| Summary: | [JSC] JSPropertyNameEnumerator should not have cached prototype chain since empty JSPropertyNameEnumerator is shared | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Yusuke Suzuki <ysuzuki> | ||||||||||||||
| Component: | New Bugs | Assignee: | Yusuke Suzuki <ysuzuki> | ||||||||||||||
| Status: | RESOLVED FIXED | ||||||||||||||||
| Severity: | Normal | CC: | c.jaentsch, eduard.comanici, ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer | ||||||||||||||
| Priority: | P2 | Keywords: | InRadar | ||||||||||||||
| Version: | WebKit Nightly Build | ||||||||||||||||
| Hardware: | Unspecified | ||||||||||||||||
| OS: | Unspecified | ||||||||||||||||
| Bug Depends on: | |||||||||||||||||
| Bug Blocks: | 231419 | ||||||||||||||||
| Attachments: |
|
||||||||||||||||
|
Description
Yusuke Suzuki
2021-10-04 17:58:14 PDT
Created attachment 440132 [details]
Patch
WIP
Created attachment 440140 [details]
Patch
WIP
Created attachment 440141 [details]
Patch
WIP
Created attachment 440142 [details]
Patch
WIP
Created attachment 440145 [details]
Patch
Created attachment 440147 [details]
Patch
Comment on attachment 440147 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=440147&action=review r=me with some nits > Source/JavaScriptCore/ChangeLog:11 > + invariant was broken since we now have shared empty JSPropertyNameEnumerator, which can Nit: shared empty => shared empty sentinel. Might be a bit clearer. > Source/JavaScriptCore/ChangeLog:27 > + While reviewing the code, we also found that watchpoint-based validation didn't care PolyProto. Nit: care => care about? > Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h:107 > + // JSPropertyNameEnumerator is immutable data structure, which allows VM to cache empty one. Typo: cache empty one => cache the empty one. > Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h:131 > + if (!(enumeratorAndFlag & StructureRareData::cachedPropertyNameEnumeratorIsValidatedViaTraversingFlag)) Nit: Maybe use OptionSet I personally prefer that but we use this idiom everywhere so idc too much. Comment on attachment 440147 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=440147&action=review Thanks! >> Source/JavaScriptCore/ChangeLog:11 >> + invariant was broken since we now have shared empty JSPropertyNameEnumerator, which can > > Nit: shared empty => shared empty sentinel. Might be a bit clearer. Fixed. >> Source/JavaScriptCore/ChangeLog:27 >> + While reviewing the code, we also found that watchpoint-based validation didn't care PolyProto. > > Nit: care => care about? Fixed. >> Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h:107 >> + // JSPropertyNameEnumerator is immutable data structure, which allows VM to cache empty one. > > Typo: cache empty one => cache the empty one. Fixed. >> Source/JavaScriptCore/runtime/JSPropertyNameEnumerator.h:131 >> + if (!(enumeratorAndFlag & StructureRareData::cachedPropertyNameEnumeratorIsValidatedViaTraversingFlag)) > > Nit: Maybe use OptionSet I personally prefer that but we use this idiom everywhere so idc too much. Because this is uintptr_t including enumerator pointer itself, we cannot use OptionSet. Committed r283556 (242521@main): <https://commits.webkit.org/242521@main> *** Bug 231419 has been marked as a duplicate of this bug. *** *** Bug 231572 has been marked as a duplicate of this bug. *** |