RESOLVED FIXED 165401
GetByID IC is wrongly unwrapping the global proxy this value for getter/setters. 
https://bugs.webkit.org/show_bug.cgi?id=165401
Summary GetByID IC is wrongly unwrapping the global proxy this value for getter/setters.
Mark Lam
Reported 2016-12-05 12:36:53 PST
Here's the test case: function test(x) { x.__proto__ } for (var i = 0; i < 10000; i++) test(this); As soon as test is JIT compiled and the GetById IC gets optimized, we'll get an exception: TypeError: Object.prototype.__proto__ called on null or undefined This should never be the case because x (in the test above) is never null or undefined.
Attachments
proposed patch. (49.51 KB, patch)
2016-12-05 19:51 PST, Mark Lam 		no flags
DetailsFormatted DiffDiff
patch for EWS testing. Not ready for review. (5.06 KB, patch)
2016-12-06 14:56 PST, Mark Lam 		no flags
DetailsFormatted DiffDiff
proposed patch. (6.61 KB, patch)
2016-12-06 17:01 PST, Mark Lam 		saam: review+
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2016-12-05 19:51:42 PST
Created attachment 296250 [details] proposed patch.
Mark Lam
Comment 2 2016-12-05 19:52:59 PST
<rdar://problem/29442665>
Mark Lam
Comment 3 2016-12-05 19:58:29 PST
<rdar://problem/29442665> is the wrong bug.
Mark Lam
Comment 4 2016-12-06 14:56:24 PST
Created attachment 296327 [details] patch for EWS testing. Not ready for review. I'm temporarily using RELEASE_ASSERTs instead of ASSERTs because I'm testing with a release build locally. Will replace with ASSERTs when I'm done. I am expecting one of these asserts to fail though, thereby indicating another latent bug ... but will see if I'm right. Will fix if needed.
Mark Lam
Comment 5 2016-12-06 17:01:04 PST
Created attachment 296353 [details] proposed patch. Ready for a review.
Saam Barati
Comment 6 2016-12-06 17:30:54 PST
Comment on attachment 296353 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=296353&action=review r=me > Source/JavaScriptCore/ChangeLog:8 > + Getters/setters are expecting the unwrapped global proxy object. This is Don't you mean wrapped, not unwrapped?
Saam Barati
Comment 7 2016-12-06 17:32:23 PST
(In reply to comment #6) > Comment on attachment 296353 [details] > proposed patch. > > View in context: > https://bugs.webkit.org/attachment.cgi?id=296353&action=review > > r=me > > > Source/JavaScriptCore/ChangeLog:8 > > + Getters/setters are expecting the unwrapped global proxy object. This is > > Don't you mean wrapped, not unwrapped? Maybe this terminology is weird. I'd just say, they're expecting a JSProxy, not a JSGlobalObject.
Mark Lam
Comment 8 2016-12-06 17:32:35 PST
Comment on attachment 296353 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=296353&action=review >> Source/JavaScriptCore/ChangeLog:8 >> + Getters/setters are expecting the unwrapped global proxy object. This is > > Don't you mean wrapped, not unwrapped? Oops, that should be "wrapped". Thanks for catching this.
Mark Lam
Comment 9 2016-12-06 19:01:40 PST
(In reply to comment #8) > Comment on attachment 296353 [details] > proposed patch. > > View in context: > https://bugs.webkit.org/attachment.cgi?id=296353&action=review > > >> Source/JavaScriptCore/ChangeLog:8 > >> + Getters/setters are expecting the unwrapped global proxy object. This is > > > > Don't you mean wrapped, not unwrapped? > > Oops, that should be "wrapped". Thanks for catching this. Agreed. I'll change that blob of text to say: "When the this value for a property access is the JS global and that property access is via a GetterSetter, the underlying getter / setter functions would expect the this value they receive to be the JSProxy instance instead of the JSGlobalObject. This is consistent with how the LLINT and runtime code behaves. The IC code should behave the same way."
Mark Lam
Comment 10 2016-12-06 19:13:22 PST
Thanks for the review. Landed in r209442: <http://trac.webkit.org/r209442>.
Note You need to log in before you can comment on or make changes to this bug.