put_by_val_direct need to check the property is index or not for using putDirect...
authorutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 20 Jan 2015 21:14:48 +0000 (21:14 +0000)
committerutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 20 Jan 2015 21:14:48 +0000 (21:14 +0000)
commit81c7cb18240ed9920d1635c50920962fef4d748a
treef1e023f1f83fab57482bc74af25c0b7f87fcbeea
parente4b720765839b4bae0812e1f37b4dee8f24a5d6a
put_by_val_direct need to check the property is index or not for using putDirect / putDirectIndex
https://bugs.webkit.org/show_bug.cgi?id=140426

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

In the put_by_val_direct operation, we use JSObject::putDirect.
However, it only accepts non-index property. For index property, we need to use JSObject::putDirectIndex.
This patch changes Identifier::asIndex() to return Optional<uint32_t>.
It forces callers to check the value is index or not explicitly.
Additionally, it checks toString-ed Identifier is index or not to choose putDirect / putDirectIndex.

* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFor):
* bytecode/PutByIdStatus.cpp:
(JSC::PutByIdStatus::computeFor):
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitDirectPutById):
* dfg/DFGOperations.cpp:
(JSC::DFG::operationPutByValInternal):
* jit/JITOperations.cpp:
* jit/Repatch.cpp:
(JSC::emitPutTransitionStubAndGetOldStructure):
* jsc.cpp:
* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):
* runtime/Arguments.cpp:
(JSC::Arguments::getOwnPropertySlot):
(JSC::Arguments::put):
(JSC::Arguments::deleteProperty):
(JSC::Arguments::defineOwnProperty):
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSort):
* runtime/JSArray.cpp:
(JSC::JSArray::defineOwnProperty):
* runtime/JSCJSValue.cpp:
(JSC::JSValue::putToPrimitive):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
(JSC::JSGenericTypedArrayView<Adaptor>::put):
(JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
(JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
* runtime/JSObject.cpp:
(JSC::JSObject::put):
(JSC::JSObject::putDirectAccessor):
(JSC::JSObject::putDirectCustomAccessor):
(JSC::JSObject::deleteProperty):
(JSC::JSObject::putDirectMayBeIndex):
(JSC::JSObject::defineOwnProperty):
* runtime/JSObject.h:
(JSC::JSObject::getOwnPropertySlot):
(JSC::JSObject::getPropertySlot):
(JSC::JSObject::putDirectInternal):
* runtime/JSString.cpp:
(JSC::JSString::getStringPropertyDescriptor):
* runtime/JSString.h:
(JSC::JSString::getStringPropertySlot):
* runtime/LiteralParser.cpp:
(JSC::LiteralParser<CharType>::parse):
* runtime/PropertyName.h:
(JSC::toUInt32FromCharacters):
(JSC::toUInt32FromStringImpl):
(JSC::PropertyName::asIndex):
* runtime/PropertyNameArray.cpp:
(JSC::PropertyNameArray::add):
* runtime/StringObject.cpp:
(JSC::StringObject::deleteProperty):
* runtime/Structure.cpp:
(JSC::Structure::prototypeChainMayInterceptStoreTo):

Source/WebCore:

Test: js/dfg-put-by-val-direct-with-edge-numbers.html

* bindings/js/JSDOMWindowCustom.cpp:
(WebCore::JSDOMWindow::getOwnPropertySlot):
* bindings/js/JSHTMLAllCollectionCustom.cpp:
(WebCore::callHTMLAllCollection):
(WebCore::JSHTMLAllCollection::item):
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateGetOwnPropertySlotBody):
(GenerateImplementation):
* bindings/scripts/test/JS/JSFloat64Array.cpp:
(WebCore::JSFloat64Array::getOwnPropertySlot):
(WebCore::JSFloat64Array::getOwnPropertyDescriptor):
(WebCore::JSFloat64Array::put):
* bindings/scripts/test/JS/JSTestEventTarget.cpp:
(WebCore::JSTestEventTarget::getOwnPropertySlot):
* bridge/runtime_array.cpp:
(JSC::RuntimeArray::getOwnPropertySlot):
(JSC::RuntimeArray::put):

LayoutTests:

* js/dfg-put-by-val-direct-with-edge-numbers-expected.txt: Added.
* js/dfg-put-by-val-direct-with-edge-numbers.html: Added.
* js/script-tests/dfg-put-by-val-direct-with-edge-numbers.js: Added.
(lookupWithKey):
(lookupWithKey2):
(toStringThrowsError.toString):
* resources/js-test-pre.js:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@178751 268f45cc-cd09-0410-ab3c-d52691b4dbfc
35 files changed:
LayoutTests/ChangeLog
LayoutTests/js/dfg-put-by-val-direct-with-edge-numbers-expected.txt [new file with mode: 0644]
LayoutTests/js/dfg-put-by-val-direct-with-edge-numbers.html [new file with mode: 0644]
LayoutTests/js/script-tests/dfg-put-by-val-direct-with-edge-numbers.js [new file with mode: 0644]
LayoutTests/resources/js-test-pre.js
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/GetByIdStatus.cpp
Source/JavaScriptCore/bytecode/PutByIdStatus.cpp
Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/jit/JITOperations.cpp
Source/JavaScriptCore/jit/Repatch.cpp
Source/JavaScriptCore/jsc.cpp
Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
Source/JavaScriptCore/runtime/Arguments.cpp
Source/JavaScriptCore/runtime/ArrayPrototype.cpp
Source/JavaScriptCore/runtime/JSArray.cpp
Source/JavaScriptCore/runtime/JSCJSValue.cpp
Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
Source/JavaScriptCore/runtime/JSObject.cpp
Source/JavaScriptCore/runtime/JSObject.h
Source/JavaScriptCore/runtime/JSString.cpp
Source/JavaScriptCore/runtime/JSString.h
Source/JavaScriptCore/runtime/LiteralParser.cpp
Source/JavaScriptCore/runtime/PropertyName.h
Source/JavaScriptCore/runtime/PropertyNameArray.cpp
Source/JavaScriptCore/runtime/StringObject.cpp
Source/JavaScriptCore/runtime/Structure.cpp
Source/WebCore/ChangeLog
Source/WebCore/bindings/js/JSDOMWindowCustom.cpp
Source/WebCore/bindings/js/JSHTMLAllCollectionCustom.cpp
Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
Source/WebCore/bindings/scripts/test/JS/JSFloat64Array.cpp
Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.cpp
Source/WebCore/bridge/runtime_array.cpp