SparseValueMap check is skipped when the butterfly's vectorLength is larger than the access-requested index
https://bugs.webkit.org/show_bug.cgi?id=147265
Reviewed by Geoffrey Garen.
Source/JavaScriptCore:
JSObject's vector holds the indexed values and we leverage it to represent stored values and holes.
By checking that the given index is in-bound of the vector's length, we can look up the property fast.
And for the sparse array, we also have the separate SparseValueMap to hold the pairs.
And we need to take care that the length of the vector should not overlap the indices stored in the SparseValueMap.
The vector only holds the pure JS values to avoid additional checking for accessors when looking up the value
from the vector. To achieve this, we also store the accessors (and attributed properties) in the SparseValueMap
even if the index is less than MIN_SPARSE_ARRAY_INDEX.
As a result, if the length of the vector overlaps the indices of the accessors stored in the SparseValueMap,
we accidentally skip the phase looking up from the SparseValueMap. Instead, we just load from the vector and
if the loaded value is an array hole, we decide the given object does not have the value for the given index.
This patch fixes the problem.
When defining an attributed value whose index is smaller than the length of the vector, we throw away the vector
and change the object to DictionaryIndexingMode. Since we can assume that indexed accessors rarely exist in
practice, we expect this does not hurt the performance while keeping the fast property access system without
checking the sparse map.
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexBeyondVectorLength):
* tests/stress/sparse-map-non-overlapping.js: Added.
(shouldBe):
(testing):
(object.get 1000):
* tests/stress/sparse-map-non-skip-getter-overriding.js: Added.
(shouldBe):
(obj.get 1):
(testing):
* tests/stress/sparse-map-non-skip.js: Added.
(shouldBe):
(testing):
(testing2):
(.get for):
LayoutTests:
The previous test "basic-computed-property-name.js" has the issue [1] and
the issue is fixed by this patch.
[1]: https://bugs.webkit.org/show_bug.cgi?id=142943
* js/basic-computed-property-name-expected.txt:
* js/script-tests/basic-computed-property-name.js:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@187464 268f45cc-cd09-0410-ab3c-d52691b4dbfc
8 files changed
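As an added illustration (not part of the WebKit patch or its stress tests), here is a small JavaScript regression check for the behaviour the commit message describes: an engine that consults the vector before the sparse map would return the stale value (or `undefined` for a hole) instead of invoking the getter. The helper names below are my own.

```javascript
// Builds an object with contiguous indexed storage (so the engine allocates
// an indexed vector covering indices 0..9) and leaves index 5 as a hole.
function makeObjectWithVector() {
  const obj = {};
  for (let i = 0; i < 10; i++) {
    if (i !== 5) obj[i] = i; // index 5 stays a hole in the vector
  }
  return obj;
}

// Reads an index through a separate function so a JIT tier can specialise
// the access, mirroring the shape of the stress tests in the patch.
function readIndex(obj, index) {
  return obj[index];
}

// Case 1: an accessor overrides an index that already holds a plain value.
// Correct engines must call the getter, never return the old vector slot.
function checkGetterOverridesValue() {
  const obj = makeObjectWithVector();
  Object.defineProperty(obj, 1, { get() { return 'getter'; }, configurable: true });
  for (let i = 0; i < 10000; i++) {
    if (readIndex(obj, 1) !== 'getter') return false;
  }
  return true;
}

// Case 2: an accessor is defined at an index that was a hole in the vector.
// A buggy lookup would see the hole and report "no such property".
function checkGetterInHoleIsVisible() {
  const obj = makeObjectWithVector();
  Object.defineProperty(obj, 5, { get() { return 'hole-getter'; }, configurable: true });
  for (let i = 0; i < 10000; i++) {
    if (readIndex(obj, 5) !== 'hole-getter') return false;
    if (!(5 in obj)) return false;
  }
  return true;
}
```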