[ES6] Module namespace object should not allow unset IC
author utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 8 Aug 2016 02:48:56 +0000 (02:48 +0000)
committer utatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 8 Aug 2016 02:48:56 +0000 (02:48 +0000)
commit a16ed78f7b95b04ef38685589b431cadd5f56477
tree b3819de42ab1ceb3af4c547c7ff0a1b37f5006fc
parent 38cb4d17f2a99f0647e9bb687a7558f34d70f13c
[ES6] Module namespace object should not allow unset IC
https://bugs.webkit.org/show_bug.cgi?id=160553

Reviewed by Saam Barati.

JSTests:

* modules/namespace-object-get-property.js: Added.
(import.as.ns.from.string_appeared_here.shouldThrow):
* modules/namespace-object-has-property.js: Added.
* modules/namespace-object-inline-caching.js: Added.
(import.as.A.from.string_appeared_here.import.as.B.from.string_appeared_here.lookup):
(shouldBe.lookup.lookup):
(shouldBe.lookup):
* modules/namespace-object-inline-caching/a.js: Added.
* modules/namespace-object-inline-caching/b.js: Added.
* modules/namespace-object-try-get.js: Added.
(import.as.ns.from.string_appeared_here.tryGetByIdText):
(tryGetByIdTextStrict):
* modules/namespace-object-typed-array-fast-path.js: Added.
* test262.yaml:

Source/JavaScriptCore:

Previously, the module namespace object accidentally allowed "unset IC". But this "unsetness" does not rely on
the structure. We should disable inline caching onto the namespace object. Once it is needed, we should
create the special caching for the namespace object like the following: it should be similar to monomorphic IC,
but it caches the object itself instead of the structure. It checks the object itself (and in DFG, it should be
CheckCell) and loads the value from the target module environment directly[1].

And this patch also sets setIsTaintedByProxy for the module namespace object to notify the caller that
this object has impure ::getOwnPropertySlot. Then this function is now renamed to setIsTaintedByOpaqueObject.

We drop the hack in JSModuleNamespaceObject::getOwnPropertySlot since we already introduced InternalMethodType
for ProxyObject. Previously we could not distinguish ::HasProperty and ::GetOwnProperty. So not to throw any
errors for the ::HasProperty case, we used slot.setCustom to delay the observable operation.
But this hack lacks the support for hasOwnProperty: hasOwnProperty uses [[GetOwnProperty]], so it should throw an error.
However, the previous implementation does not throw an error since the delayed observable part (custom function part) is
skipped in the hasOwnProperty implementation. We now remove this custom property hack and fix the corresponding failure
in test262.

[1]: https://bugs.webkit.org/show_bug.cgi?id=160590

* jit/JITOperations.cpp:
* runtime/ArrayPrototype.cpp:
(JSC::getProperty):
* runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewWithArguments):
* runtime/JSModuleNamespaceObject.cpp:
(JSC::JSModuleNamespaceObject::getOwnPropertySlot):
(JSC::callbackGetter): Deleted.
* runtime/JSModuleNamespaceObject.h:
* runtime/PropertySlot.cpp:
(JSC::PropertySlot::getPureResult):
* runtime/PropertySlot.h:
(JSC::PropertySlot::PropertySlot):
(JSC::PropertySlot::setIsTaintedByOpaqueObject):
(JSC::PropertySlot::isTaintedByOpaqueObject):
(JSC::PropertySlot::setIsTaintedByProxy): Deleted.
(JSC::PropertySlot::isTaintedByProxy): Deleted.
* runtime/ProxyObject.cpp:
(JSC::ProxyObject::getOwnPropertySlotCommon):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@204248 268f45cc-cd09-0410-ab3c-d52691b4dbfc
18 files changed:
JSTests/ChangeLog
JSTests/modules/namespace-object-get-property.js [new file with mode: 0644]
JSTests/modules/namespace-object-has-property.js [new file with mode: 0644]
JSTests/modules/namespace-object-inline-caching.js [new file with mode: 0644]
JSTests/modules/namespace-object-inline-caching/a.js [new file with mode: 0644]
JSTests/modules/namespace-object-inline-caching/b.js [new file with mode: 0644]
JSTests/modules/namespace-object-try-get.js [new file with mode: 0644]
JSTests/modules/namespace-object-typed-array-fast-path.js [new file with mode: 0644]
JSTests/test262.yaml
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/jit/JITOperations.cpp
Source/JavaScriptCore/runtime/ArrayPrototype.cpp
Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h
Source/JavaScriptCore/runtime/JSModuleNamespaceObject.cpp
Source/JavaScriptCore/runtime/JSModuleNamespaceObject.h
Source/JavaScriptCore/runtime/PropertySlot.cpp
Source/JavaScriptCore/runtime/PropertySlot.h
Source/JavaScriptCore/runtime/ProxyObject.cpp
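
The caching problem the commit message describes, as a toy model added here (not JavaScriptCore code and not one of the tests in this commit). It assumes "unset IC" means a property miss cached per structure; `Structure`, `NamespaceLike`, `makeLookupSite` and `runDemo` are hypothetical names, and only the `taintedByOpaqueObject` flag mirrors the `PropertySlot` method named in the change list.

```javascript
// Toy model of a structure-keyed "unset" (cached miss) inline cache.
// All classes and functions below are constructed for illustration.
class Structure {}

// Every namespace-like object shares one structure, but which names it
// exposes depends on its own export table, not on that structure.
const NAMESPACE_STRUCTURE = new Structure();

class NamespaceLike {
  constructor(exportTable) {
    this.structure = NAMESPACE_STRUCTURE;
    this.exportTable = exportTable;
  }
  // Impure lookup: the result cannot be predicted from the structure,
  // so the slot is marked as tainted by an opaque object.
  getOwnPropertySlot(name) {
    const found = Object.prototype.hasOwnProperty.call(this.exportTable, name);
    return {
      found,
      value: found ? this.exportTable[name] : undefined,
      taintedByOpaqueObject: true,
    };
  }
}

// One property-access site. It remembers the structures on which `name`
// was absent and answers later lookups on them without asking the object.
function makeLookupSite(name, honorTaint) {
  const unsetStructures = new Set();
  return function lookup(object) {
    if (unsetStructures.has(object.structure)) return undefined; // cached miss
    const slot = object.getOwnPropertySlot(name);
    const cacheable = !(honorTaint && slot.taintedByOpaqueObject);
    if (!slot.found && cacheable) unsetStructures.add(object.structure);
    return slot.found ? slot.value : undefined;
  };
}

// Two namespace-like objects with different exports hit the same site.
function runDemo(honorTaint) {
  const lookup = makeLookupSite("b", honorTaint);
  const nsA = new NamespaceLike({ a: 1 }); // no export named "b"
  const nsB = new NamespaceLike({ b: 2 }); // exports "b"
  return [lookup(nsA), lookup(nsB)];
}

console.log(runDemo(false)); // miss on nsA is cached and wrongly reused for nsB
console.log(runDemo(true));  // tainted slot is never cached, nsB resolves "b"
```

With the taint flag ignored, the second lookup returns the stale miss recorded for the first object; honoring it forces the slow path each time, which is the "disable inline caching" behaviour the message asks for until an object-identity cache exists.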