RESOLVED FIXED 159398
[test262] Fixing mapped arguments object property test case
https://bugs.webkit.org/show_bug.cgi?id=159398
Summary [test262] Fixing mapped arguments object property test case
Attachments
Patch (1.91 KB, patch)
2016-07-04 20:04 PDT, Caio Lima
no flags
Archive of layout-test-results from ews103 for mac-yosemite (812.13 KB, application/zip)
2016-07-04 20:51 PDT, Build Bot
no flags
Archive of layout-test-results from ews104 for mac-yosemite-wk2 (781.22 KB, application/zip)
2016-07-04 20:55 PDT, Build Bot
no flags
Archive of layout-test-results from ews114 for mac-yosemite (1.41 MB, application/zip)
2016-07-04 21:01 PDT, Build Bot
no flags
Archive of layout-test-results from ews126 for ios-simulator-wk2 (626.91 KB, application/zip)
2016-07-04 21:02 PDT, Build Bot
no flags
Patch (3.56 KB, patch)
2016-07-10 02:20 PDT, Caio Lima
no flags
Patch (37.58 KB, patch)
2016-07-13 02:49 PDT, Caio Lima
no flags
Archive of layout-test-results from ews101 for mac-yosemite (930.03 KB, application/zip)
2016-07-13 03:37 PDT, Build Bot
no flags
Archive of layout-test-results from ews107 for mac-yosemite-wk2 (952.25 KB, application/zip)
2016-07-13 03:39 PDT, Build Bot
no flags
Archive of layout-test-results from ews122 for ios-simulator-wk2 (632.84 KB, application/zip)
2016-07-13 03:58 PDT, Build Bot
no flags
Patch (37.66 KB, patch)
2016-07-15 00:02 PDT, Caio Lima
no flags
Patch (9.01 KB, patch)
2016-07-15 09:48 PDT, Caio Lima
no flags
Patch (11.71 KB, patch)
2016-07-31 21:35 PDT, Caio Lima
no flags
Archive of layout-test-results from ews105 for mac-yosemite-wk2 (871.79 KB, application/zip)
2016-07-31 22:18 PDT, Build Bot
no flags
Archive of layout-test-results from ews100 for mac-yosemite (798.77 KB, application/zip)
2016-07-31 22:23 PDT, Build Bot
no flags
Archive of layout-test-results from ews117 for mac-yosemite (1.43 MB, application/zip)
2016-07-31 22:32 PDT, Build Bot
no flags
Archive of layout-test-results from ews126 for ios-simulator-wk2 (655.84 KB, application/zip)
2016-07-31 22:33 PDT, Build Bot
no flags
Patch (11.74 KB, patch)
2016-07-31 22:43 PDT, Caio Lima
no flags
WIP Fixing arguments aliasing (21.77 KB, patch)
2016-09-27 09:28 PDT, Caio Lima
buildbot: commit-queue-
Archive of layout-test-results from ews113 for mac-yosemite (1.12 MB, application/zip)
2016-09-27 10:34 PDT, Build Bot
no flags
Archive of layout-test-results from ews103 for mac-yosemite (1.34 MB, application/zip)
2016-09-27 10:37 PDT, Build Bot
no flags
Archive of layout-test-results from ews122 for ios-simulator-elcapitan-wk2 (897.48 KB, application/zip)
2016-09-27 10:46 PDT, Build Bot
no flags
Archive of layout-test-results from ews107 for mac-yosemite-wk2 (1.21 MB, application/zip)
2016-09-27 10:53 PDT, Build Bot
no flags
Patch for landing (23.54 KB, patch)
2016-09-29 22:33 PDT, Caio Lima
buildbot: commit-queue-
Archive of layout-test-results from ews115 for mac-yosemite (1.14 MB, application/zip)
2016-09-29 23:41 PDT, Build Bot
no flags
Archive of layout-test-results from ews103 for mac-yosemite (1.23 MB, application/zip)
2016-09-29 23:44 PDT, Build Bot
no flags
Archive of layout-test-results from ews122 for ios-simulator-elcapitan-wk2 (896.35 KB, application/zip)
2016-09-29 23:51 PDT, Build Bot
no flags
Archive of layout-test-results from ews107 for mac-yosemite-wk2 (1.58 MB, application/zip)
2016-09-30 04:37 PDT, Build Bot
no flags
Patch for landing (22.96 KB, patch)
2016-09-30 09:54 PDT, Caio Lima
buildbot: commit-queue-
Archive of layout-test-results from ews113 for mac-yosemite (1.88 MB, application/zip)
2016-09-30 11:03 PDT, Build Bot
no flags
Patch (23.44 KB, patch)
2016-09-30 23:55 PDT, Caio Lima
no flags
Patch (23.17 KB, patch)
2016-10-04 01:48 PDT, Caio Lima
no flags
Patch (25.69 KB, patch)
2016-10-09 14:38 PDT, Caio Lima
no flags
Patch (31.44 KB, patch)
2016-10-18 01:44 PDT, Caio Lima
no flags
Patch (31.38 KB, patch)
2016-11-06 11:37 PST, Caio Lima
no flags
Patch (48.15 KB, patch)
2016-11-29 15:32 PST, Caio Lima
no flags
Patch (62.34 KB, patch)
2016-12-19 19:14 PST, Caio Lima
no flags
Patch (48.34 KB, patch)
2016-12-20 09:46 PST, Caio Lima
no flags
Patch (48.83 KB, patch)
2016-12-24 12:51 PST, Caio Lima
no flags
Caio Lima
Comment 1 2016-07-04 20:04:57 PDT
Build Bot
Comment 2 2016-07-04 20:51:56 PDT
Comment on attachment 282740 [details] Patch Attachment 282740 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/1627648 New failing tests: js/mozilla/strict/10.6.html
Build Bot
Comment 3 2016-07-04 20:51:59 PDT
Created attachment 282742 [details] Archive of layout-test-results from ews103 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews103 Port: mac-yosemite Platform: Mac OS X 10.10.5
Build Bot
Comment 4 2016-07-04 20:54:57 PDT
Comment on attachment 282740 [details] Patch Attachment 282740 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/1627651 New failing tests: js/mozilla/strict/10.6.html
Build Bot
Comment 5 2016-07-04 20:55:00 PDT
Created attachment 282743 [details] Archive of layout-test-results from ews104 for mac-yosemite-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews104 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5
Build Bot
Comment 6 2016-07-04 21:00:59 PDT
Comment on attachment 282740 [details] Patch Attachment 282740 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/1627652 New failing tests: js/mozilla/strict/10.6.html
Build Bot
Comment 7 2016-07-04 21:01:02 PDT
Created attachment 282744 [details] Archive of layout-test-results from ews114 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews114 Port: mac-yosemite Platform: Mac OS X 10.10.5
Build Bot
Comment 8 2016-07-04 21:01:58 PDT
Comment on attachment 282740 [details] Patch Attachment 282740 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/1627653 New failing tests: js/mozilla/strict/10.6.html
Build Bot
Comment 9 2016-07-04 21:02:01 PDT
Created attachment 282745 [details] Archive of layout-test-results from ews126 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews126 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.4
Caio Lima
Comment 10 2016-07-10 02:20:19 PDT
Caio Lima
Comment 11 2016-07-10 13:50:24 PDT
Comment on attachment 283286 [details] Patch Problem not solved.
Benjamin Poulain
Comment 12 2016-07-10 14:52:21 PDT
Can you please also extend the tests to cover what you fix? Every patch should have as much test coverage as possible. Until Keith import test262 into WebKit, we have to write new tests.
Caio Lima
Comment 13 2016-07-10 14:54:17 PDT
(In reply to comment #12) > Can you please also extend the tests to cover what you fix? > > Every patch should have as much test coverage as possible. Until Keith > import test262 into WebKit, we have to write new tests. Sure. I talked to him 1 hour ago about that.
Caio Lima
Comment 14 2016-07-13 02:49:06 PDT
Build Bot
Comment 15 2016-07-13 03:37:08 PDT
Comment on attachment 283499 [details] Patch Attachment 283499 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/1673498 New failing tests: js/arguments.html js/mozilla/strict/10.6.html
Build Bot
Comment 16 2016-07-13 03:37:13 PDT
Created attachment 283504 [details] Archive of layout-test-results from ews101 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews101 Port: mac-yosemite Platform: Mac OS X 10.10.5
Build Bot
Comment 17 2016-07-13 03:39:30 PDT
Comment on attachment 283499 [details] Patch Attachment 283499 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/1673502 New failing tests: js/arguments.html js/mozilla/strict/10.6.html
Build Bot
Comment 18 2016-07-13 03:39:35 PDT
Created attachment 283505 [details] Archive of layout-test-results from ews107 for mac-yosemite-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews107 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5
Build Bot
Comment 19 2016-07-13 03:58:36 PDT
Comment on attachment 283499 [details] Patch Attachment 283499 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/1673530 New failing tests: js/arguments.html js/function-dot-arguments.html js/mozilla/strict/10.6.html
Build Bot
Comment 20 2016-07-13 03:58:40 PDT
Created attachment 283509 [details] Archive of layout-test-results from ews122 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews122 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.5
Caio Lima
Comment 21 2016-07-15 00:02:11 PDT
Csaba Osztrogonác
Comment 22 2016-07-15 06:17:33 PDT
Comment on attachment 283742 [details] Patch https://trac.webkit.org/changeset/203270 added the whole test262, please update your patch accordingly: - remove tests from the patch - update expectations in Source/JavaScriptCore/tests/test262.yaml - don't add test262.yaml to Tools/Scripts/run-javascriptcore-tests, we don't run these tests by default note: with the fix I proposed in bug159810, all test262 tests run as expected set in test262.yaml
Caio Lima
Comment 23 2016-07-15 09:48:33 PDT
Caio Lima
Comment 24 2016-07-26 10:43:42 PDT
(In reply to comment #23) > Created attachment 283766 [details] > Patch ping review
Geoffrey Garen
Comment 25 2016-07-26 11:47:32 PDT
Comment on attachment 283766 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=283766&action=review It looks like you've invented a way for the arguments object to override an indexed property by storing a value in its JSObject storage. The arguments object already had a different way to indicate that an indexed property had been overridden: the "overrideArgument" mechanism. Did you consider using the overrideArgument mechanism? What's better about this new mechanism? That's a good thing to explain in your ChangeLog. I suspect that it might be better to use the overrideArgument mechanism, or to augment it for this purpose. > Source/JavaScriptCore/ChangeLog:9 > + mapped arguments object with non-configurable and no-writable property non-writable > Source/JavaScriptCore/ChangeLog:10 > + cases. Also it is fixing cases where arguments[i] cannot be deleted fixes > Source/JavaScriptCore/ChangeLog:11 > + when argument "i" is not configurable. The test cases added are from from the > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:222 > + object->putDirectMayBeIndex(exec, ident, value); > + > + return Base::defineOwnProperty(object, exec, ident, descriptor, shouldThrow); This looks wrong. You're assigning the property twice -- first by putDirectMayBeIndex and second by defineOwnProperty. Also, you don't seem to invoke the "overrideArgument" mechanism, which is what we usually use to indicate that something strange has happened to an indexed property.
Caio Lima
Comment 26 2016-07-26 23:35:05 PDT
Hey Geoffrey, thanks for the review. (In reply to comment #25) > Comment on attachment 283766 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=283766&action=review > > It looks like you've invented a way for the arguments object to override an > indexed property by storing a value in its JSObject storage. The arguments > object already had a different way to indicate that an indexed property had > been overridden: the "overrideArgument" mechanism. Did you consider using > the overrideArgument mechanism? What's better about this new mechanism? > That's a good thing to explain in your ChangeLog. > > I suspect that it might be better to use the overrideArgument mechanism, or > to augment it for this purpose. Actually I think arguments mapping quite confusing. I didn't see a way to use the current overrideArgument, because what I want is avoid the override in some cases. Check the following test262 test case https://raw.githubusercontent.com/tc39/test262/master/test/language/arguments-object/mapped/mapped-arguments-nonconfigurable-nonwritable-3.js The point is that before "Object.defineProperty(arguments, "0", {writable: false});" the arguments object is still aliased. It changed in ES6 comparing to ES5 (check the bug in specification https://bugs.ecmascript.org/show_bug.cgi?id=4371). In our current implementation, the arguments alias is overwritten even if writable isn't present. This way, I added comparison to check if writable is not present and if it isn't, don't override this property (which makes sense, since default writable is false). Also, I added a check in deletePropertyByIndex if non-configurable, because if it is "delete"shall throw an error in strict mode or false in non-strict mode. > > Source/JavaScriptCore/ChangeLog:9 > > + mapped arguments object with non-configurable and no-writable property > > non-writable > > > Source/JavaScriptCore/ChangeLog:10 > > + cases. Also it is fixing cases where arguments[i] cannot be deleted > > fixes > > > Source/JavaScriptCore/ChangeLog:11 > > + when argument "i" is not configurable. The test cases added are from > > from the > > > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:222 > > + object->putDirectMayBeIndex(exec, ident, value); > > + > > + return Base::defineOwnProperty(object, exec, ident, descriptor, shouldThrow); > > This looks wrong. You're assigning the property twice -- first by > putDirectMayBeIndex and second by defineOwnProperty. I agree with you that it looks ugly, however it happens without my Patch too. Check the return line of GenericArguments<Type>::defineOwnProperty and it calls defineOwnProperty after object->putDirectMayBeIndex(exec, ident, value). I need do this because of 2 reasons: 1. I need to update the property descriptor, mainly because it is used in GenericArguments<Type>::deletePropertyBy(Index/Id). As the descriptor maybe contains a new property, It is safe use defineOwnProperty IMHO; 2. If I don't set object->putDirectMayBeIndex(exec, ident, value) before defineOwnProperty it throws an error because of: ``` // 10.a.ii. If the [[Writable]] field of current is false, then // 10.a.ii.1. Reject, if the [[Value]] field of Desc is present and SameValue(Desc.[[Value]], current.[[Value]]) is false. if (descriptor.value() && !sameValue(exec, descriptor.value(), current.value())) ``` Is these things clear to you? Sorry for the confusion and miss explaining.
Geoffrey Garen
Comment 27 2016-07-27 13:36:45 PDT
Comment on attachment 283766 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=283766&action=review I think I understand the logic here now: It used to be that a property either aliased *or* lived in JSObject property storage with attributes. You're adding a new feature that allows a property to alias *and* live in JSObject property storage with attributes. In this state, somewhat confusingly, the value stored in JSObject property storage can be bogus because it is not observed. You should explain this in your ChangeLog. I think you missed a case where the new property descriptor is not an accessor, is writable, and is DontDelete. In that case, your code will return early without setting the DontDelete attribute. Is that right? Can you simplify the logic and duplicated code in GenericArguments<Type>::defineOwnProperty? The relevant cases inside canAccessIndexQuickly, as I understand them, are: (1) If the property is not an accessor and has either no attributes or only the writable:true attribute, set the value and return. Otherwise: (2) getIndexQuickly and putDirectMayBeIndex. (3) If the property has any attributes other than configurable:true or configurable:false, overrideArgument. (4) Fall through to the standard call to defineOwnProperty. > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:158 > + PropertySlot slot(thisObject, PropertySlot::InternalMethodType::GetOwnProperty); > + if (Base::getOwnPropertySlot(thisObject, exec, ident, slot)) { > + if (slot.attributes() & DontDelete) > + return false; > + } Let's make this a helper function: GenericArguments<T>::canDeleteProperty(PropertyName). > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:179 > + PropertySlot slot(thisObject, PropertySlot::InternalMethodType::GetOwnProperty); > + if (Base::getOwnPropertySlotByIndex(thisObject, exec, index, slot)) { > + if (slot.attributes() & DontDelete) > + return false; > + } Ditto.
Caio Lima
Comment 28 2016-07-31 19:08:33 PDT
(In reply to comment #27) > Comment on attachment 283766 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=283766&action=review > > I think I understand the logic here now: It used to be that a property > either aliased *or* lived in JSObject property storage with attributes. > You're adding a new feature that allows a property to alias *and* live in > JSObject property storage with attributes. In this state, somewhat > confusingly, the value stored in JSObject property storage can be bogus > because it is not observed. You should explain this in your ChangeLog. Yes. My change is using the attributes just to check the attribute is DontDelete in deleteProperty*. One alternative is store configurable attribute in an auxiliary structure (such as m_overrides), however, IMHO, it doesn't look as intuitive as checking property attributes. > I think you missed a case where the new property descriptor is not an > accessor, is writable, and is DontDelete. In that case, your code will > return early without setting the DontDelete attribute. Is that right? You are right. Fixing this case. > Can you simplify the logic and duplicated code in > GenericArguments<Type>::defineOwnProperty? Yes. I agree that it can be better implemented. > The relevant cases inside canAccessIndexQuickly, as I understand them, are: > > (1) If the property is not an accessor and has either no attributes or only > the writable:true attribute, set the value and return. > > Otherwise: > > (2) getIndexQuickly and putDirectMayBeIndex. > > (3) If the property has any attributes other than configurable:true or > configurable:false, overrideArgument. > > (4) Fall through to the standard call to defineOwnProperty. > > > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:158 > > + PropertySlot slot(thisObject, PropertySlot::InternalMethodType::GetOwnProperty); > > + if (Base::getOwnPropertySlot(thisObject, exec, ident, slot)) { > > + if (slot.attributes() & DontDelete) > > + return false; > > + } > > Let's make this a helper function: > GenericArguments<T>::canDeleteProperty(PropertyName). > > > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:179 > > + PropertySlot slot(thisObject, PropertySlot::InternalMethodType::GetOwnProperty); > > + if (Base::getOwnPropertySlotByIndex(thisObject, exec, index, slot)) { > > + if (slot.attributes() & DontDelete) > > + return false; > > + } > > Ditto.
Caio Lima
Comment 29 2016-07-31 21:35:48 PDT
Darin Adler
Comment 30 2016-07-31 21:44:49 PDT
Comment on attachment 284980 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=284980&action=review > Source/JavaScriptCore/runtime/GenericArguments.h:59 > +private: > + WebKit coding style does not leave a blank line here. > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:165 > + if (!canDeletePropertyById(thisObject, exec, ident)) > + return false; This means looking up every property twice when deleting it, once to see if it can be deleted and then a second time to actually delete it. Is there any way to get the correct behavior without adding the double lookup?
Build Bot
Comment 31 2016-07-31 22:18:10 PDT
Comment on attachment 284980 [details] Patch Attachment 284980 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/1789062 New failing tests: js/arguments.html
Build Bot
Comment 32 2016-07-31 22:18:14 PDT
Created attachment 284981 [details] Archive of layout-test-results from ews105 for mac-yosemite-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews105 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5
Build Bot
Comment 33 2016-07-31 22:23:02 PDT
Comment on attachment 284980 [details] Patch Attachment 284980 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/1789084 New failing tests: js/arguments.html
Build Bot
Comment 34 2016-07-31 22:23:06 PDT
Created attachment 284982 [details] Archive of layout-test-results from ews100 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews100 Port: mac-yosemite Platform: Mac OS X 10.10.5
Build Bot
Comment 35 2016-07-31 22:32:55 PDT
Comment on attachment 284980 [details] Patch Attachment 284980 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/1789090 New failing tests: js/arguments.html
Build Bot
Comment 36 2016-07-31 22:32:59 PDT
Created attachment 284983 [details] Archive of layout-test-results from ews117 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews117 Port: mac-yosemite Platform: Mac OS X 10.10.5
Build Bot
Comment 37 2016-07-31 22:33:18 PDT
Comment on attachment 284980 [details] Patch Attachment 284980 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/1789087 New failing tests: js/arguments.html
Build Bot
Comment 38 2016-07-31 22:33:23 PDT
Created attachment 284984 [details] Archive of layout-test-results from ews126 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews126 Port: ios-simulator-wk2 Platform: Mac OS X 10.11.5
Caio Lima
Comment 39 2016-07-31 22:42:16 PDT
(In reply to comment #30) > Comment on attachment 284980 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=284980&action=review > > > Source/JavaScriptCore/runtime/GenericArguments.h:59 > > +private: > > + > > WebKit coding style does not leave a blank line here. > > > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:165 > > + if (!canDeletePropertyById(thisObject, exec, ident)) > > + return false; > > This means looking up every property twice when deleting it, once to see if > it can be deleted and then a second time to actually delete it. Is there any > way to get the correct behavior without adding the double lookup? I can't see an clear way to do that, but I am totally open to discuss about a viable solution =). As I commented above, the lookup is necessary because I want to avoid create a new auxiliar data structure to store if the argument[i] is configurable. Since these properties can be sparse, this data structure need to be dynamic such as m_overrides. IMHO the complexity of this kind of optimization isn't worth enough when comparing with readability.
Caio Lima
Comment 40 2016-07-31 22:43:38 PDT
Caio Lima
Comment 41 2016-08-13 15:22:28 PDT
Ping Review
Saam Barati
Comment 42 2016-09-24 16:28:41 PDT
Comment on attachment 284985 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=284985&action=review > Source/JavaScriptCore/ChangeLog:11 > + property cases. Also it is fixing cases where arguments[i] > + cannot be deleted when argument "i" is not configurable. Shouldn't being non-configurable mean you can't be deleted? > Source/JavaScriptCore/ChangeLog:14 > + aliased xor stored in a JSObject with attributes. This patch changes what does it mean to be aliased in this situation? > Source/JavaScriptCore/ChangeLog:18 > + attribute is true. It is important realize that when the attribute is Really? I thought it can't be deleted if configurable is false. That's how normal objects work, anyways. > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:145 > + PropertySlot slot(thisObject, PropertySlot::InternalMethodType::GetOwnProperty); Seems like this should be ::VMInquiry. ::GetOwnProperty is allowed to do arbitrary side effects. > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:179 > + PropertySlot slot(thisObject, PropertySlot::InternalMethodType::GetOwnProperty); Ditto. > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:228 > + if (descriptor.writable() && descriptor.configurable()) Please change the above comment to reflect the new behavior. > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:238 > + if ((descriptor.writablePresent() && !descriptor.writable()) || descriptor.isAccessorDescriptor()) Why do we care about it being non-writable? I thought for deleting a property, we care about it being configurable?
Caio Lima
Comment 43 2016-09-25 23:40:38 PDT
Comment on attachment 284985 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=284985&action=review >> Source/JavaScriptCore/ChangeLog:11 >> + cannot be deleted when argument "i" is not configurable. > > Shouldn't being non-configurable mean you can't be deleted? Yes. The current behavior is not following this rule. >> Source/JavaScriptCore/ChangeLog:14 >> + aliased xor stored in a JSObject with attributes. This patch changes > > what does it mean to be aliased in this situation? Aliased I mean that for example: ``` ((a) => { print(a); // prints 2 print(arguments[0]); prints 2 a = 3; print(a); // prints 3 print(arguments[0]); // prints 3 because it is aliased with a })(2); >> Source/JavaScriptCore/ChangeLog:18 >> + attribute is true. It is important realize that when the attribute is > > Really? I thought it can't be deleted if configurable is false. That's how normal objects work, anyways. I think I was not very clear in this ChangeLog. What I am trying to say is that when {configurable: false}, the member can't be deleted. In the current behavior it is not true and when arguments object isn't aliases with parameters, delete operations succeed, which is against specification. >> Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:145 >> + PropertySlot slot(thisObject, PropertySlot::InternalMethodType::GetOwnProperty); > > Seems like this should be ::VMInquiry. ::GetOwnProperty is allowed to do arbitrary side effects. I am going to change it now. Also, as Darin Adler commented above, it is also not optimized. >> Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:238 >> + if ((descriptor.writablePresent() && !descriptor.writable()) || descriptor.isAccessorDescriptor()) > > Why do we care about it being non-writable? I thought for deleting a property, we care about it being configurable? This logic here is not related with {configurable}. In this current Patch, the configurable case is checked on lines 192 - 180. Here we are controlling the aliasing of "arguments" object. Checking the specification (http://www.ecma-international.org/ecma-262/7.0/index.html#sec-createunmappedargumentsobject), all indexed elements from arguments are "writable: true", which means that they are aliased by default. To stop the aliasing, "descriptor.writable" need to be present and false.
Caio Lima
Comment 44 2016-09-27 09:28:50 PDT
Created attachment 289955 [details] WIP Fixing arguments aliasing That is the new approach I am taking. It is still failing in a bunch of tests and I think it is GC related. I am going to figure out what is the problem. Running EWS to check failed tests.
WebKit Commit Bot
Comment 45 2016-09-27 09:30:39 PDT
Attachment 289955 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/runtime/DirectArguments.cpp:172: An else statement can be removed when the prior "if" concludes with a return, break, continue or goto statement. [readability/control_flow] [4] ERROR: Source/JavaScriptCore/runtime/DirectArguments.h:115: The parameter name "vm" adds no information, so it should be removed. [readability/parameter_name] [5] ERROR: Source/JavaScriptCore/runtime/DirectArguments.h:116: The parameter name "vm" adds no information, so it should be removed. [readability/parameter_name] [5] ERROR: Source/JavaScriptCore/runtime/DirectArguments.h:117: The parameter name "vm" adds no information, so it should be removed. [readability/parameter_name] [5] ERROR: Source/JavaScriptCore/runtime/DirectArguments.h:118: The parameter name "vm" adds no information, so it should be removed. [readability/parameter_name] [5] ERROR: Source/JavaScriptCore/runtime/ScopedArguments.cpp:38: Should be indented on a separate line, with the colon or comma first on that line. [whitespace/indent] [4] ERROR: Source/JavaScriptCore/runtime/ScopedArguments.cpp:183: An else statement can be removed when the prior "if" concludes with a return, break, continue or goto statement. [readability/control_flow] [4] ERROR: Source/JavaScriptCore/runtime/ScopedArguments.h:118: The parameter name "vm" adds no information, so it should be removed. [readability/parameter_name] [5] ERROR: Source/JavaScriptCore/runtime/ScopedArguments.h:119: The parameter name "vm" adds no information, so it should be removed. [readability/parameter_name] [5] ERROR: Source/JavaScriptCore/runtime/ScopedArguments.h:120: The parameter name "vm" adds no information, so it should be removed. [readability/parameter_name] [5] ERROR: Source/JavaScriptCore/runtime/ScopedArguments.h:121: The parameter name "vm" adds no information, so it should be removed. [readability/parameter_name] [5] Total errors found: 11 in 9 files If any of these errors are false positives, please file a bug against check-webkit-style.
Build Bot
Comment 46 2016-09-27 10:34:41 PDT
Comment on attachment 289955 [details] WIP Fixing arguments aliasing Attachment 289955 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/2155460 Number of test failures exceeded the failure limit.
Build Bot
Comment 47 2016-09-27 10:34:46 PDT
Created attachment 289969 [details] Archive of layout-test-results from ews113 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews113 Port: mac-yosemite Platform: Mac OS X 10.10.5
Build Bot
Comment 48 2016-09-27 10:37:21 PDT
Comment on attachment 289955 [details] WIP Fixing arguments aliasing Attachment 289955 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/2155506 Number of test failures exceeded the failure limit.
Build Bot
Comment 49 2016-09-27 10:37:25 PDT
Created attachment 289970 [details] Archive of layout-test-results from ews103 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews103 Port: mac-yosemite Platform: Mac OS X 10.10.5
Build Bot
Comment 50 2016-09-27 10:46:17 PDT
Comment on attachment 289955 [details] WIP Fixing arguments aliasing Attachment 289955 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/2155477 Number of test failures exceeded the failure limit.
Build Bot
Comment 51 2016-09-27 10:46:22 PDT
Created attachment 289975 [details] Archive of layout-test-results from ews122 for ios-simulator-elcapitan-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews122 Port: ios-simulator-elcapitan-wk2 Platform: Mac OS X 10.11.6
Build Bot
Comment 52 2016-09-27 10:53:16 PDT
Comment on attachment 289955 [details] WIP Fixing arguments aliasing Attachment 289955 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/2155581 Number of test failures exceeded the failure limit.
Build Bot
Comment 53 2016-09-27 10:53:21 PDT
Created attachment 289979 [details] Archive of layout-test-results from ews107 for mac-yosemite-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews107 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5
Caio Lima
Comment 54 2016-09-29 22:33:11 PDT
Created attachment 290296 [details] Patch for landing In this version I am avoiding use GetPropertyDescriptor because of performance. Also, I changed the ChangeLog and the comments.
Build Bot
Comment 55 2016-09-29 23:40:55 PDT
Comment on attachment 290296 [details] Patch for landing Attachment 290296 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/2173059 Number of test failures exceeded the failure limit.
Build Bot
Comment 56 2016-09-29 23:41:02 PDT
Created attachment 290303 [details] Archive of layout-test-results from ews115 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews115 Port: mac-yosemite Platform: Mac OS X 10.10.5
Build Bot
Comment 57 2016-09-29 23:43:53 PDT
Comment on attachment 290296 [details] Patch for landing Attachment 290296 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/2173091 Number of test failures exceeded the failure limit.
Build Bot
Comment 58 2016-09-29 23:44:00 PDT
Created attachment 290305 [details] Archive of layout-test-results from ews103 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews103 Port: mac-yosemite Platform: Mac OS X 10.10.5
Build Bot
Comment 59 2016-09-29 23:51:40 PDT
Comment on attachment 290296 [details] Patch for landing Attachment 290296 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/2173063 Number of test failures exceeded the failure limit.
Build Bot
Comment 60 2016-09-29 23:51:47 PDT
Created attachment 290306 [details] Archive of layout-test-results from ews122 for ios-simulator-elcapitan-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews122 Port: ios-simulator-elcapitan-wk2 Platform: Mac OS X 10.11.6
Build Bot
Comment 61 2016-09-30 04:37:44 PDT
Comment on attachment 290296 [details] Patch for landing Attachment 290296 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/2174474 Number of test failures exceeded the failure limit.
Build Bot
Comment 62 2016-09-30 04:37:49 PDT
Created attachment 290326 [details] Archive of layout-test-results from ews107 for mac-yosemite-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews107 Port: mac-yosemite-wk2 Platform: Mac OS X 10.10.5
Caio Lima
Comment 63 2016-09-30 09:54:49 PDT
Created attachment 290344 [details] Patch for landing I changed some files but accident. Now I hope it is going to pass on all tests.
Build Bot
Comment 64 2016-09-30 11:02:53 PDT
Comment on attachment 290344 [details] Patch for landing Attachment 290344 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/2176317 New failing tests: ietestcenter/Javascript/11.4.1-4.a-11.html js/preventExtensions.html sputnik/Conformance/10_Execution_Contexts/10.1_Definitions/10.1.8_Arguments_Object/S10.1.8_A3_T3.html sputnik/Conformance/10_Execution_Contexts/10.1_Definitions/10.1.8_Arguments_Object/S10.1.8_A5_T3.html
Build Bot
Comment 65 2016-09-30 11:03:00 PDT
Created attachment 290350 [details] Archive of layout-test-results from ews113 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews113 Port: mac-yosemite Platform: Mac OS X 10.10.5
Caio Lima
Comment 66 2016-09-30 23:55:31 PDT
Created attachment 290429 [details] Patch Fixing index on GenericArguments<DirectArguments>::deleteProperty.
WebKit Commit Bot
Comment 67 2016-10-03 09:24:50 PDT
Attachment 290429 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:243: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3] Total errors found: 1 in 12 files If any of these errors are false positives, please file a bug against check-webkit-style.
Saam Barati
Comment 68 2016-10-03 15:45:32 PDT
Comment on attachment 290429 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=290429&action=review > Source/JavaScriptCore/runtime/DirectArguments.h:117 > + void initConfigurableMap(VM&); > + void initConfigurableMapIfNecessary(VM&); > + void setConfigurable(VM&, unsigned index, bool value); > + bool isConfigurable(VM&, unsigned index); Why not make these functions on GenericArguments since this is defined the same way inside both? > Source/JavaScriptCore/runtime/DirectArguments.h:157 > + AuxiliaryBarrier<bool*> m_configurableMap; Ditto here, why not make this a field inside GenericArguments? > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:226 > + please revert. > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:243 > + ; if (thisObject->canAccessIndexQuickly(i + offset)) Please revert > Source/JavaScriptCore/runtime/ScopedArguments.cpp:182 > + initConfigurableMapIfNecessary(vm); Is this necessary? Can't you just do if (!m_configurableMap) return true; ? > Source/JavaScriptCore/runtime/ScopedArguments.h:152 > + AuxiliaryBarrier<bool*> m_configurableMap; Please move this field below the m_totalLength field for better alignment. (Or move it to GenericAruments as commented above)
Caio Lima
Comment 69 2016-10-04 01:48:15 PDT
Saam Barati
Comment 70 2016-10-09 01:08:30 PDT
Comment on attachment 290583 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=290583&action=review > Source/JavaScriptCore/ChangeLog:11 > + property. Also it is fixing cases where arguments[i] > + cannot be deleted when argument "i" is {configurable: false}. I think you mean you're making it so that arguments[i] can't be deleted, correct? I would maybe write "fixing cases where" => "ensuring that" > Source/JavaScriptCore/ChangeLog:13 > + The current implementation is against to the specification for 2 reasons: I would say "previous" instead of "current" if you're referring to the behavior that is ToT now and what will be the old behavior as your patch lands. > Source/JavaScriptCore/ChangeLog:18 > + It means that we just stop aliasing an property index already > + defined if its property descriptor contains writable and its value I'm confused by what you mean here. > Source/JavaScriptCore/ChangeLog:22 > + 2. When a property is overriden it is always returning true. However I would say "delete" instead of "it" > Source/JavaScriptCore/runtime/DirectArguments.cpp:90 > + size_t configurablesSize = thisObject->m_configurableMap ? thisObject->m_length : 0; Please make this * sizeof(bool). I would also argue that the overridesSize variable above should do the same. I'm not a fan of the style assuming what sizeof(bool) is. > Source/JavaScriptCore/runtime/GenericArguments.h:66 > + static bool canDeletePropertyById(Type*, ExecState*, PropertyName); > + static bool canDeletePropertyByIndex(Type*, ExecState*, unsigned); These aren't implemented anywhere. Please delete. > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:212 > + thisObject->setConfigurable(vm, index, descriptor.configurable()); We're guaranteed that it's already configurable before we call this? It seems like maybe we should bail out somewhere if the property is already non-configurable. If i had to guess, maybe this program exhibits the bug: function foo(x) { Object.defineProperty(arguments, 0, {configurable:false, writable:true, value:20}); Object.defineProperty(arguments, 0, {configurable:true, writable:true, value:50}); // Does this succeed? } foo("foo") > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:214 > + // Just overrride arguments (i.e finish aliasing) if its descriptor contains {writable: false}. What do you mean by "finish aliasing" here? > JSTests/microbenchmarks/super-getter.js:1 > +class B { Please remove this file.
Caio Lima
Comment 71 2016-10-09 12:11:39 PDT
Comment on attachment 290583 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=290583&action=review >> Source/JavaScriptCore/ChangeLog:11 >> + cannot be deleted when argument "i" is {configurable: false}. > > I think you mean you're making it so that arguments[i] can't be deleted, correct? I would maybe write "fixing cases where" => "ensuring that" OK. >> Source/JavaScriptCore/ChangeLog:13 >> + The current implementation is against to the specification for 2 reasons: > > I would say "previous" instead of "current" if you're referring to the behavior that is ToT now and what will be the old behavior as your patch lands. Ok. >> Source/JavaScriptCore/runtime/DirectArguments.cpp:90 >> + size_t configurablesSize = thisObject->m_configurableMap ? thisObject->m_length : 0; > > Please make this * sizeof(bool). I would also argue that the overridesSize variable above should do the same. I'm not a fan of the style assuming what sizeof(bool) is. Agreed. >> Source/JavaScriptCore/runtime/GenericArguments.h:66 >> + static bool canDeletePropertyByIndex(Type*, ExecState*, unsigned); > > These aren't implemented anywhere. Please delete. Nice catch. Sorry. >> Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:212 >> + thisObject->setConfigurable(vm, index, descriptor.configurable()); > > We're guaranteed that it's already configurable before we call this? It seems like maybe we should bail out somewhere if the property is already non-configurable. > If i had to guess, maybe this program exhibits the bug: > function foo(x) { > Object.defineProperty(arguments, 0, {configurable:false, writable:true, value:20}); > Object.defineProperty(arguments, 0, {configurable:true, writable:true, value:50}); // Does this succeed? > } > foo("foo") My guess is that ```Object.defineProperty(arguments, 0, {configurable:true, writable:true, value:50});``` throws TypeError, since we call ```Base::defineOwnProperty``` afterwards. However, I suspect that ```Object.defineProperty(arguments, 0, {configurable:true, writable:true, get: () => {return 50}});``` works and should throw a TypeError instead. >> Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:214 >> + // Just overrride arguments (i.e finish aliasing) if its descriptor contains {writable: false}. > > What do you mean by "finish aliasing" here? I mean stop mapping. I am changing aliasing from all places that I put it. >> JSTests/microbenchmarks/super-getter.js:1 >> +class B { > > Please remove this file. Sorry...
Caio Lima
Comment 72 2016-10-09 14:38:45 PDT
Saam Barati
Comment 73 2016-10-11 20:52:53 PDT
Comment on attachment 291051 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=291051&action=review > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:194 > + if (optionalIndex && !thisObject->isConfigurable(optionalIndex.value()) && !descriptor.justWritablePresent()) I'm not sure this is correct here. I think you want to be following: https://tc39.github.io/ecma262/#sec-validateandapplypropertydescriptor more or less here, with some extra rules defined in: https://tc39.github.io/ecma262/#sec-arguments-exotic-objects-defineownproperty-p-desc It looks like the code below falls back to normal object storage. Why not just fall back to normal object storage in every case instead of creating the isConfigurable map? > JSTests/stress/arguments-non-configurable.js:27 > +function tryChangeWritableOfNonConfigurableDescriptor(x) { > + Object.defineProperty(arguments, 0, {configurable: false}); > + Object.defineProperty(arguments, 0, {writable: true}); > + Object.defineProperty(arguments, 0, {writable: false}); > +} This is the specified behavior? This goes against normal object behavior: >>> Object.defineProperty(o, "f", {configurable: false, value: 20}) [object Object] >>> o.f 20 >>> o.f = 40 40 >>> o.f 20 >>> Object.defineProperty(o, "f", {writable: true, value:50}) Exception: TypeError: Attempting to change writable attribute of unconfigurable property.
Caio Lima
Comment 74 2016-10-12 10:58:29 PDT
(In reply to comment #73) > Comment on attachment 291051 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=291051&action=review > > > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:194 > > + if (optionalIndex && !thisObject->isConfigurable(optionalIndex.value()) && !descriptor.justWritablePresent()) > > I'm not sure this is correct here. I think you want to be following: > https://tc39.github.io/ecma262/#sec-validateandapplypropertydescriptor > more or less here, with some extra rules defined in: > https://tc39.github.io/ecma262/#sec-arguments-exotic-objects- > defineownproperty-p-desc Yes. Actually, this patch is totally incorrect. I can reuse some code, but I need a totally different approach. The current Mapping is controlled by m_overrides. I think that finally I understood this mechanism. The idea is to override things as soon as we define a different descriptor from default and fallback operations like defineOwnProperty, getOwnProperty and delete to Base. The problem of this approach is that the ES6 mapping rules changed and this mechanism need to be fixed. I am with a new idea in mind that is separate fallBack operations to Base from mapping rules and I think it can work. > It looks like the code below falls back to normal object storage. Why not > just fall back to normal object storage in every case instead of creatina > the isConfigurable map? > > > JSTests/stress/arguments-non-configurable.js:27 > > +function tryChangeWritableOfNonConfigurableDescriptor(x) { > > + Object.defineProperty(arguments, 0, {configurable: false}); > > + Object.defineProperty(arguments, 0, {writable: true}); > > + Object.defineProperty(arguments, 0, {writable: false}); > > +} > > This is the specified behavior? This goes against normal object behavior: > > >>> Object.defineProperty(o, "f", {configurable: false, value: 20}) > [object Object] > >>> o.f > 20 > >>> o.f = 40 > 40 > >>> o.f > 20 > >>> Object.defineProperty(o, "f", {writable: true, value:50}) > Exception: TypeError: Attempting to change writable attribute of > unconfigurable property. Also, this test case Is incorrect and I am going to remove it. I already created a test case validating spec behavior (https://tc39.github.io/ecma262/#sec-arguments-exotic-objects-defineownproperty-p-desc).
Caio Lima
Comment 75 2016-10-18 01:44:42 PDT
Caio Lima
Comment 76 2016-11-06 11:37:09 PST
Saam Barati
Comment 77 2016-11-06 14:43:03 PST
Comment on attachment 294029 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=294029&action=review > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:62 > + if (index && thisObject->canAccessIndexQuickly(index.value())) Why can we ever access an index quickly if we've modified an argument at that index? This seems weird to me. > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:232 > + // property from arguments object are {writable: true, configurable: true, enumerable: true} by default What if we modify configurable/enumuerable? Should we also stop mapping in such a scenario? I'm confused why we have two vectors: modified/overrides. Can you explain why we need two of them?
Caio Lima
Comment 78 2016-11-06 15:10:39 PST
Comment on attachment 294029 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=294029&action=review >> Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:62 >> + if (index && thisObject->canAccessIndexQuickly(index.value())) > > Why can we ever access an index quickly if we've modified an argument at that index? This seems weird to me. I tried to explain it on ChangeLog. In this new implementation, canAccessIndexQuickly actually returns if the index is still mapped. When it happens, we need to return property slot with value of "thisObject->getIndexQuickly(index.value())" and with Base::getOwnPropertySlot value. Dos it make sense? I have 2 things in mind to make it clear: 1. Change canAccessIndexQuickly to isIndexMapped; 2. Explain it with a comment; >> Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:232 >> + // property from arguments object are {writable: true, configurable: true, enumerable: true} by default > > What if we modify configurable/enumuerable? Should we also stop mapping in such a scenario? > I'm confused why we have two vectors: modified/overrides. Can you explain why we need two of them? I also tried to explain it on ChangeLog. I am going to try make it more clear. The point is that the old implementation is using overrides to keep track if the index is still mapped and also if its property descriptor was changed in some way. The problem of this approach is that Mapping rules aren't related with property descriptor changes and we need different mechanism to keep track of them, since a property can still be mapped, even its descriptor has changed. In other words, we stop mapping as soon as a property descriptor is changed, however there are some cases that this mapping should continue happening (e.g. when we change configurable or enumerable to false, for example). One test case that is keeping track of this behavior is JSTests/stress/arguments-bizarre-behaviour-disable-enumerability.js.
Saam Barati
Comment 79 2016-11-06 15:18:11 PST
So if we change enumerable/configurable, we still keep arguments aliased? Only changing writable makes it not aliased? However, if you do change eneumerable/configurable, you still store to JSObject's property mechanism just to keep a record of the descriptor? Am I understanding this correctly?
Caio Lima
Comment 80 2016-11-06 15:30:51 PST
(In reply to comment #79) > So if we change enumerable/configurable, we still keep arguments aliased? Yes. > Only changing writable makes it not aliased? No. It also happens if you use non Data Descriptor (i.e. descriptor contains accessor) > However, if you do change > eneumerable/configurable, you still store to JSObject's property mechanism > just to keep a record of the descriptor? Am I understanding this correctly? Yes. We use JSObject's to consult its descriptor. When the index is mapped, we need to get the value from mapping mechanism (now it is stored on m_overrides). To understand the correct behavior I used these test cases: https://github.com/tc39/test262/tree/master/test/language/arguments-object/mapped Also, https://tc39.github.io/ecma262/#sec-arguments-exotic-objects-defineownproperty-p-desc is presenting when the should stop mapping. Here https://tc39.github.io/ecma262/#sec-arguments-exotic-objects-getownproperty-p we can check steps 5. and 6, that the desc.[[Value]] is updated from mapping when it is being mapped. Does it make more sense now?
Saam Barati
Comment 81 2016-11-21 12:10:50 PST
Comment on attachment 294029 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=294029&action=review patch LGTM. Just a couple comments. Also, I think the names "modified" and "overrides" are somewhat confusing. I want us to try to pick a better name to indicate that they mean. - Overrides => argument is mapped/unmapped - Modified => the descriptor is now changed, however, the argument may or may not be mapped > Source/JavaScriptCore/runtime/DirectArguments.cpp:106 > + if (thisObject->m_modifiedArguments) > + visitor.markAuxiliary(thisObject->m_modifiedArguments.get()); This should be done in the GenericArguments visitChildren method since GenericArguments owns that field. You may need to write a visitCHildren for GenericArguments. > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:226 > + if (optionalIndex && thisObject->canAccessIndexQuickly(optionalIndex.value())) { Nit: You can move this branch into the above `if (optionalIndex)` statement and drop the "optionalIndex" part. > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:239 > + thisObject->overrideArgument(vm, index); We don't need to set modified here too? > Source/JavaScriptCore/runtime/PropertyDescriptor.h:82 > + please revert > Source/JavaScriptCore/runtime/ScopedArguments.cpp:116 > + if (thisObject->m_modifiedArguments) > + visitor.markAuxiliary(thisObject->m_modifiedArguments.get()); Ditto for this visitChildren
Caio Lima
Comment 82 2016-11-29 15:32:08 PST
Caio Lima
Comment 83 2016-12-19 19:14:32 PST
Saam Barati
Comment 84 2016-12-19 23:26:35 PST
Comment on attachment 297500 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=297500&action=review Nice. r=me with comments addressed. > Source/JavaScriptCore/ChangeLog:29 > + to store wich arguments[i] descriptor was changed from its default Typo: wich => which > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:70 > + bool result = Base::getOwnPropertySlot(thisObject, exec, ident, slot); Is this just to get the attributes? > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:234 > + if (thisObject->isMappedArgument(optionalIndex.value())) { Nit: you can just use index since it's defined above. > Source/JavaScriptCore/runtime/GenericArgumentsInlines.h.orig:1 > +/* Oops. Please remove file.
Caio Lima
Comment 85 2016-12-20 09:24:58 PST
Comment on attachment 297500 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=297500&action=review >> Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:70 >> + bool result = Base::getOwnPropertySlot(thisObject, exec, ident, slot); > > Is this just to get the attributes? Yes! Do you think that there is another way to get them? >> Source/JavaScriptCore/runtime/GenericArgumentsInlines.h:234 >> + if (thisObject->isMappedArgument(optionalIndex.value())) { > > Nit: you can just use index since it's defined above. Nice catch. Thx!
Caio Lima
Comment 86 2016-12-20 09:46:10 PST
Caio Lima
Comment 87 2016-12-20 09:48:40 PST
(In reply to comment #86) > Created attachment 297526 [details] > Patch Patch for landing. Changed code according review.
Caio Lima
Comment 88 2016-12-24 12:51:51 PST
WebKit Commit Bot
Comment 89 2016-12-24 13:27:08 PST
Comment on attachment 297747 [details] Patch Clearing flags on attachment: 297747 Committed r210146: <http://trac.webkit.org/changeset/210146>
WebKit Commit Bot
Comment 90 2016-12-24 13:27:19 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.