[webkit-changes] [WebKit/WebKit] 39476b: [JSC] definePropertyOnReceiver() doesn't account f...

Commit Queue noreply at github.com
Mon May 1 14:51:38 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 39476b8c83f0ac6c9a06582e4d8e5aef0bb0a88f
      https://github.com/WebKit/WebKit/commit/39476b8c83f0ac6c9a06582e4d8e5aef0bb0a88f
  Author: Alexey Shvayka <ashvayka at apple.com>
  Date:   2023-05-01 (Mon, 01 May 2023)

  Changed paths:
    A JSTests/stress/define-property-on-receiver-slow-proxy-set-missing-trap.js
    A JSTests/stress/define-property-on-receiver-slow-super-set-property-2.js
    A JSTests/stress/define-property-on-receiver-slow-super-set-property.js
    M JSTests/stress/ordinary-set-exceptions.js
    M Source/JavaScriptCore/runtime/JSObject.cpp

  Log Message:
  -----------
  [JSC] definePropertyOnReceiver() doesn't account for put_by_val_with_this bytecode op
https://bugs.webkit.org/show_bug.cgi?id=256172
<rdar://problem/108750872>

Reviewed by Yusuke Suzuki.

The OrdinarySet revamp in https://webkit.org/b/217916 assumed that there are only 2 cases to take the slow path
for altered receivers: overridden [[Set]] in prototype chain and Reflect.set(). I thought that it's unobservable
to take the fast path otherwise since overridden methods were already called.

However, the third case was missed: put_by_val_with_this bytecode op, which is emitted for setting a property
on `super` base, and with https://webkit.org/b/252602, for ProxyObjectStore IC when the trap is missing.

Among other minor web compatibility bugs, missing that case caused properties to be put right on ProxyObject's
structure, where they are unaccessible, skipping calls to "set" and "defineProperty" traps.

This change relaxes the condition for taking the definePropertyOnReceiverSlow() while ensuring all common
[[Set]] targets like JSArray or `class X extends Y {}` are just as fast.

Regresses the Speedometer2/Flight-TodoMVC by 12-16%, which was recently falsely progressed only as a result
of skipping observable puts that other engines do perform.

* JSTests/stress/define-property-on-receiver-slow-proxy-set-missing-trap.js: Added.
* JSTests/stress/define-property-on-receiver-slow-super-set-property.js: Added.
* JSTests/stress/define-property-on-receiver-slow-super-set-property-2.js: Added.
* JSTests/stress/ordinary-set-exceptions.js: Updated error messages.
* Source/JavaScriptCore/runtime/JSObject.cpp:
(JSC::canDefinePropertyOnReceiverFast):
(JSC::JSObject::definePropertyOnReceiver):

Canonical link: https://commits.webkit.org/263559@main
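
The behaviour the log message describes can be observed from script. The following is an added example, not code from the commit or its JSTests, and every function name in it is made up for illustration. It records which Proxy traps a spec-conforming engine calls for the two cases named above: a proxy with no "set" trap, and a `super` property store whose `this` is a proxy.

```javascript
// Added illustration, not taken from the WebKit commit or its tests.
// All names here (recordingProxy, assignThroughProxy, ...) are hypothetical.

// Build a Proxy that logs the traps it receives. No "set" trap is installed,
// so Proxy [[Set]] forwards to the target with the proxy as receiver.
function recordingProxy(target, log) {
  return new Proxy(target, {
    getOwnPropertyDescriptor(t, key) {
      log.push(`getOwnPropertyDescriptor:${String(key)}`);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
    defineProperty(t, key, desc) {
      log.push(`defineProperty:${String(key)}`);
      return Reflect.defineProperty(t, key, desc);
    },
  });
}

// Case 1: plain assignment through a proxy whose "set" trap is missing.
// OrdinarySet on the target must still define the property via the receiver,
// which means going through the proxy's traps.
function assignThroughProxy() {
  const log = [];
  const target = {};
  const proxy = recordingProxy(target, log);
  proxy.x = 1;
  return { log, onTarget: target.x, viaProxy: proxy.x };
}

// Case 2: `super[key] = value` where `this` is a proxy. The store starts at
// the home object's prototype but lands on the receiver (the proxy).
function assignThroughSuper() {
  const log = [];
  const target = {};
  const proxy = recordingProxy(target, log);
  const home = {
    __proto__: {},
    setViaSuper(key, value) { super[key] = value; },
  };
  home.setViaSuper.call(proxy, "y", 2);
  return { log, onTarget: target.y, viaProxy: proxy.y };
}
```

A store that bypassed the traps would leave both logs empty and the value unreadable through the proxy, which is the symptom the log message describes.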



