Our for-in caching is wrong when we add indexed properties on things in the prototype...
author sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 11 Jan 2018 08:16:06 +0000 (08:16 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 11 Jan 2018 08:16:06 +0000 (08:16 +0000)
commit 02be04e6a2d92ee5deb3c9036a8433a68abeb996
tree ebc7493c491b4df430e22183039face4e4dfb88c
parent 0e5cd00a9868dc5dd02f807974463b2899539a67
Our for-in caching is wrong when we add indexed properties on things in the prototype chain
https://bugs.webkit.org/show_bug.cgi?id=181508

Reviewed by Yusuke Suzuki.

JSTests:

* stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js: Added.
(assert):
(test1.foo):
(test1):
(test2.foo):
(test2):

Source/JavaScriptCore:

Our for-in caching would cache structure chains that had prototypes with
indexed properties. Clearly this is wrong. This caching breaks when a prototype
adds new indexed properties. We would continue to enumerate the old cached
state of properties, and not include the new indexed properties.

The old code used to prevent caching only if the base structure had
indexed properties. This patch extends it to prevent caching if the
base, or any structure in the prototype chain, has indexed properties.

* runtime/Structure.cpp:
(JSC::Structure::canCachePropertyNameEnumerator const):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226767 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/for-in-prototype-with-indexed-properties-should-prevent-caching.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/Structure.cpp
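
The behaviour the commit message describes, written as a regression check that runs in any JavaScript engine. This is an added example, not the JSTests file from this commit; the function names, the index 7 and the warm-up count are assumptions chosen for illustration.

```javascript
// Added example, not WebKit's stress test; all names here are hypothetical.

// Collect keys with for-in. Calling this repeatedly on the same object gives
// an engine the chance to cache the enumerated names for its structure chain.
function enumerate(obj) {
  const keys = [];
  for (const k in obj) keys.push(k);
  return keys;
}

// Build base -> proto -> grandproto, warm the for-in site, then add an
// indexed property to the chosen link of the chain and enumerate again.
function enumerateAfterIndexedAdd(target, preexistingIndex) {
  const grandproto = { g: 1 };
  const proto = Object.create(grandproto);
  proto.p = 2;
  const base = Object.create(proto);
  base.b = 3;
  const chain = { base, proto, grandproto };
  if (preexistingIndex) chain[target][0] = "old";
  for (let i = 0; i < 10000; i++) enumerate(base); // warm-up (constructed count)
  const before = enumerate(base);
  chain[target][7] = "new"; // indexed property added after the cache is warm
  return { before, after: enumerate(base) };
}

// True when the post-mutation enumeration contains the new index "7"
// plus every key that was seen before the mutation, and nothing else.
function seesNewIndex(result) {
  return result.after.includes("7") &&
    result.before.every((k) => result.after.includes(k)) &&
    result.after.length === result.before.length + 1;
}

// Cover the base object and each prototype link, with and without an
// indexed property already present on that link before warm-up.
const cases = [["base", false], ["proto", false], ["grandproto", false],
               ["proto", true], ["grandproto", true]];
for (const [target, pre] of cases) {
  const ok = seesNewIndex(enumerateAfterIndexedAdd(target, pre));
  console.log(`${target} preexistingIndex=${pre}: ${ok ? "ok" : "STALE ENUMERATION"}`);
}
```

An engine that keeps serving a cached name list after the prototype changes reports `STALE ENUMERATION` for the affected link.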