[Webkit-unassigned] [Bug 208337] New: Fix semantic bugs in put inline caching

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Feb 27 13:32:11 PST 2020


https://bugs.webkit.org/show_bug.cgi?id=208337

            Bug ID: 208337
           Summary: Fix semantic bugs in put inline caching
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: justin_michaud at apple.com

Put inline caching is semantically incorrect in some cases with poly proto. See https://bugs.webkit.org/show_bug.cgi?id=208261. We sometimes continue to cache a setter, even though it has changed the prototype chain. Additional cases to consider are puts involving prototype chains that have static property accessors. This is exposed as a result of 206430 since DefineOwnProperty used to transition to uncacheable dictionary.

        A - setter for x defines a new setter for x on B
        |
        B
        |
        C

        We set (new C).x

        We first call the setter, then try to figure out what the state of things
        was before it was called. We see that A's setter still exists, so we cache it
        without ever checking that B has a setter now too.

        In the code, A = target, C = base.

Get is correct because it collects caching information before any calls.
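The A -> B -> C scenario above, written out as plain JavaScript to pin down the semantics a put cache must preserve (an added example, not code from the bug report or from JavaScriptCore; `new C` is modelled as `Object.create(C)`, and the `calls` log is a constructed aid):

```javascript
// Added example, not from the bug report: builds the A -> B -> C prototype
// chain described above. A's setter for x records the call and then defines
// a new setter for x on B (a DefineOwnProperty on an object in the chain).
function buildChain() {
  const calls = [];          // constructed log of which setter ran
  const A = {};
  const B = Object.create(A);
  const C = Object.create(B);

  Object.defineProperty(A, "x", {
    set(v) {
      calls.push("A.set:" + v);
      // The setter mutates the chain: B now shadows A for x.
      Object.defineProperty(B, "x", {
        set(w) { calls.push("B.set:" + w); },
        configurable: true,
      });
    },
    configurable: true,
  });

  // Each store uses a fresh base whose prototype is C, mirroring `(new C).x`.
  const makeBase = () => Object.create(C);
  return { calls, makeBase };
}

// Performs `base.x = v` for each value on a fresh base and returns the log.
// Correct semantics: the first store reaches A's setter (B has no x yet),
// which installs a setter on B; every later store must hit B's setter.
// A put cache that keeps targeting A after the first store, which is what
// the report describes, would instead log "A.set" for every value.
function storeSequence(values) {
  const { calls, makeBase } = buildChain();
  for (const v of values) {
    makeBase().x = v;
  }
  return calls;
}
```

Running `storeSequence([1, 2, 3])` in a correct engine yields `["A.set:1", "B.set:2", "B.set:3"]`; a cache that kept the stale A target would report `A.set` three times.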
