JSObject::putInlineSlow should not ignore "__proto__" for Proxy
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 16 Sep 2019 19:32:39 +0000 (19:32 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 16 Sep 2019 19:32:39 +0000 (19:32 +0000)
commit17b927ea0dedded5de8356b366a60bf70c9bff45
tree9bb1d533fa488f4569f4dcd22d1c7d8f0cddf94f
parentf567eeeb194e46e7cd7557b668ecd5c8f66a0636
JSObject::putInlineSlow should not ignore "__proto__" for Proxy
https://bugs.webkit.org/show_bug.cgi?id=200386
<rdar://problem/53854946>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/proxy-__proto__-in-prototype-chain.js: Added.
* stress/proxy-property-replace-structure-transition.js: Added.

Source/JavaScriptCore:

We used to ignore '__proto__' in putInlineSlow when the object in question
was Proxy. There is no reason for this, and it goes against the spec. So
I've removed that condition. This also has the effect that it fixes an
assertion firing inside our inline caching code which dictates that for a
property replace that the base value's structure must be equal to the
structure when we grabbed the structure prior to the put operation.
The old code caused a weird edge case where we broke this invariant.

* runtime/JSObject.cpp:
(JSC::JSObject::putInlineSlow):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249911 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/proxy-__proto__-in-prototype-chain.js [new file with mode: 0644]
JSTests/stress/proxy-property-replace-structure-transition.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSObject.cpp