193423 – JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.

RESOLVED FIXED 193423

JSFunction::canUseAllocationProfile() should account for builtin functions with no own prototypes.

https://bugs.webkit.org/show_bug.cgi?id=193423

Summary JSFunction::canUseAllocationProfile() should account for builtin functions wi...

Mark Lam

Reported 2019-01-14 18:25:54 PST

<rdar://problem/46209355>

Attachments
proposed patch. (5.21 KB, patch) 2019-01-14 18:49 PST, Mark Lam	saam: review-	Details Formatted Diff Diff
proposed patch. (6.81 KB, patch) 2019-01-14 22:24 PST, Mark Lam	saam: review+	Details Formatted Diff Diff
patch for landing. (8.74 KB, patch) 2019-01-15 18:44 PST, Mark Lam	no flags	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Mark Lam

Comment 1 2019-01-14 18:49:03 PST

Created attachment 359116 [details] proposed patch.

Saam Barati

Comment 2 2019-01-14 18:50:40 PST

Comment on attachment 359116 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=359116&action=review > Source/JavaScriptCore/runtime/JSFunctionInlines.h:125 > + if (prototype.isCell()) { > + JSCell* cell = prototype.asCell(); > + if (cell->isGetterSetter() || cell->isCustomGetterSetter() || cell->isProxy()) > + return false; > + } Not a fan of this. Can you do the structure lookup along w/ and inspect the bits that say if this is a getter/setter?

Mark Lam

Comment 3 2019-01-14 22:24:17 PST

Created attachment 359137 [details] proposed patch.

Saam Barati

Comment 4 2019-01-15 12:19:54 PST

Comment on attachment 359137 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=359137&action=review r=me > Source/JavaScriptCore/ChangeLog:10 > + because the majority of them has no prototype property. The only exception to s/has/have > Source/JavaScriptCore/runtime/JSFunctionInlines.h:120 > + if (!prototype || (attributes & PropertyAttribute::AccessorOrCustomAccessorOrValue)) Can we add a test case for this? Like define a getter as the prototype of a random builtin function.

Mark Lam

Comment 5 2019-01-15 18:44:10 PST

Created attachment 359239 [details] patch for landing. Thanks for the review.

Mark Lam

Comment 6 2019-01-16 10:12:02 PST

Landed in r240040: <http://trac.webkit.org/r240040>.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Mark Lam

Reported

2019-01-14 18:25 PST

Modified

2019-01-16 10:12 PST History

CC List

9 users Show

URL

Keywords InRadar

Depends on

Blocks