Bug 208337 - Fix semantic bugs in put inline caching
Summary: Fix semantic bugs in put inline caching
Status: RESOLVED CONFIGURATION CHANGED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Justin Michaud
URL:
Keywords:
Depends on: 208261
Blocks:
  Show dependency treegraph
 
Reported: 2020-02-27 13:32 PST by Justin Michaud
Modified: 2024-04-08 13:37 PDT (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Justin Michaud 2020-02-27 13:32:11 PST 
Put inline caching is semantically incorrect in some cases with poly proto. See https://bugs.webkit.org/show_bug.cgi?id=208261. 
We sometimes continue to cache a setter, even though it has changed the prototype chain. Additional cases to consider are puts 
involving prototype chains that have static property accessors. This is exposed as a result of 206430 since DefineOwnProperty 
used to transition to uncacheable dictionary.

        A - setter for x defines a new setter for x on B
        |
        B
        |
        C

        We set (new C).x

        We first call the setter, then try to figure out what the state of things
        were before it was called. We see that A's setter still exists, so we cache it
        without ever checking that B has a setter now too.

        In the code, A = target, C = base.

Get is correct because it collects caching information before any calls.
Comment 1 Justin Michaud 2024-04-08 13:37:16 PDT 
Closing old bugs assigned to me
Comment 2 Justin Michaud 2024-04-08 13:37:36 PDT 
Closing old bugs assigned to me