[JSC] GetterSetter should be JSCell, not JSObject
authorysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 9 Oct 2019 00:25:25 +0000 (00:25 +0000)
committerysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 9 Oct 2019 00:25:25 +0000 (00:25 +0000)
commit341f513fb964251ecba03ec6dfc631cd498cb23f
treed19498724ae02c91c0293711045b2ed67f3e4786
parentb5eb003b64fe999b2d65d2da908b6b3987c1c013
[JSC] GetterSetter should be JSCell, not JSObject
https://bugs.webkit.org/show_bug.cgi?id=202656

Reviewed by Tadeu Zagallo and Saam Barati.

JSTests:

* stress/getter-setter-should-be-cell.js: Added.
(foo.with.):
(foo.with.get for):
(foo.with.bar):
(foo):

Source/JavaScriptCore:

Essentially, GetterSetter is not a JSObject. It is like a JSCell. But we made GetterSetter JSObject
to leverage existing strict-eq implementations for JSObject: pointer-comparison. But given the following
conditions,

1. GetterSetter strict-eq comparison only happens in builtin code when using @tryGetById.
2. RHS of that comparison is always folded into constant in DFG.
3. We already use pointer-comparison for cells that are neither JSString nor JSBigInt.
4. DFG strength reduction already has a rule which makes `CompareStrictEq(Cell-not-JSString/JSBigInt, Constant)` `ComparePtrEq`.

So we already support non-JSString/JSBigInt cell comparison in JSC JS code. We should use it instead of making GetterSetter JSObject.
This patch makes GetterSetter JSCell, and makes getterSetterStructure per-VM structure.

The attached test reported AI validation failure. AI assumed that GetterSetter's realm should be the same to the base object. But
this is incorrect in our runtime code: we are creating GetterSetter with lexical realm (JSGlobalObject). But the fundamental problem
is that GetterSetter is JSObject and tied to JSGlobalObject while it is not necessary.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGFixupPhase.cpp:
* runtime/GetterSetter.cpp:
* runtime/GetterSetter.h:
* runtime/JSGlobalObject.cpp:
(JSC::getGetterById):
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::regExpProtoGlobalGetter const):
(JSC::JSGlobalObject::regExpProtoUnicodeGetter const):
(JSC::JSGlobalObject::customGetterSetterFunctionStructure const):
(JSC::JSGlobalObject::getterSetterStructure const): Deleted.
* runtime/JSType.h:
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@250878 268f45cc-cd09-0410-ab3c-d52691b4dbfc
12 files changed:
JSTests/ChangeLog
JSTests/stress/getter-setter-should-be-cell.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Source/JavaScriptCore/runtime/GetterSetter.cpp
Source/JavaScriptCore/runtime/GetterSetter.h
Source/JavaScriptCore/runtime/JSGlobalObject.cpp
Source/JavaScriptCore/runtime/JSGlobalObject.h
Source/JavaScriptCore/runtime/JSType.h
Source/JavaScriptCore/runtime/VM.cpp
Source/JavaScriptCore/runtime/VM.h