Created attachment 317982 [details]
the patch

Comment on attachment 317982 [details]
the patch

r=me
Does polymorphic access also access scoped arguments for “length”?

(In reply to Saam Barati from comment #2)
> Comment on attachment 317982 [details]
> the patch
> 
> r=me
> Does polymorphic access also access scoped arguments for “length”?

Yeah.  Since that's not an indexed access, we don't have to do caging there.  We could do it, but then we'd be wagging the dog.

The objective here is to make indexed accesses never go outside of a cage.

Therefore, we but the object being accessed into a cage.

This does not mean that all non-indexed accesses to that object need caging.  I don't think that the upside of doing that would be worth the perf.

Landed in https://trac.webkit.org/changeset/220624/webkit

<rdar://problem/33864284>

(In reply to Filip Pizlo from comment #3)
> (In reply to Saam Barati from comment #2)
> > Comment on attachment 317982 [details]
> > the patch
> > 
> > r=me
> > Does polymorphic access also access scoped arguments for “length”?
> 
> Yeah.  Since that's not an indexed access, we don't have to do caging there.
> We could do it, but then we'd be wagging the dog.
> 
> The objective here is to make indexed accesses never go outside of a cage.
> 
> Therefore, we but the object being accessed into a cage.
> 
> This does not mean that all non-indexed accesses to that object need caging.
> I don't think that the upside of doing that would be worth the perf.

Makes sense. We had this conversation before in a different context, I just forgot :)