Named lookups on HTML documents produce inconsistent results in JavaScriptCore bindings
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 14 Dec 2012 03:24:28 +0000 (03:24 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 14 Dec 2012 03:24:28 +0000 (03:24 +0000)
commit2864dd6ce933bf936590ec7d247840c032e9b749
treee4da042d91bf69ba4014c6f5c0cb7bdde8bf03f6
parent5f62ddf58d84bb44fdb1a5f7dbe7f712253a58af
Named lookups on HTML documents produce inconsistent results in JavaScriptCore bindings
https://bugs.webkit.org/show_bug.cgi?id=104623

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Add the notion of objects that HasImpureGetOwnPropertySlot, and use that to inhibit prototype chain caching
in some cases. This appears to be perf-neutral on benchmarks that we track.

* dfg/DFGRepatch.cpp:
(JSC::DFG::tryCacheGetByID):
(JSC::DFG::tryBuildGetByIDProtoList):
* jit/JITStubs.cpp:
(JSC::JITThunks::tryCacheGetByID):
(JSC::DEFINE_STUB_FUNCTION):
* runtime/JSTypeInfo.h:
(JSC):
(JSC::TypeInfo::hasImpureGetOwnPropertySlot):
* runtime/Operations.h:
(JSC::normalizePrototypeChainForChainAccess):

Source/WebCore:

All DOM objects that have named getters or directly override getOwnPropertySlot are now marked as
HasImpureGetOwnPropertySlot.

Tests: fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps
       fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps

* bindings/scripts/CodeGeneratorJS.pm:
(GenerateHeader):

LayoutTests:

* fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-expected.txt: Added.
* fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.html: Added.
* fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps-expected.txt: Added.
* fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps.html: Added.
* fast/js/script-tests/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.js: Added.
(f):
* fast/js/script-tests/prototype-chain-caching-with-impure-get-own-property-slot-traps.js: Added.
(f):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@137700 268f45cc-cd09-0410-ab3c-d52691b4dbfc
14 files changed:
LayoutTests/ChangeLog
LayoutTests/fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.html [new file with mode: 0644]
LayoutTests/fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/prototype-chain-caching-with-impure-get-own-property-slot-traps.html [new file with mode: 0644]
LayoutTests/fast/js/script-tests/dfg-prototype-chain-caching-with-impure-get-own-property-slot-traps.js [new file with mode: 0644]
LayoutTests/fast/js/script-tests/prototype-chain-caching-with-impure-get-own-property-slot-traps.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGRepatch.cpp
Source/JavaScriptCore/jit/JITStubs.cpp
Source/JavaScriptCore/runtime/JSTypeInfo.h
Source/JavaScriptCore/runtime/Operations.h
Source/WebCore/ChangeLog
Source/WebCore/bindings/scripts/CodeGeneratorJS.pm