We should not add InferredTypeTables to old Structures
author    fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Fri, 2 Oct 2015 23:09:33 +0000 (23:09 +0000)
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Fri, 2 Oct 2015 23:09:33 +0000 (23:09 +0000)
commit    4a9461216c8964deacba0876b13dcd3f218a600a
tree      50a19afcdab408a6c4d6bba64e5d2139970b7ff1
parent    cbdbfe9520f73b60d7cfc986b5b5df47bbc556fd
We should not add InferredTypeTables to old Structures
https://bugs.webkit.org/show_bug.cgi?id=149767
rdar://problem/22825526

Patch by Filip Pizlo <fpizlo@apple.com> and Mark Lam <mark.lam@apple.com> on 2015-10-02
Reviewed by Saam Barati.

Our property type inference has an optimization where the absence of an InferredTypeTable is
taken to mean that all properties are TOP. This is great because most Structures come into
existence through reflective stores, and we don't want to waste time inferring types for
those.

But our code was not obeying this rule properly. If we were doing a transition, we would
assume that this meant that we were creating a new structure, and so we would give it an
InferredTypeTable if we were doing a non-reflective store (i.e. context = PutById). But that
same structure could already have been in use prior to us giving it an InferredTypeTable. At
that point bad things will start to happen because the objects created before we created the
table, and the inline caches compiled before then, will have types that disagree with the new
objects and inline caches despite them sharing the same structure and property names.

* runtime/JSObject.h:
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::putDirectWithoutTransition):
* runtime/Structure.h:
* tests/stress/add-inferred-type-table-to-existing-structure.js: Added.
(foo):
(bar):
(baz):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@190529 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/JSObject.h
Source/JavaScriptCore/runtime/Structure.h
Source/JavaScriptCore/tests/stress/add-inferred-type-table-to-existing-structure.js [new file with mode: 0644]