Bug 132695

Summary: Base case for get-by-id inline cache doesn't check for HasImpureGetOwnPropertySlot
Product: WebKit Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCoreAssignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, tobias.netzel
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch none

Mark Hahnenberg
Reported 2014-05-08 11:49:42 PDT
We check in the case where we're accessing something other than the base object, but we fail to do so for the base object.
Attachments
Patch (2.06 KB, patch)
2014-05-08 14:22 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (8.60 KB, patch)
2014-05-08 16:45 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Mark Hahnenberg
Comment 1 2014-05-08 14:22:04 PDT
Created attachment 231100 [details] Patch
Filip Pizlo
Comment 2 2014-05-08 14:23:07 PDT
Comment on attachment 231100 [details] Patch Can has test?
Mark Hahnenberg
Comment 3 2014-05-08 16:45:28 PDT
Created attachment 231112 [details] Patch
Mark Hahnenberg
Comment 4 2014-05-08 16:47:16 PDT
(In reply to comment #3) > Created an attachment (id=231112) [details] > Patch Re-uploaded because test.
WebKit Commit Bot
Comment 5 2014-05-08 17:23:06 PDT
Comment on attachment 231112 [details] Patch Clearing flags on attachment: 231112 Committed r168510: <http://trac.webkit.org/changeset/168510>
WebKit Commit Bot
Comment 6 2014-05-08 17:23:08 PDT
All reviewed patches have been landed. Closing bug.
Tobias Netzel
Comment 7 2014-10-25 09:53:15 PDT
I'm seeing a fail in the test added here when running with CLoop interpreter only. The check for HasImpureGetOwnPropertySlot that was added here seems to be missing in slow_path_get_by_id() in LLIntSlowPaths.cpp . I experimentally added an equivalent check there and this test now passes. In case a fix is needed please give feedback whether you'll fix it yourself or if I should open a new bug and post a patch. As I'm maintaining my own fork of WebKit that's always somewhat outdated, currently at 600.1.25, posting a patch against the trunk would be difficult for me - so I guess you'd want to fix it yourself. In fact I the exisiting check for "!structure->typeInfo().newImpurePropertyFiresWatchpoints()" seems to be wrong to me and I replaced it with "!(structure->typeInfo().hasImpureGetOwnPropertySlot() && !structure->typeInfo().newImpurePropertyFiresWatchpoints())", as this is what is checked for in the JIT compiler. But I have no idea whether this is correct.
Note You need to log in before you can comment on or make changes to this bug.