RESOLVED FIXED 185968
Enforce invariant that GetterSetter objects are immutable.
https://bugs.webkit.org/show_bug.cgi?id=185968
Mark Lam
Reported 2018-05-24 17:52:10 PDT
Patch coming.
Attachments
proposed patch. (24.68 KB, patch)
2018-05-24 17:55 PDT, Mark Lam
saam: review+
patch for landing. (25.19 KB, patch)
2018-05-25 13:07 PDT, Mark Lam
no flags
Radar WebKit Bug Importer
Comment 1 2018-05-24 17:52:50 PDT
Mark Lam
Comment 2 2018-05-24 17:55:43 PDT
Created attachment 341237 [details] proposed patch.
Mark Lam
Comment 3 2018-05-24 19:13:50 PDT
Comment on attachment 341237 [details] proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=341237&action=review

> Source/JavaScriptCore/ChangeLog:3
> + Enforce invariant that GetterSetter objects are invariant.

This should say that GetterSetters are immutable, not “invariant”.
Saam Barati
Comment 4 2018-05-24 21:23:58 PDT
Comment on attachment 341237 [details] proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=341237&action=review

r=me

>> Source/JavaScriptCore/ChangeLog:3
>> + Enforce invariant that GetterSetter objects are invariant.
>
> This should say that GetterSetters are immutable, not “invariant”.

Is there a test or some explanation here of what's going on?

> Source/JavaScriptCore/runtime/JSObject.cpp:3582
> + RETURN_IF_EXCEPTION(scope, false);

Why can this throw?
Mark Lam
Comment 5 2018-05-25 12:05:43 PDT
Comment on attachment 341237 [details] proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=341237&action=review

>>> Source/JavaScriptCore/ChangeLog:3
>>> + Enforce invariant that GetterSetter objects are invariant.
>>
>> This should say that GetterSetters are immutable, not “invariant”.
>
> Is there a test or some explanation here of what's going on?

I'll add some commentary here:

"The code already assumes the invariant that GetterSetter objects are immutable. For example, the use of @tryGetById in builtins expects this invariant to be true. The existing code mostly enforces this except for one case: JSObject's validateAndApplyPropertyDescriptor, where it will re-use the same GetterSetter object. This patch enforces this invariant by removing the setGetter and setSetter methods of GetterSetter, and requiring the getter/setter callback functions to be specified at construction time."

>> Source/JavaScriptCore/runtime/JSObject.cpp:3582
>> + RETURN_IF_EXCEPTION(scope, false);
>
> Why can this throw?

I carried this over from LLIntSlowPath's slow_path_put_getter_setter_by_id, and was thinking OOM at the time. After thinking about it some more, I believe this is not needed. I'll remove it (along with the LLIntSlowPath exception check) and retest.
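
The invariant described in comment 5, as an added illustration that is not taken from the patch or from JavaScriptCore: a simplified model in which an accessor pair is fixed at construction and a redefinition allocates a new pair, so a consumer that remembered the old pair can detect the change by pointer comparison. `Callback`, `AccessorSlot`, `redefineAccessor` and `CachedLookup` are hypothetical names; only `GetterSetter` comes from the page.

```cpp
#include <memory>
#include <string>
// Simplified model (assumption): a "callback" is a plain function pointer.
using Callback = std::string (*)();

// Both halves are fixed at construction; no setGetter()/setSetter() exist.
class GetterSetter {
public:
    GetterSetter(Callback getter, Callback setter) : m_getter(getter), m_setter(setter) {}
    Callback getter() const { return m_getter; }
    Callback setter() const { return m_setter; }
private:
    const Callback m_getter;
    const Callback m_setter;
};

// Hypothetical property slot holding the current accessor pair.
struct AccessorSlot { std::shared_ptr<const GetterSetter> pair; };

// Redefining one half (pass nullptr to keep the other) allocates a new pair
// instead of mutating the one other code may still reference.
void redefineAccessor(AccessorSlot& slot, Callback getter, Callback setter) {
    slot.pair = std::make_shared<const GetterSetter>(
        getter ? getter : slot.pair->getter(),
        setter ? setter : slot.pair->setter());
}

// Hypothetical consumer that remembers a pair and the getter it read from it.
struct CachedLookup {
    std::shared_ptr<const GetterSetter> seen;
    Callback getter;
    explicit CachedLookup(const AccessorSlot& s) : seen(s.pair), getter(s.pair->getter()) {}
    // A pointer comparison is a sound validity check only because pairs never change.
    bool stillValid(const AccessorSlot& s) const { return s.pair == seen; }
    std::string call(const AccessorSlot& s) {
        if (!stillValid(s)) { seen = s.pair; getter = seen->getter(); }
        return getter();
    }
};

std::string oldGetter() { return "old"; }
std::string newGetter() { return "new"; }
std::string setterStub() { return "set"; }
int main() {
    AccessorSlot slot{std::make_shared<const GetterSetter>(oldGetter, setterStub)};
    CachedLookup cache(slot);
    redefineAccessor(slot, newGetter, nullptr);
    return cache.call(slot) == "new" ? 0 : 1;
}
```

If the pair could be mutated in place, `stillValid` would keep returning true after a redefinition and the consumer would go on calling the getter it had remembered.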
Mark Lam
Comment 6 2018-05-25 13:07:08 PDT
Created attachment 341314 [details] patch for landing.
WebKit Commit Bot
Comment 7 2018-05-25 16:18:21 PDT
Comment on attachment 341314 [details] patch for landing.

Clearing flags on attachment: 341314

Committed r232211: <https://trac.webkit.org/changeset/232211>
WebKit Commit Bot
Comment 8 2018-05-25 16:18:22 PDT
All reviewed patches have been landed. Closing bug.
mitz
Comment 9 2018-05-27 19:51:26 PDT
(In reply to WebKit Commit Bot from comment #7)
> Comment on attachment 341314 [details]
> patch for landing.
>
> Clearing flags on attachment: 341314
>
> Committed r232211: <https://trac.webkit.org/changeset/232211>

This broke the 32-bit !ASSERT_DISABLED build. I attempted to fix it in <https://trac.webkit.org/r232231>.