Bug 225397

Summary: [JSC] Don't use JSScope instances as `this` value when calling functions
Product: WebKit Reporter: Alexey Shvayka <ashvayka>
Component: JavaScriptCoreAssignee: Alexey Shvayka <ashvayka>
Status: REOPENED    
Severity: Normal CC: ahmad.saleem792, alecflett, annulen, ap, beidson, bfulgham, calvaris, cdumez, changseok, commit-queue, com.webkit.iidmsa, eric.carlson, esprehn+autocc, ews-watchlist, fpizlo, glenn, gyuyoung.kim, hi, jer.noble, joepeck, jsbell, keith_miller, kondapallykalyan, mark.lam, msaboff, philipj, rniwa, ryuan.choi, saam, sergio, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
Bug Depends on: 276788, 281214    
Bug Blocks:    
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch
none
Patch
none
Patch
ews-feeder: commit-queue-
Patch
none
Patch
ews-feeder: commit-queue-
Patch fpizlo: review+

Alexey Shvayka
Reported 2021-05-05 10:19:32 PDT
[JSC] Abolish using resolved scope as |this| value when calling functions
Attachments
Patch (116.73 KB, patch)
2021-05-05 10:24 PDT, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Patch (117.02 KB, patch)
2021-05-05 11:29 PDT, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Patch (131.56 KB, patch)
2021-05-05 20:00 PDT, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Patch (137.12 KB, patch)
2021-05-24 11:38 PDT, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Patch (143.35 KB, patch)
2021-05-24 21:42 PDT, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Patch (144.66 KB, patch)
2021-05-27 05:07 PDT, Alexey Shvayka 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (156.95 KB, patch)
2021-05-27 06:11 PDT, Alexey Shvayka 		no flags
DetailsFormatted DiffDiff
Patch (164.50 KB, patch)
2021-05-27 23:10 PDT, Alexey Shvayka 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (164.71 KB, patch)
2021-05-27 23:45 PDT, Alexey Shvayka 		fpizlo: review+
DetailsFormatted DiffDiff
Show Obsolete (8) View All Add attachment proposed patch, testcase, etc.
Alexey Shvayka
Comment 1 2021-05-05 10:24:04 PDT
Created attachment 427777 [details] Patch
Alexey Shvayka
Comment 2 2021-05-05 11:29:48 PDT
Created attachment 427784 [details] Patch Add missing prediction for GetThisValueForCall and call operationToObject with JSValueRegs.
Alexey Shvayka
Comment 3 2021-05-05 20:00:21 PDT
Created attachment 427844 [details] Patch Call getters / setters with JSProxy as |this| value, fix SpeculativeJIT::compileGetThisValueForCall(), fix EvalFunctionCallNode, fix 32-bit builds, remove JSObject::isEnvironment().
Radar WebKit Bug Importer
Comment 4 2021-05-12 10:20:22 PDT
<rdar://problem/77915872>
Alexey Shvayka
Comment 5 2021-05-24 11:38:03 PDT
Created attachment 429549 [details] Patch Remove loadVariable() from 32-bit to_this LLInt op to fix segfaults, rebase on top of r277830, and adjust some LayoutTests.
Alexey Shvayka
Comment 6 2021-05-24 21:42:45 PDT
Created attachment 429630 [details] Patch Remove incorrect exception check after toGlobalThis(), fix JSErrorHandler to pass JSProxy as |this| value, and adjust more LayoutTests.
Alexey Shvayka
Comment 7 2021-05-27 05:07:08 PDT
Created attachment 429869 [details] Patch Adjust flaky test, tweak JS API avoid any behavior change (+ add coverage), and fix multiple cases of WebCore using raw GlobalObject as |this| value for [[Call]] (+ add ASSERTs for that).
Alexey Shvayka
Comment 8 2021-05-27 06:11:37 PDT
Created attachment 429873 [details] Patch Fix build and rename JSScope::receiverForScope() to JSObject::toPublicThisValue().
Alexey Shvayka
Comment 9 2021-05-27 23:10:20 PDT
Created attachment 429991 [details] Patch Test [PutForwards] WebIDL attribute on global interface, turn JSObject::toPublicThisValue() into a function to fix --debug buil, and utilize it to fix plugins & SparseArrayEntry::put() (+ improve coverage).
Alexey Shvayka
Comment 10 2021-05-27 23:45:53 PDT
Created attachment 429993 [details] Patch Rebase patch and use std::nullopt to fix the build.
Filip Pizlo
Comment 11 2021-06-10 11:08:40 PDT
Comment on attachment 429993 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=429993&action=review > Source/JavaScriptCore/ChangeLog:8 > + Reviewed by NOBODY (OOPS!). > + > + * API/APICallbackFunction.h: Can you write some stuff about what you did? > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:13497 > + addSlowPathGenerator(slowPathCall(slowCases, this, operationToObject, valueGPR, TrustedImmPtr::weakPointer(m_graph, globalObject), valueRegs, TrustedImmPtr(nullptr))); What are some example programs where the slow path would be taken? > Source/JavaScriptCore/jit/JITOpcodes.cpp:2097 > +void JIT::emit_op_get_this_value_for_call(const Instruction* currentInstruction) > +{ > + auto bytecode = currentInstruction->as<OpGetThisValueForCall>(); > +#if USE(JSVALUE64) > + JSValueRegs valueRegs(regT0); > +#else > + JSValueRegs valueRegs(regT1, regT0); > +#endif > + emitGetVirtualRegister(bytecode.m_scope, valueRegs); > + > + Jump isWithScope = branchIfNotType(valueRegs.payloadGPR(), JSTypeRange { FirstJSScopeType, LastJSScopeType }); > + moveTrustedValue(jsUndefined(), valueRegs); > + isWithScope.link(this); > + > + emitPutVirtualRegister(bytecode.m_dst, valueRegs); > +} I really like this.
Alexey Shvayka
Comment 12 2021-06-10 11:40:48 PDT
(In reply to Filip Pizlo from comment #11) > Comment on attachment 429993 [details] > Patch Thank you for reviewing so quickly, Filip! And sorry for missing ChangeLog. > > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:13497 > > + addSlowPathGenerator(slowPathCall(slowCases, this, operationToObject, valueGPR, TrustedImmPtr::weakPointer(m_graph, globalObject), valueRegs, TrustedImmPtr(nullptr))); > > What are some example programs where the slow path would be taken? Sloppy mode functions called with |this| value of a primitive string/number/boolean/bigint, which requires allocation: `(function() { return this; }.call(42);`.
Ahmad Saleem
Comment 13 2022-09-03 06:22:59 PDT
I checked and it seems this r+ patch didn't landed yet and also this FIXME is still present: https://github.com/WebKit/WebKit/blob/6bb75cf119f4cf3c077ec234af476fb575b28509/Source/WebCore/bindings/js/JSDOMOperation.h#L38 Is something pending or this is no longer required? Thanks!
Alexey Shvayka
Comment 14 2024-07-31 19:18:05 PDT
Pull request: https://github.com/WebKit/WebKit/pull/31572
EWS
Comment 15 2024-10-09 15:26:47 PDT
Committed 284931@main (ee167b8fe4fd): <https://commits.webkit.org/284931@main> Reviewed commits have been landed. Closing PR #31572 and removing active labels.
Fujii Hironori
Comment 16 2024-10-09 18:39:58 PDT
Re-opening for pull request https://github.com/WebKit/WebKit/pull/34946
EWS
Comment 18 2024-10-09 18:42:28 PDT
Test gardening commit 284940@main (b692c5aeee32): <https://commits.webkit.org/284940@main> Reviewed commits have been landed. Closing PR #34946 and removing active labels.
WebKit Commit Bot
Comment 19 2024-10-10 03:35:17 PDT
Re-opened since this is blocked by bug 281214
Fady Farag
Comment 20 2024-10-10 06:36:34 PDT
*** Bug 281193 has been marked as a duplicate of this bug. ***
Alexey Shvayka
Comment 21 2024-10-21 10:48:53 PDT
Pull request: https://github.com/WebKit/WebKit/pull/35527
Note You need to log in before you can comment on or make changes to this bug.