Bug 208337
| Summary: | Fix semantic bugs in put inline caching | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Justin Michaud <justin_michaud> |
| Component: | JavaScriptCore | Assignee: | Justin Michaud <justin_michaud> |
| Status: | RESOLVED CONFIGURATION CHANGED | ||
| Severity: | Normal | ||
| Priority: | P2 | ||
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Bug Depends on: | 208261 | ||
| Bug Blocks: | |||
Justin Michaud
Put inline caching is semantically incorrect in some cases with poly proto. See https://bugs.webkit.org/show_bug.cgi?id=208261.
We sometimes continue to cache a setter, even though it has changed the prototype chain. Additional cases to consider are puts
involving prototype chains that have static property accessors. This is exposed as a result of 206430 since DefineOwnProperty
used to transition to uncacheable dictionary.
A - setter for x defines a new setter for x on B
|
B
|
C
We set (new C).x
We first call the setter, then try to figure out what the state of things
were before it was called. We see that A's setter still exists, so we cache it
without ever checking that B has a setter now too.
In the code, A = target, C = base.
Get is correct because it collects caching information before any calls.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Justin Michaud
Closing old bugs assigned to me
Justin Michaud
Closing old bugs assigned to me