[webkit-changes] [WebKit/WebKit] 1b0741: [JSC] putByValWithThis shouldn't bypass defineProp...
Commit Queue
noreply at github.com
Mon Jul 31 11:01:36 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 1b0741f400ee2d31931ae30f2ddebe66e8fb0945
https://github.com/WebKit/WebKit/commit/1b0741f400ee2d31931ae30f2ddebe66e8fb0945
Author: Alexey Shvayka <ashvayka at apple.com>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
A JSTests/stress/define-property-on-receiver-jsfunction-prototype-no-crash.js
Log Message:
-----------
[JSC] putByValWithThis shouldn't bypass definePropertyOnReceiverSlow
https://bugs.webkit.org/show_bug.cgi?id=257164
<rdar://108759737>
Reviewed by Yusuke Suzuki.
The OrdinarySet revamp in https://webkit.org/b/217916 assumed that there are only 2 cases to take the slow path
for altered receivers: overridden [[Set]] in prototype chain and Reflect.set(). I thought that it's unobservable
to take the fast path otherwise since overridden methods were already called.
However, the third case was missed: put_by_val_with_this bytecode op, which is emitted for setting a property
on `super` base, and with https://webkit.org/b/252602, for ProxyObjectStore IC when the trap is missing.
Among other minor web compatibility bugs, missing that case caused properties to be put right on ProxyObject's
structure, where they are inaccessible, skipping calls to "set" and "defineProperty" traps.
This change relaxes the condition for taking the definePropertyOnReceiverSlow() while ensuring all common
[[Set]] targets like JSArray or `class X extends Y {}` are just as fast.
* JSTests/stress/define-property-on-receiver-jsfunction-prototype-no-crash.js: Added.
* Source/JavaScriptCore/runtime/JSObject.cpp:
(JSC::canDefinePropertyOnReceiverFast):
(JSC::JSObject::definePropertyOnReceiver):
Originally-landed-as: 259548.774 at safari-7615-branch (23e9761b5751). rdar://108759737
Canonical link: https://commits.webkit.org/266439@main
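The following is an added example, not code from the WebKit commit or its test: it exercises the three [[Set]] paths the commit message discusses (a `super[key] = value` store whose `this` is a Proxy, an ordinary store on a Proxy without a "set" trap, and `Reflect.set()` with a Proxy receiver) and records which traps OrdinarySet must invoke on the receiver. The handler, target object and keys are constructed here. In a spec-conforming engine (or JSC with this fix) each store reaches the receiver's "getOwnPropertyDescriptor" and "defineProperty" traps and the property lands on the Proxy's target, which is the observable behaviour the commit says was being skipped.

```javascript
"use strict";

// Run the three store paths through a Proxy receiver and return what happened.
function runOrdinarySetThroughProxy() {
  const log = [];
  const target = {};
  const proxy = new Proxy(target, {
    // OrdinarySet step: existingDescriptor = Receiver.[[GetOwnProperty]](P)
    getOwnPropertyDescriptor(t, key) {
      log.push(`getOwnPropertyDescriptor:${String(key)}`);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
    // OrdinarySet step: CreateDataProperty(Receiver, P, V) when the receiver
    // has no own property yet, which calls Receiver.[[DefineOwnProperty]]
    defineProperty(t, key, desc) {
      log.push(`defineProperty:${String(key)}`);
      return Reflect.defineProperty(t, key, desc);
    },
    // Deliberately no "set" trap: proxy.[[Set]] then forwards to
    // target.[[Set]](key, value, proxy), i.e. the "missing trap" case.
  });

  class Base {}
  class Derived extends Base {
    storeViaSuper(key, value) {
      // Emits put_by_val_with_this: Base.prototype.[[Set]](key, value, this)
      super[key] = value;
    }
  }

  // Case 1: super store with the Proxy as `this` (altered receiver).
  Derived.prototype.storeViaSuper.call(proxy, "a", 1);

  // Case 2: plain store on a Proxy that has no "set" trap.
  proxy.b = 2;

  // Case 3: Reflect.set with an altered receiver (the already-handled case).
  Reflect.set({}, "c", 3, proxy);

  return {
    log,
    // Properties must end up on the target, not hidden on the Proxy itself.
    target: { ...target },
    viaProxy: { a: proxy.a, b: proxy.b, c: proxy.c },
  };
}

console.log(JSON.stringify(runOrdinarySetThroughProxy(), null, 2));
```

If an engine returns a `log` missing the `defineProperty:*` entries, or a `target` without the stored keys while the Proxy still appears to hold them, it is taking the fast path on an altered receiver, which is exactly the condition this change tightens.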