[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373

oliver at apple.com oliver at apple.com
Thu Apr 8 00:32:12 UTC 2010


The following commit has been merged in the webkit-1.2 branch:
commit 3079cb0a0072a8c4ccb892a52a67dd51f1fb8ea6
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Dec 11 02:22:07 2009 +0000

    Incorrect caching of prototype lookup with dictionary base
    https://bugs.webkit.org/show_bug.cgi?id=32402
    
    Reviewed by Gavin Barraclough
    
    Make sure we don't add cached prototype lookup to the proto_list
    lookup chain if the top level object is a dictionary.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@51976 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index f1b176a..3e9187b 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,16 @@
+2009-12-10  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Incorrect caching of prototype lookup with dictionary base
+        https://bugs.webkit.org/show_bug.cgi?id=32402
+
+        Make sure we don't add cached prototype lookup to the proto_list
+        lookup chain if the top level object is a dictionary.
+
+        * jit/JITStubs.cpp:
+        (JSC::JITThunks::tryCacheGetByID):
+
 2009-12-10  Gavin Barraclough  <barraclough at apple.com>
 
         Reviewed by Oliver Hunt.
diff --git a/JavaScriptCore/jit/JITStubs.cpp b/JavaScriptCore/jit/JITStubs.cpp
index 1a7f57f..8dd7a97 100644
--- a/JavaScriptCore/jit/JITStubs.cpp
+++ b/JavaScriptCore/jit/JITStubs.cpp
@@ -847,6 +847,8 @@ NEVER_INLINE void JITThunks::tryCacheGetByID(CallFrame* callFrame, CodeBlock* co
         
         stubInfo->initGetByIdProto(structure, slotBaseObject->structure());
 
+        ASSERT(!structure->isDictionary());
+        ASSERT(!slotBaseObject->structure()->isDictionary());
         JIT::compileGetByIdProto(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, structure, slotBaseObject->structure(), slot.cachedOffset(), returnAddress);
         return;
     }
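Review bot: The two new ASSERTs run after `stubInfo->initGetByIdProto(structure, slotBaseObject->structure());` has already recorded both structures, so in a debug build a violation is reported only once the stub info has been mutated; placing them on the lines just before the initGetByIdProto call keeps the failure ahead of the side effect. Because ASSERT compiles away in release builds, these lines document the invariant rather than enforce it — the check that actually keeps a dictionary structure off this path is not visible in the hunk and should be confirmed to exist earlier in the function. tryCacheGetByID starts and continues outside the hunk.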
@@ -1365,7 +1367,7 @@ DEFINE_STUB_FUNCTION(EncodedJSValue, op_get_by_id_proto_list)
 
     CHECK_FOR_EXCEPTION();
 
-    if (!baseValue.isCell() || !slot.isCacheable() || asCell(baseValue)->structure()->isUncacheableDictionary()) {
+    if (!baseValue.isCell() || !slot.isCacheable() || asCell(baseValue)->structure()->isDictionary()) {
         ctiPatchCallByReturnAddress(callFrame->codeBlock(), STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_fail));
         return JSValue::encode(result);
     }
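Review bot: The widened bail-out `asCell(baseValue)->structure()->isDictionary()` is the behavioural fix of this commit but carries no comment, and since the old `isUncacheableDictionary()` reads like a deliberate narrower choice a later reader may be tempted to narrow it back. A one-line comment above the `if` would pin the intent, e.g. `// Never add a proto-list entry for a dictionary base, cacheable or not (bug 32402).` The `ASSERT(!asCell(baseValue)->structure()->isDictionary());` lines added in the two following hunks of this function assert exactly what this early return establishes, so they are consistent with it and the same comment covers them. The body of op_get_by_id_proto_list continues outside the hunk.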
@@ -1380,6 +1382,7 @@ DEFINE_STUB_FUNCTION(EncodedJSValue, op_get_by_id_proto_list)
     if (slot.slotBase() == baseValue)
         ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_fail));
     else if (slot.slotBase() == asCell(baseValue)->structure()->prototypeForLookup(callFrame)) {
+        ASSERT(!asCell(baseValue)->structure()->isDictionary());
         // Since we're accessing a prototype in a loop, it's a good bet that it
         // should not be treated as a dictionary.
         if (slotBaseObject->structure()->isDictionary())
@@ -1393,6 +1396,7 @@ DEFINE_STUB_FUNCTION(EncodedJSValue, op_get_by_id_proto_list)
         if (listIndex == (POLYMORPHIC_LIST_CACHE_SIZE - 1))
             ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_list_full));
     } else if (size_t count = normalizePrototypeChain(callFrame, baseValue, slot.slotBase())) {
+        ASSERT(!asCell(baseValue)->structure()->isDictionary());
         int listIndex;
         PolymorphicAccessStructureList* prototypeStructureList = getPolymorphicAccessStructureListSlot(stubInfo, listIndex);
 
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index d03903d..658decb 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2009-12-10  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Incorrect caching of prototype lookup with dictionary base
+        https://bugs.webkit.org/show_bug.cgi?id=32402
+
+        Adding test for prototype caching through a dictionary
+
+        * fast/js/dictionary-prototype-caching-expected.txt:
+        * fast/js/script-tests/dictionary-prototype-caching.js:
+        (testFunction):
+
 2009-12-10  Alexey Proskuryakov  <ap at apple.com>
 
         Reviewed by Darin Adler.
diff --git a/LayoutTests/fast/js/dictionary-prototype-caching-expected.txt b/LayoutTests/fast/js/dictionary-prototype-caching-expected.txt
index 72c4073..6184a75 100644
--- a/LayoutTests/fast/js/dictionary-prototype-caching-expected.txt
+++ b/LayoutTests/fast/js/dictionary-prototype-caching-expected.txt
@@ -7,6 +7,9 @@ PASS protoTest(o) is 'PASS'
 PASS protoTest(o) is undefined.
 PASS protoKeys is [1,2,3]
 PASS protoKeys is [1,2,3]
+PASS testFunction(subclass1) is true
+PASS testFunction(subclass2) is true
+PASS testFunction(subclass2) is true
 PASS successfullyParsed is true
 
 TEST COMPLETE
diff --git a/LayoutTests/fast/js/script-tests/dictionary-prototype-caching.js b/LayoutTests/fast/js/script-tests/dictionary-prototype-caching.js
index 68ba1c6..8fc2636 100644
--- a/LayoutTests/fast/js/script-tests/dictionary-prototype-caching.js
+++ b/LayoutTests/fast/js/script-tests/dictionary-prototype-caching.js
@@ -54,4 +54,21 @@ for (var i in proto)
 
 shouldBe("protoKeys", "[1,2,3]");
 
+function testFunction(o) {
+    return o.test;
+}
+
+var proto = { test: true };
+var subclass1 = { __proto__: proto };
+var subclass2 = { __proto__: proto };
+for (var i = 0; i < 500; i++)
+    subclass2["a"+i]="a"+i;
+
+testFunction(subclass1);
+shouldBeTrue("testFunction(subclass1)");
+shouldBeTrue("testFunction(subclass2)");
+proto.test = false
+subclass2.test = true;
+shouldBeTrue("testFunction(subclass2)");
+
 successfullyParsed = true;
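Review bot: `proto.test = false` on the new side lacks a terminating semicolon while every neighbouring statement has one; `proto.test = false;` keeps the file consistent. The hunk also redeclares `var proto` although the hunk header shows the file already iterates an earlier `proto` (`for (var i in proto)`), so the new object silently replaces it — giving the second fixture a distinct name would make the test's intent clearer if the earlier variable is not meant to be reused. The earlier part of the script is outside the hunk, so whether anything after this point still depends on the original `proto` cannot be confirmed here.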
