putDirectIndex does not properly do defineOwnProperty
author: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 5 May 2017 22:35:31 +0000 (22:35 +0000)
committer: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 5 May 2017 22:35:31 +0000 (22:35 +0000)
commit: b2c9cb42808143356ca18a6bfb319ba784f55d52
tree: b2b37ca269f38e63a1ef7ee5591b4f7fc3817332
parent: 85a7138a45f09638f2efeff30c30dbc990c4cd13
putDirectIndex does not properly do defineOwnProperty
https://bugs.webkit.org/show_bug.cgi?id=171591
<rdar://problem/31735695>

Reviewed by Geoffrey Garen.

JSTests:

* stress/array-prototype-splice-making-typed-array.js:
(test):
* stress/array-species-config-array-constructor.js:
(shouldThrow):
(test):
* stress/put-direct-index-broken-2.js: Added.
(assert):
(test):
(makeLengthWritable):
(set get restoreOldDesc):
* stress/put-direct-index-broken.js: Added.
(whatToTest):
(tryRunning):
(tryItOut):
* stress/put-indexed-getter-setter.js: Added.
(foo.X.prototype.set 7):
(foo.X.prototype.get 7):
(foo.X):
(foo):

Source/JavaScriptCore:

This patch fixes putDirectIndex and its JIT implementations to be
compatible with the ES6 spec. I think our code became out of date
when we implemented ArraySpeciesCreate since ArraySpeciesCreate may
return arbitrary objects. We perform putDirectIndex on that arbitrary
object. The behavior we want is as if we performed defineProperty({configurable:true, enumerable:true, writable:true}).
However, we weren't doing this. putDirectIndex assumed it could just splat
data into any descendant of JSObject's butterfly. For example, this means
we'd just splat into the butterfly of a typed array, even though a typed
array doesn't use its butterfly to store its indexed properties in the usual
way. Also, typed array properties are non-configurable, so this operation
should throw. This also means if we saw a ProxyObject, we'd just splat
into its butterfly, but this is obviously wrong because ProxyObject should
intercept the defineProperty operation.

This patch fixes this issue by adding a whitelist of cell types that can
go down putDirectIndex's fast path. Anything not in that whitelist will
simply call into defineOwnProperty.

* bytecode/ByValInfo.h:
(JSC::jitArrayModePermitsPutDirect):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine):
* jit/JITOperations.cpp:
* runtime/ArrayPrototype.cpp:
(JSC::arrayProtoFuncSplice):
* runtime/ClonedArguments.cpp:
(JSC::ClonedArguments::createStructure):
* runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::defineOwnProperty):
* runtime/JSObject.cpp:
(JSC::canDoFastPutDirectIndex):
(JSC::JSObject::defineOwnIndexedProperty):
(JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
(JSC::JSObject::putDirectIndexBeyondVectorLength): Deleted.
* runtime/JSObject.h:
(JSC::JSObject::putDirectIndex):
(JSC::JSObject::canSetIndexQuicklyForPutDirect): Deleted.
* runtime/JSType.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@216279 268f45cc-cd09-0410-ab3c-d52691b4dbfc
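The semantics the commit message describes, as an added example that is not part of the WebKit commit or its tests: `Array.prototype.splice` creates its result through `Symbol.species`, so the object receiving the deleted elements can be anything, and each element write must behave as `defineProperty({configurable:true, enumerable:true, writable:true})`. The species constructors, handler and array contents below are constructed for illustration.

```javascript
// Constructed example: runs the splice -> ArraySpeciesCreate ->
// CreateDataPropertyOrThrow sequence with a species constructor chosen so
// the "arbitrary object" is a Proxy or a typed array, and checks the
// ES-mandated outcome that a putDirectIndex fast path must not bypass.

// Make splice build its result through `speciesCtor` instead of Array.
function spliceWithSpecies(speciesCtor) {
  const arr = [1, 2, 3, 4];
  arr.constructor = { [Symbol.species]: speciesCtor };
  return arr.splice(0, 2); // deleted elements land in the species object
}

// Case 1: the species object is a Proxy. Every element write must arrive
// as a [[DefineOwnProperty]] carrying a full data descriptor (value,
// writable:true, enumerable:true, configurable:true), so the trap can
// observe or veto it; a raw store into the butterfly would skip the trap.
// (The trailing write of "length" can reach the same trap, because a Proxy
// with no `set` trap falls back to defining the property on the receiver.)
function spliceIntoProxy() {
  const seen = [];
  const handler = {
    defineProperty(target, key, desc) {
      seen.push({ key, desc: { ...desc } });
      return Reflect.defineProperty(target, key, desc);
    },
  };
  const result = spliceWithSpecies(function () {
    return new Proxy({}, handler);
  });
  return { result, seen };
}

// Case 2: the species object is a typed array whose [[DefineOwnProperty]]
// refuses the define (a zero-length view has no valid index "0"). The
// spec-conformant outcome is a TypeError, never a silent write into
// storage the typed array does not use for its elements.
function spliceIntoTypedArray() {
  try {
    spliceWithSpecies(function () { return new Uint8Array(0); });
    return null; // unreachable on a conformant engine
  } catch (e) {
    return e.constructor.name;
  }
}
```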
16 files changed:
JSTests/ChangeLog
JSTests/stress/array-prototype-splice-making-typed-array.js
JSTests/stress/array-species-config-array-constructor.js
JSTests/stress/put-direct-index-broken-2.js [new file with mode: 0644]
JSTests/stress/put-direct-index-broken.js [new file with mode: 0644]
JSTests/stress/put-indexed-getter-setter.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/ByValInfo.h
Source/JavaScriptCore/dfg/DFGArrayMode.cpp
Source/JavaScriptCore/jit/JITOperations.cpp
Source/JavaScriptCore/runtime/ArrayPrototype.cpp
Source/JavaScriptCore/runtime/ClonedArguments.cpp
Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
Source/JavaScriptCore/runtime/JSObject.cpp
Source/JavaScriptCore/runtime/JSObject.h
Source/JavaScriptCore/runtime/JSType.h