Bug 202599

Looks like this broke API tests. Can you look into it?

Created attachment 387394 [details] Patch Fix API tests and add ASSERTs.

Comment on attachment 387394 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=387394&action=review Nice. But I think this patch is not covering DFG and FTL e.g. operationCreatePromise in DFGOperations invoked by DFG::CreatePromise. 1. Add DFG / FTL handlings. 2. Can you clarify why JSGenerator / JSAsyncGenerator etc. are OK? 3. Why are Wasm constructors OK? 4. Why are Intl constructors OK? > Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:292 > } InternalFunction::createSubclassStructure is used for `slow_path_create_generator`, `slow_path_create_async_generator` etc. Why are they OK? Can you add clarification in ChangeLog?

Created attachment 396291 [details] Patch Cover operationCreatePromise (+ add test), WASM & Intl constructors, fix .prototype realm.

I think CreateGenerator / CreateAsyncGenerator need to be supported too, is it correct? Can you grep InternalFunction::createSubclassStructure to ensure that all the cases are supported?

(In reply to Yusuke Suzuki from comment #18) > 1. Add DFG / FTL handlings. Done (with a test). > 2. Can you clarify why JSGenerator / JSAsyncGenerator etc. are OK? > InternalFunction::createSubclassStructure is used for `slow_path_create_generator`, `slow_path_create_async_generator` etc. Why are they OK? Done, please see ChangeLog. > 3. Why are Wasm constructors OK? > 4. Why are Intl constructors OK? I was planning to cover those in a follow-up patch to simplify review process, but it seems like it would be better to fix all existing InternalFunction::createSubclassStructure() call sites with a single change. 5 of 8 WASM constructors are currently subclassable, all of them are fixed by updated patch. The remaining 3 would require a follow-up patch that adds InternalFunction::createSubclassStructure() with regard to correct realm. Tests for all WASM constructors are coming in https://github.com/web-platform-tests/wpt/pull/22833. Those tests depend on "wasm-module-builder.js" harness which seems to be broken/outdated in WebKit trunk.

(In reply to Yusuke Suzuki from comment #20) > I think CreateGenerator / CreateAsyncGenerator need to be supported too, is > it correct? They use active function's (GeneratorFunctionConstructor / AsyncGeneratorFunctionConstructor) realm according to steps 23-24 of https://tc39.es/ecma262/#sec-createdynamicfunction. > Can you grep InternalFunction::createSubclassStructure to ensure that all > the cases are supported? We support all cases in Source/JavaScriptCore except for generators and internal promises. DOM constructors were fixed in https://trac.webkit.org/r256716, HTML custom elements upgrades are also correct.

Comment on attachment 396291 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=396291&action=review > Source/JavaScriptCore/dfg/DFGOperations.cpp:396 > + JSValue newTarget = callFrame->newTarget(); This is not correct. CallFrame is per-DFG-CodeBlock. So if your inlined function has different realm to the root DFG CodeBlock, this returns wrong result. And if the root CodeBlock is not constructor call, accessing newTarget is not OK. I think that this modification is not necessary: globalObject is pointing proper lexical global object to `op_create_promise` bytecode. Can you ensure this?

Comment on attachment 396291 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=396291&action=review >> Source/JavaScriptCore/dfg/DFGOperations.cpp:396 >> + JSValue newTarget = callFrame->newTarget(); > > This is not correct. CallFrame is per-DFG-CodeBlock. So if your inlined function has different realm to the root DFG CodeBlock, this returns wrong result. And if the root CodeBlock is not constructor call, accessing newTarget is not OK. > I think that this modification is not necessary: globalObject is pointing proper lexical global object to `op_create_promise` bytecode. > Can you ensure this? Ah, maybe, some modification is required, but you cannot use `CallFrame::newTarget` here. I think you need to pass newTarget value to CreatePromise DFG node, and you need to modify DFG / FTL code too. Is my understanding correct?

(In reply to Yusuke Suzuki from comment #24) > Ah, maybe, some modification is required, but you cannot use > `CallFrame::newTarget` here. I think you need to pass newTarget value to > CreatePromise DFG node, and you need to modify DFG / FTL code too. Is my > understanding correct? Yes, the stress test this change is adding was failing before DFGOperations.cpp modification. NewTarget from another realm for Promise is an extremely rare case, maybe we should just fall back to slow path in compileCreatePromise()?

Created attachment 396323 [details] Patch Drop CallFrame::newTarget() usage in DFG operation.

Comment on attachment 396323 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=396323&action=review > Source/JavaScriptCore/dfg/DFGOperations.cpp:397 > + Structure* baseStructure = constructor->globalObject(vm)->promiseStructure(); > + Structure* structure = InternalFunction::createSubclassStructure(globalObject, globalObject->promiseConstructor(), constructor, baseStructure); Oh, yeah, looks correct!

Created attachment 396653 [details] Patch Rebase patch on updated test262/expectations.yaml.

Created attachment 396784 [details] Patch Introduce getFunctionRealm().

*** Bug 205669 has been marked as a duplicate of this bug. ***

Comment on attachment 396784 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=396784&action=review r=me > Source/JavaScriptCore/runtime/InternalFunction.cpp:157 > + if (auto* boundFunction = jsDynamicCast<JSBoundFunction*>(vm, object)) Use `inherit<JSBoundFunction>` instead of jsDynamicCast. jsDynamicCast uses `LIKELY()` internally, which means that we are saying that this is likely a JSBoundFunction. But it is not. > Source/JavaScriptCore/runtime/InternalFunction.cpp:160 > + if (auto* proxy = jsDynamicCast<ProxyObject*>(vm, object)) { Ditto.

Created attachment 397617 [details] Patch Drop jsDynamicCast, handle Intl.RelativeTimeFormat and mark more tests as passing.

(In reply to Yusuke Suzuki from comment #31) > Use `inherit<JSBoundFunction>` instead of jsDynamicCast. jsDynamicCast uses > `LIKELY()` internally, which means that we are saying that this is likely a > JSBoundFunction. But it is not. Thank you for taking time to review this: it is quite massive. I've used type() == ProxyObjectType as it seems like a common way and feels a bit faster.

Committed r260732: <https://trac.webkit.org/changeset/260732> All reviewed patches have been landed. Closing bug and clearing flags on attachment 397617 [details].

<rdar://problem/62408975>