Bug 215769

Summary: __proto__ in object literal should perform [[SetPrototypeOf]] directly
Product: WebKit Reporter: Alexey Shvayka <ashvayka>
Component: JavaScriptCoreAssignee: Alexey Shvayka <ashvayka>
Status: RESOLVED FIXED    
Severity: Trivial CC: ews-watchlist, keith_miller, mark.lam, msaboff, ross.kirsling, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar, WebExposed
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
See Also: https://bugs.webkit.org/show_bug.cgi?id=215760
Bug Depends on: 142382    
Bug Blocks:    
Attachments:
Description Flags
Patch
none
Patch none

Alexey Shvayka
Reported 2020-08-24 08:17:35 PDT
Test case: `delete Object.prototype.__proto__; Object.getPrototypeOf({__proto__: null})` Expected: `null` Actual: `Object.prototype` ECMA-262: https://tc39.es/ecma262/#sec-__proto__-property-names-in-object-initializers (step 7.a.i)
Attachments
Patch (40.44 KB, patch)
2020-08-25 15:49 PDT, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Patch (39.50 KB, patch)
2020-08-26 18:46 PDT, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Alexey Shvayka
Comment 1 2020-08-25 15:49:44 PDT
Created attachment 407244 [details] Patch
Alexey Shvayka
Comment 2 2020-08-25 15:50:16 PDT
(In reply to Alexey Shvayka from comment #1) > Created attachment 407244 [details] > Patch Warmed-up runs, --outer 50: r265669 patch object-literal-underscore-proto-setter 96.5690+-0.8588 ^ 77.5015+-0.3901 ^ definitely 1.2460x faster
Ross Kirsling
Comment 3 2020-08-25 17:23:30 PDT
Comment on attachment 407244 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=407244&action=review Seems good overall, but is there a test262 case? > Source/JavaScriptCore/ChangeLog:19 > + Tweaks globalFuncSetPrototypeDirect() to ignore a prototype value of incorrect type, > + which is unobservable for its usages in ClassExprNode::emitBytecode(). Also, removes unused Does this tweak help with an existing case or is it just removing a restriction that no longer matters? > Source/JavaScriptCore/parser/Nodes.h:769 > - class PropertyListNode final : public ExpressionNode { > + class PropertyListNode final : public ExpressionNode, public ThrowableExpressionData { Is this demanded by the emitPutConstantProperty change somehow?
Alexey Shvayka
Comment 4 2020-08-26 03:59:32 PDT
(In reply to Ross Kirsling from comment #3) > Seems good overall, but is there a test262 case? Thank you for taking a look! I am adding the test in https://github.com/tc39/test262/pull/2747, yet the patch is fully covered by LayoutTests/js/script-tests/object-literal-direct-put.js update (ToT fails it). > Does this tweak help with an existing case or is it just removing a restriction that no longer matters? It is necessary for this change, as it implements the type check at step 7.a of https://tc39.es/ecma262/#sec-__proto__-property-names-in-object-initializers. I will make sure to clarify the ChangeLog, "tweak" is rather misleading. > Is this demanded by the emitPutConstantProperty change somehow? Yes, it is required to get divot*(), which is needed for OpCall in emitDirectSetPrototypeOf(), even though it never throws.
Ross Kirsling
Comment 5 2020-08-26 14:36:27 PDT
Comment on attachment 407244 [details] Patch Cool, r=me given those points of clarification.
Alexey Shvayka
Comment 6 2020-08-26 18:46:23 PDT
Created attachment 407365 [details] Patch Clarify ChangeLog, assert that globalFuncSetPrototypeDirect() doesn't throw, and don't extend ThrowableExpressionData.
EWS
Comment 7 2020-08-27 17:27:26 PDT
Committed r266264: <https://trac.webkit.org/changeset/266264> All reviewed patches have been landed. Closing bug and clearing flags on attachment 407365 [details].
Radar WebKit Bug Importer
Comment 8 2020-08-27 17:28:16 PDT
<rdar://problem/67907341>
Note You need to log in before you can comment on or make changes to this bug.