Fixes operationPutByIds such that they check that the put didn't
author mmirman@apple.com <mmirman@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 10 Dec 2014 19:36:32 +0000 (19:36 +0000)
committer mmirman@apple.com <mmirman@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 10 Dec 2014 19:36:32 +0000 (19:36 +0000)
commit 3e558bda0e1f355b9ac93e930201082d417b9af3
tree a28ee1324886f24643391e1c5a680497c8520ccf
parent 09c2011bfc3d63cf119e70e051182b25d3bc2f8e
Fixes operationPutByIds such that they check that the put didn't
change the structure of the object whose property access is being
cached.
https://bugs.webkit.org/show_bug.cgi?id=139196

Reviewed by Filip Pizlo.

* jit/JITOperations.cpp:
(JSC::operationGetByIdOptimize): changed get to getPropertySlot
(JSC::operationPutByIdStrictBuildList): saved the structure before the put.
(JSC::operationPutByIdNonStrictBuildList): ditto.
(JSC::operationPutByIdDirectStrictBuildList): ditto.
(JSC::operationPutByIdDirectNonStrictBuildList): ditto.
* jit/Repatch.cpp:
(JSC::tryCachePutByID): fixed structure() to use the existent vm.
(JSC::tryBuildPutByIdList): Added a check that the old structure's id
is the same as the new.
(JSC::buildPutByIdList): Added an argument
* jit/Repatch.h:
(JSC::buildPutByIdList): Added an argument
* tests/stress/put-by-id-strict-build-list-order.js: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@177083 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/jit/JITOperations.cpp
Source/JavaScriptCore/jit/Repatch.cpp
Source/JavaScriptCore/jit/Repatch.h
Source/JavaScriptCore/tests/stress/put-by-id-strict-build-list-order.js [new file with mode: 0644]