Bug 208337

Summary: Fix semantic bugs in put inline caching
Product: WebKit Reporter: Justin Michaud <justin_michaud>
Component: JavaScriptCoreAssignee: Justin Michaud <justin_michaud>
Status: RESOLVED CONFIGURATION CHANGED    
Severity: Normal    
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 208261    
Bug Blocks:    

Description Justin Michaud 2020-02-27 13:32:11 PST 
Put inline caching is semantically incorrect in some cases with poly proto. See https://bugs.webkit.org/show_bug.cgi?id=208261. 
We sometimes continue to cache a setter, even though it has changed the prototype chain. Additional cases to consider are puts 
involving prototype chains that have static property accessors. This is exposed as a result of 206430 since DefineOwnProperty 
used to transition to uncacheable dictionary.

        A - setter for x defines a new setter for x on B
        |
        B
        |
        C

        We set (new C).x

        We first call the setter, then try to figure out what the state of things
        were before it was called. We see that A's setter still exists, so we cache it
        without ever checking that B has a setter now too.

        In the code, A = target, C = base.

Get is correct because it collects caching information before any calls.
Comment 1 Justin Michaud 2024-04-08 13:37:16 PDT 
Closing old bugs assigned to me
Comment 2 Justin Michaud 2024-04-08 13:37:36 PDT 
Closing old bugs assigned to me