Bug 159226

Summary:

get_by_id_with_this does not trigger a to_this in caller.

Product:

WebKit

Reporter:

Keith Miller <keith_miller>

Component:

JavaScriptCore

Assignee:

Saam Barati <saam>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

commit-queue, mark.lam, msaboff, saam

Priority:

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
bad test case.	none
patch	none
patch	keith_miller: review+

Description Keith Miller 2016-06-28 13:59:01 PDT

Created attachment 282281 [details]
bad test case.

run the attached test and it will throw an exception, which it should not.

Comment 1 Saam Barati 2016-06-30 12:33:39 PDT

Created attachment 282456 [details]
patch

Comment 2 Keith Miller 2016-06-30 12:35:37 PDT

Comment on attachment 282456 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=282456&action=review

> Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:554
> +            } else if (functionNode->usesThis() || codeBlock->usesEval() || isThisUsedInInnerArrowFunction() || functionNode->usesSuperProperty()) {

Can you tell if we are inside an object literal vs a class? If so, maybe we should only emit the to_this if we are in an object literal. Otherwise file a bug?

Comment 3 Keith Miller 2016-06-30 12:36:32 PDT

Comment on attachment 282456 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=282456&action=review

>> Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:554
>> +            } else if (functionNode->usesThis() || codeBlock->usesEval() || isThisUsedInInnerArrowFunction() || functionNode->usesSuperProperty()) {
> 
> Can you tell if we are inside an object literal vs a class? If so, maybe we should only emit the to_this if we are in an object literal. Otherwise file a bug?

Or even better, only do it if the code is strict.

Comment 4 Keith Miller 2016-06-30 12:36:48 PDT

non-strict*

Comment 5 Saam Barati 2016-06-30 12:39:06 PDT

(In reply to comment #4)
> non-strict*

I lied about the only case that matters is non-strict to
strict. Both directions matter. Whenever strictness of callee
vs caller are different, there will be user observable effects.

Comment 6 Saam Barati 2016-06-30 12:39:24 PDT

(In reply to comment #5)
> (In reply to comment #4)
> > non-strict*
> 
> I lied about the only case that matters is non-strict to
> strict. Both directions matter. Whenever strictness of callee
> vs caller are different, there will be user observable effects.

I'll add a test for this.

Comment 7 Saam Barati 2016-06-30 12:54:05 PDT

(In reply to comment #2)
> Comment on attachment 282456 [details]
> patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=282456&action=review
> 
> > Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:554
> > +            } else if (functionNode->usesThis() || codeBlock->usesEval() || isThisUsedInInnerArrowFunction() || functionNode->usesSuperProperty()) {
> 
> Can you tell if we are inside an object literal vs a class? If so, maybe we
> should only emit the to_this if we are in an object literal. Otherwise file
> a bug?

After thinking about it more, I don't think this is sound.
You don't know if you're definitely calling a strict method,
even if you're in a class because you can muck with the super
class' prototype after it's been constructed. I'll verify
that this is correct by adding a test.

Comment 8 Saam Barati 2016-06-30 13:53:03 PDT

(In reply to comment #5)
> (In reply to comment #4)
> > non-strict*
> 
> I lied about the only case that matters is non-strict to
> strict. Both directions matter. Whenever strictness of callee
> vs caller are different, there will be user observable effects.

Actually, I think I'm wrong. We only care if the caller is not-strict.
If the caller is strict, and callee is not strict, we don't need to
to_this for a super property access.

Comment 9 Saam Barati 2016-06-30 13:55:07 PDT

(In reply to comment #7)
> (In reply to comment #2)
> > Comment on attachment 282456 [details]
> > patch
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=282456&action=review
> > 
> > > Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:554
> > > +            } else if (functionNode->usesThis() || codeBlock->usesEval() || isThisUsedInInnerArrowFunction() || functionNode->usesSuperProperty()) {
> > 
> > Can you tell if we are inside an object literal vs a class? If so, maybe we
> > should only emit the to_this if we are in an object literal. Otherwise file
> > a bug?
> 
> After thinking about it more, I don't think this is sound.
> You don't know if you're definitely calling a strict method,
> even if you're in a class because you can muck with the super
> class' prototype after it's been constructed. I'll verify
> that this is correct by adding a test.

This is sound, given my previous comment that strict to not-strict
doesn't need to to_this for super property access.

Comment 10 Saam Barati 2016-06-30 14:52:00 PDT

Created attachment 282472 [details]
patch

Comment 11 WebKit Commit Bot 2016-06-30 14:54:27 PDT

Attachment 282472 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:554:  One line control clauses should not use braces.  [whitespace/braces] [4]
Total errors found: 1 in 5 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 12 Keith Miller 2016-06-30 14:59:00 PDT

Comment on attachment 282472 [details]
patch

r=me

Comment 13 Keith Miller 2016-06-30 15:00:20 PDT

Comment on attachment 282472 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=282472&action=review

> Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:552
>              } else if (constructorKind() != ConstructorKind::None) {

You should get rid of these braces though.

Comment 14 Saam Barati 2016-06-30 15:07:27 PDT

landed in:
http://trac.webkit.org/changeset/202710