PropertyAttribute needs a CustomValue bit.
author: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 11 Dec 2018 02:42:27 +0000 (02:42 +0000)
committer: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 11 Dec 2018 02:42:27 +0000 (02:42 +0000)
commit: 50c5d5da3f67f63cf515ed13342fe2f12affe6b0
tree: f1e2d7d798dd5d7bf277ce31724580bcdaaa6809
parent: 9bb52e56f48ec057a2d5398a7a9eeab162da7ed1
PropertyAttribute needs a CustomValue bit.
https://bugs.webkit.org/show_bug.cgi?id=191993
<rdar://problem/46264467>

Reviewed by Saam Barati.

JSTests:

* stress/regress-191993.js: Added.

Source/JavaScriptCore:

This is because GetByIdStatus needs to distinguish CustomValue properties from
other types, and its only means of doing so is via the property's attributes.
Previously, there was nothing in the property's attributes that could indicate that
the property is a CustomValue.

We fix this by doing the following:

1. Added a PropertyAttribute::CustomValue bit.
2. Added a PropertyAttribute::CustomAccessorOrValue convenience bit mask that is
   CustomAccessor | CustomValue.

3. Since CustomGetterSetter properties are only set via JSObject::putDirectCustomAccessor(),
   we added a check in JSObject::putDirectCustomAccessor() to see if the attributes
   bits include PropertyAttribute::CustomAccessor.  If not, then the property
   must be a CustomValue, and we'll add the PropertyAttribute::CustomValue bit
   to the attributes bits.

   This ensures that the property attributes are sufficient to tell us if the
   property contains a CustomGetterSetter.

4. Updated all checks for PropertyAttribute::CustomAccessor to check for
   PropertyAttribute::CustomAccessorOrValue instead if their intent is to check
   for the presence of a CustomGetterSetter as opposed to checking specifically
   for one that is used as a CustomAccessor.

   This includes all the Structure transition code that needs to capture the
   attributes change when a CustomValue has been added.

5. Filtered out the PropertyAttribute::CustomValue bit in PropertyDescriptor.
   The fact that we're using a CustomGetterSetter as a CustomValue should remain
   invisible to the descriptor.  This is because the descriptor should describe
   a CustomValue no differently from a plain value.

6. Added some asserts to ensure that property attributes are as expected, and to
   document some invariants.
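The attribute-bit mechanism described in steps 1 through 5, as an added stand-alone model that is not the patch's or JavaScriptCore's own code: the bit values, the `Property` struct and the function names are placeholders chosen for illustration, and only the logic (tag a CustomGetterSetter stored without CustomAccessor as CustomValue, test for CustomAccessorOrValue, strip CustomValue in the descriptor) mirrors the change.

```cpp
// Illustrative model of the CustomValue bit; bit values are placeholders, not JSC's.
#include <cstdint>

namespace model {

enum PropertyAttribute : unsigned {
    None           = 0,
    ReadOnly       = 1 << 0,
    DontEnum       = 1 << 1,
    Accessor       = 1 << 2,   // JS getter/setter pair
    CustomAccessor = 1 << 3,   // native CustomGetterSetter used as an accessor
    CustomValue    = 1 << 4,   // native CustomGetterSetter used as a value (new bit)
    CustomAccessorOrValue = CustomAccessor | CustomValue,
};

// A stored property: either a plain value or a CustomGetterSetter, plus attributes.
struct Property {
    bool holdsCustomGetterSetter;
    unsigned attributes;
};

// Pre-fix behaviour (hypothetical): the CustomGetterSetter leaves no trace in the
// attributes unless the caller passed CustomAccessor.
Property putDirectCustomAccessorBefore(unsigned attributes)
{
    return Property { true, attributes };
}

// Post-fix behaviour (step 3): a CustomGetterSetter stored without CustomAccessor
// must be a CustomValue, so the CustomValue bit is added.
Property putDirectCustomAccessor(unsigned attributes)
{
    if (!(attributes & CustomAccessor))
        attributes |= CustomValue;
    return Property { true, attributes };
}

Property putDirectValue(unsigned attributes) { return Property { false, attributes }; }

// Step 4: the question GetByIdStatus must answer from the attributes alone.
bool hasCustomGetterSetter(const Property& p) { return (p.attributes & CustomAccessorOrValue) != 0; }

// Step 6: invariant the patch asserts, attributes alone reveal a CustomGetterSetter.
bool attributesConsistent(const Property& p) { return hasCustomGetterSetter(p) == p.holdsCustomGetterSetter; }

// Step 5: PropertyDescriptor describes a CustomValue like a plain value.
unsigned descriptorAttributes(const Property& p) { return p.attributes & ~static_cast<unsigned>(CustomValue); }

} // namespace model
```

With the pre-fix function, `attributesConsistent` fails for a CustomGetterSetter stored with only `DontEnum`; with the post-fix function it holds for every path.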

* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
(JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
(JSC::GetByIdStatus::computeFor):
* bytecode/InByIdStatus.cpp:
(JSC::InByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
* bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor):
* runtime/JSFunction.cpp:
(JSC::getCalculatedDisplayName):
* runtime/JSObject.cpp:
(JSC::JSObject::putDirectCustomAccessor):
(JSC::JSObject::putDirectNonIndexAccessor):
(JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
* runtime/JSObject.h:
(JSC::JSObject::putDirectIndex):
(JSC::JSObject::fillCustomGetterPropertySlot):
(JSC::JSObject::putDirect):
* runtime/JSObjectInlines.h:
(JSC::JSObject::putDirectInternal):
* runtime/PropertyDescriptor.cpp:
(JSC::PropertyDescriptor::setDescriptor):
(JSC::PropertyDescriptor::setCustomDescriptor):
(JSC::PropertyDescriptor::setAccessorDescriptor):
* runtime/PropertySlot.h:
(JSC::PropertySlot::setCustomGetterSetter):

Source/WebCore:

This patch revealed a bug in the CodeGenerator where a constructor property is
set with a ReadOnly attribute.  This conflicts with the WebIDL link (see clause
12 in https://heycam.github.io/webidl/#interface-prototype-object) which states
that it should be [Writable].  The ReadOnly attribute is now removed.

On the WebCore side, this change is covered by existing tests.

* bindings/scripts/CodeGeneratorJS.pm:
(GenerateImplementation):
* bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp:
(WebCore::jsTestCustomConstructorWithNoInterfaceObjectConstructor):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@239062 268f45cc-cd09-0410-ab3c-d52691b4dbfc
16 files changed:
JSTests/ChangeLog
JSTests/stress/regress-191993.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/GetByIdStatus.cpp
Source/JavaScriptCore/bytecode/InByIdStatus.cpp
Source/JavaScriptCore/bytecode/PropertyCondition.cpp
Source/JavaScriptCore/bytecode/PutByIdStatus.cpp
Source/JavaScriptCore/runtime/JSFunction.cpp
Source/JavaScriptCore/runtime/JSObject.cpp
Source/JavaScriptCore/runtime/JSObject.h
Source/JavaScriptCore/runtime/JSObjectInlines.h
Source/JavaScriptCore/runtime/PropertyDescriptor.cpp
Source/JavaScriptCore/runtime/PropertySlot.h
Source/WebCore/ChangeLog
Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
Source/WebCore/bindings/scripts/test/JS/JSTestCustomConstructorWithNoInterfaceObject.cpp