgumentsTableStructure;
