[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.17-1283-gcf603cf
oliver at apple.com
oliver at apple.com
Tue Jan 5 23:47:04 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit ee56e9b1f6b73d421e984d045545e0ed1f037f94
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Fri Dec 11 02:22:07 2009 +0000
Incorrect caching of prototype lookup with dictionary base
https://bugs.webkit.org/show_bug.cgi?id=32402
Reviewed by Gavin Barraclough
Make sure we don't add cached prototype lookup to the proto_list
lookup chain if the top level object is a dictionary.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51976 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index f1b176a..3e9187b 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,16 @@
+2009-12-10 Oliver Hunt <oliver at apple.com>
+
+ Reviewed by Gavin Barraclough.
+
+ Incorrect caching of prototype lookup with dictionary base
+ https://bugs.webkit.org/show_bug.cgi?id=32402
+
+ Make sure we don't add cached prototype lookup to the proto_list
+ lookup chain if the top level object is a dictionary.
+
+ * jit/JITStubs.cpp:
+ (JSC::JITThunks::tryCacheGetByID):
+
2009-12-10 Gavin Barraclough <barraclough at apple.com>
Reviewed by Oliver Hunt.
diff --git a/JavaScriptCore/jit/JITStubs.cpp b/JavaScriptCore/jit/JITStubs.cpp
index 1a7f57f..8dd7a97 100644
--- a/JavaScriptCore/jit/JITStubs.cpp
+++ b/JavaScriptCore/jit/JITStubs.cpp
@@ -847,6 +847,8 @@ NEVER_INLINE void JITThunks::tryCacheGetByID(CallFrame* callFrame, CodeBlock* co
stubInfo->initGetByIdProto(structure, slotBaseObject->structure());
+ ASSERT(!structure->isDictionary());
+ ASSERT(!slotBaseObject->structure()->isDictionary());
JIT::compileGetByIdProto(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, structure, slotBaseObject->structure(), slot.cachedOffset(), returnAddress);
return;
}
@@ -1365,7 +1367,7 @@ DEFINE_STUB_FUNCTION(EncodedJSValue, op_get_by_id_proto_list)
CHECK_FOR_EXCEPTION();
- if (!baseValue.isCell() || !slot.isCacheable() || asCell(baseValue)->structure()->isUncacheableDictionary()) {
+ if (!baseValue.isCell() || !slot.isCacheable() || asCell(baseValue)->structure()->isDictionary()) {
ctiPatchCallByReturnAddress(callFrame->codeBlock(), STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_fail));
return JSValue::encode(result);
}
@@ -1380,6 +1382,7 @@ DEFINE_STUB_FUNCTION(EncodedJSValue, op_get_by_id_proto_list)
if (slot.slotBase() == baseValue)
ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_fail));
else if (slot.slotBase() == asCell(baseValue)->structure()->prototypeForLookup(callFrame)) {
+ ASSERT(!asCell(baseValue)->structure()->isDictionary());
// Since we're accessing a prototype in a loop, it's a good bet that it
// should not be treated as a dictionary.
if (slotBaseObject->structure()->isDictionary())
@@ -1393,6 +1396,7 @@ DEFINE_STUB_FUNCTION(EncodedJSValue, op_get_by_id_proto_list)
if (listIndex == (POLYMORPHIC_LIST_CACHE_SIZE - 1))
ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_list_full));
} else if (size_t count = normalizePrototypeChain(callFrame, baseValue, slot.slotBase())) {
+ ASSERT(!asCell(baseValue)->structure()->isDictionary());
int listIndex;
PolymorphicAccessStructureList* prototypeStructureList = getPolymorphicAccessStructureListSlot(stubInfo, listIndex);
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index d03903d..658decb 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2009-12-10 Oliver Hunt <oliver at apple.com>
+
+ Reviewed by Gavin Barraclough.
+
+ Incorrect caching of prototype lookup with dictionary base
+ https://bugs.webkit.org/show_bug.cgi?id=32402
+
+ Adding test for prototype caching through a dictionary
+
+ * fast/js/dictionary-prototype-caching-expected.txt:
+ * fast/js/script-tests/dictionary-prototype-caching.js:
+ (testFunction):
+
2009-12-10 Alexey Proskuryakov <ap at apple.com>
Reviewed by Darin Adler.
diff --git a/LayoutTests/fast/js/dictionary-prototype-caching-expected.txt b/LayoutTests/fast/js/dictionary-prototype-caching-expected.txt
index 72c4073..6184a75 100644
--- a/LayoutTests/fast/js/dictionary-prototype-caching-expected.txt
+++ b/LayoutTests/fast/js/dictionary-prototype-caching-expected.txt
@@ -7,6 +7,9 @@ PASS protoTest(o) is 'PASS'
PASS protoTest(o) is undefined.
PASS protoKeys is [1,2,3]
PASS protoKeys is [1,2,3]
+PASS testFunction(subclass1) is true
+PASS testFunction(subclass2) is true
+PASS testFunction(subclass2) is true
PASS successfullyParsed is true
TEST COMPLETE
diff --git a/LayoutTests/fast/js/script-tests/dictionary-prototype-caching.js b/LayoutTests/fast/js/script-tests/dictionary-prototype-caching.js
index 68ba1c6..8fc2636 100644
--- a/LayoutTests/fast/js/script-tests/dictionary-prototype-caching.js
+++ b/LayoutTests/fast/js/script-tests/dictionary-prototype-caching.js
@@ -54,4 +54,21 @@ for (var i in proto)
shouldBe("protoKeys", "[1,2,3]");
+function testFunction(o) {
+ return o.test;
+}
+
+var proto = { test: true };
+var subclass1 = { __proto__: proto };
+var subclass2 = { __proto__: proto };
+for (var i = 0; i < 500; i++)
+ subclass2["a"+i]="a"+i;
+
+testFunction(subclass1);
+shouldBeTrue("testFunction(subclass1)");
+shouldBeTrue("testFunction(subclass2)");
+proto.test = false
+subclass2.test = true;
+shouldBeTrue("testFunction(subclass2)");
+
successfullyParsed = true;
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list