[webkit-changes] [WebKit/WebKit] d91d51: [JSC] Different @@species getter for each constructor

SUZUKI Sosuke noreply at github.com
Tue Feb 20 13:16:10 PST 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: d91d519d4b06ae84e14ccf1cde231683b0b7d6c4
      https://github.com/WebKit/WebKit/commit/d91d519d4b06ae84e14ccf1cde231683b0b7d6c4
  Author: Sosuke Suzuki <sosuke.suzuki at dr-ubie.com>
  Date:   2024-02-20 (Tue, 20 Feb 2024)

  Changed paths:
    A JSTests/stress/species-equivalence-typedarray.js
    A JSTests/stress/species-equivalence.js
    M Source/JavaScriptCore/runtime/ArrayConstructor.cpp
    M Source/JavaScriptCore/runtime/ArrayConstructor.h
    M Source/JavaScriptCore/runtime/BigIntConstructor.h
    M Source/JavaScriptCore/runtime/BooleanConstructor.cpp
    M Source/JavaScriptCore/runtime/BooleanConstructor.h
    M Source/JavaScriptCore/runtime/DateConstructor.h
    M Source/JavaScriptCore/runtime/ErrorConstructor.h
    M Source/JavaScriptCore/runtime/FinalizationRegistryConstructor.h
    M Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp
    M Source/JavaScriptCore/runtime/JSArrayBufferConstructor.h
    M Source/JavaScriptCore/runtime/JSGlobalObject.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObject.h
    M Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h
    M Source/JavaScriptCore/runtime/JSInternalPromiseConstructor.cpp
    M Source/JavaScriptCore/runtime/JSInternalPromiseConstructor.h
    M Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp
    M Source/JavaScriptCore/runtime/JSPromiseConstructor.h
    M Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp
    M Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.h
    M Source/JavaScriptCore/runtime/MapConstructor.cpp
    M Source/JavaScriptCore/runtime/MapConstructor.h
    M Source/JavaScriptCore/runtime/NumberConstructor.cpp
    M Source/JavaScriptCore/runtime/NumberConstructor.h
    M Source/JavaScriptCore/runtime/RegExpConstructor.cpp
    M Source/JavaScriptCore/runtime/RegExpConstructor.h
    M Source/JavaScriptCore/runtime/SetConstructor.cpp
    M Source/JavaScriptCore/runtime/SetConstructor.h
    M Source/JavaScriptCore/runtime/ShadowRealmConstructor.h
    M Source/JavaScriptCore/runtime/StringConstructor.cpp
    M Source/JavaScriptCore/runtime/StringConstructor.h
    M Source/JavaScriptCore/runtime/SymbolConstructor.h
    M Source/JavaScriptCore/runtime/WeakMapConstructor.h
    M Source/JavaScriptCore/runtime/WeakObjectRefConstructor.h
    M Source/JavaScriptCore/runtime/WeakSetConstructor.h

  Log Message:
  -----------
  [JSC] Different @@species getter for each constructor
https://bugs.webkit.org/show_bug.cgi?id=267039

Reviewed by Keith Miller.

In JavaScriptCore, `Object.getOwnPropertyDescriptor(Array, Symbol.species).get === Object.getOwnPropertyDescriptor(RegExp, Symbol.species).get` evaluates to true.
This patch changes the @@species getters of each constructor to be different objects, so that the result of this expression becomes false.
Remove the global `m_speciesGetterSetter` and create `m_arraySpeciesGetterSetter` and `m_regExpSpeciesGetterSetter` and ... for each constructor.
Instead of passing the `GetterSetter*` type values as arguments to the create function of each constructor, refer to them from the `globalObject`.

https://tc39.es/ecma262/#sec-get-regexp-@@species
https://tc39.es/ecma262/#sec-get-array-@@species
https://tc39.es/ecma262/#sec-get-%typedarray%-@@species
https://tc39.es/ecma262/#sec-get-map-@@species
https://tc39.es/ecma262/#sec-get-set-@@species
https://tc39.es/ecma262/#sec-get-arraybuffer-@@species
https://tc39.es/ecma262/#sec-sharedarraybuffer-@@species
https://tc39.es/ecma262/#sec-get-promise-@@species

* JSTests/stress/species-equivalence-typedarray.js: Added.
(shouldBe):
(readTypedArraySymbolSpeciesGetter):
(runTest):
* JSTests/stress/species-equivalence.js: Added.
(shouldNotBe):
(readSymbolSpeciesGetter):
(runTest):
* Source/JavaScriptCore/runtime/ArrayConstructor.cpp:
(JSC::ArrayConstructor::finishCreation):
* Source/JavaScriptCore/runtime/ArrayConstructor.h:
* Source/JavaScriptCore/runtime/BigIntConstructor.h:
* Source/JavaScriptCore/runtime/BooleanConstructor.cpp:
(JSC::BooleanConstructor::create):
* Source/JavaScriptCore/runtime/BooleanConstructor.h:
* Source/JavaScriptCore/runtime/DateConstructor.h:
* Source/JavaScriptCore/runtime/ErrorConstructor.h:
* Source/JavaScriptCore/runtime/FinalizationRegistryConstructor.h:
* Source/JavaScriptCore/runtime/JSArrayBufferConstructor.cpp:
(JSC::JSGenericArrayBufferConstructor<sharingMode>::finishCreation):
* Source/JavaScriptCore/runtime/JSArrayBufferConstructor.h:
* Source/JavaScriptCore/runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildrenImpl):
(JSC::JSGlobalObject::tryInstallSpeciesWatchpoint):
(JSC::JSGlobalObject::installArraySpeciesWatchpoint):
(JSC::JSGlobalObject::tryInstallArrayBufferSpeciesWatchpoint):
(JSC::JSGlobalObject::tryInstallTypedArraySpeciesWatchpoint):
(JSC::JSGlobalObject::installTypedArrayConstructorSpeciesWatchpoint):
* Source/JavaScriptCore/runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::arraySpeciesGetterSetter const):
(JSC::JSGlobalObject::typedArraySpeciesGetterSetter const):
(JSC::JSGlobalObject::speciesGetterSetter const): Deleted.
* Source/JavaScriptCore/runtime/JSGlobalObjectInlines.h:
(JSC::JSGlobalObject::arrayBufferSpeciesGetterSetter const):
* Source/JavaScriptCore/runtime/JSInternalPromiseConstructor.cpp:
(JSC::JSInternalPromiseConstructor::create):
* Source/JavaScriptCore/runtime/JSInternalPromiseConstructor.h:
* Source/JavaScriptCore/runtime/JSPromiseConstructor.cpp:
(JSC::JSPromiseConstructor::create):
(JSC::JSPromiseConstructor::finishCreation):
* Source/JavaScriptCore/runtime/JSPromiseConstructor.h:
* Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.cpp:
(JSC::JSTypedArrayViewConstructor::finishCreation):
* Source/JavaScriptCore/runtime/JSTypedArrayViewConstructor.h:
* Source/JavaScriptCore/runtime/MapConstructor.cpp:
(JSC::MapConstructor::finishCreation):
* Source/JavaScriptCore/runtime/MapConstructor.h:
* Source/JavaScriptCore/runtime/NumberConstructor.cpp:
(JSC::NumberConstructor::create):
* Source/JavaScriptCore/runtime/NumberConstructor.h:
* Source/JavaScriptCore/runtime/RegExpConstructor.cpp:
(JSC::RegExpConstructor::finishCreation):
* Source/JavaScriptCore/runtime/RegExpConstructor.h:
* Source/JavaScriptCore/runtime/SetConstructor.cpp:
(JSC::SetConstructor::finishCreation):
* Source/JavaScriptCore/runtime/SetConstructor.h:
* Source/JavaScriptCore/runtime/ShadowRealmConstructor.h:
* Source/JavaScriptCore/runtime/StringConstructor.cpp:
(JSC::StringConstructor::create):
* Source/JavaScriptCore/runtime/StringConstructor.h:
* Source/JavaScriptCore/runtime/SymbolConstructor.h:
* Source/JavaScriptCore/runtime/WeakMapConstructor.h:
* Source/JavaScriptCore/runtime/WeakObjectRefConstructor.h:
* Source/JavaScriptCore/runtime/WeakSetConstructor.h:

Canonical link: https://commits.webkit.org/275064@main
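
A check for the behaviour the log message describes, as an added example that is not taken from the commit or its JSTests: it reads the own `Symbol.species` getter of each constructor named in the spec links above and reports every pair that shares one getter object. The helper names `ownSpeciesGetter`, `sharedSpeciesGetters` and `typedArraysInheritSpecies` are hypothetical.

```javascript
// Added example; not part of the WebKit commit or its JSTests.
// %TypedArray% is not a global, so reach it through a concrete typed array.
const TypedArray = Object.getPrototypeOf(Int8Array);

// Constructors whose @@species getters appear in the commit message's spec links.
const constructors = { RegExp, Array, TypedArray, Map, Set, ArrayBuffer, Promise };
// SharedArrayBuffer is not exposed by every host, so add it only when present.
if (typeof SharedArrayBuffer === "function") {
  constructors.SharedArrayBuffer = SharedArrayBuffer;
}

// Own accessor only: an inherited @@species must not be counted as the constructor's own.
function ownSpeciesGetter(ctor) {
  const desc = Object.getOwnPropertyDescriptor(ctor, Symbol.species);
  return desc ? desc.get : undefined;
}

// Returns every pair of names whose constructors share a single getter object.
function sharedSpeciesGetters(ctors) {
  const names = Object.keys(ctors);
  const shared = [];
  for (let i = 0; i < names.length; i++) {
    for (let j = i + 1; j < names.length; j++) {
      const a = ownSpeciesGetter(ctors[names[i]]);
      const b = ownSpeciesGetter(ctors[names[j]]);
      if (a !== undefined && a === b) shared.push([names[i], names[j]]);
    }
  }
  return shared;
}

// Concrete typed array constructors define no own @@species; they inherit the
// %TypedArray% accessor, which returns its receiver.
function typedArraysInheritSpecies() {
  return [Int8Array, Uint8Array, Float64Array].every(
    (c) => ownSpeciesGetter(c) === undefined && c[Symbol.species] === c
  );
}

// Each getter must exist and return the constructor it is called on.
function everyGetterReturnsReceiver(ctors) {
  return Object.values(ctors).every((c) => {
    const get = ownSpeciesGetter(c);
    return typeof get === "function" && get.call(c) === c;
  });
}

console.log("shared getters:", sharedSpeciesGetters(constructors));
```

An engine that still uses one getter for all constructors lists every pair; an engine with a getter per constructor prints an empty array.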


