Title: [224480] branches/safari-604.4.7.10-branch/Source/_javascript_Core
Revision
224480
Author
jmarc...@apple.com
Date
2017-11-05 22:56:42 -0800 (Sun, 05 Nov 2017)

Log Message

Cherry-pick r224416. rdar://problem/35339831

Modified Paths

Diff

Modified: branches/safari-604.4.7.10-branch/Source/_javascript_Core/ChangeLog (224479 => 224480)


--- branches/safari-604.4.7.10-branch/Source/_javascript_Core/ChangeLog	2017-11-06 06:47:46 UTC (rev 224479)
+++ branches/safari-604.4.7.10-branch/Source/_javascript_Core/ChangeLog	2017-11-06 06:56:42 UTC (rev 224480)
@@ -1,3 +1,25 @@
+2017-11-05  Jason Marcell  <jmarc...@apple.com>
+
+        Cherry-pick r224416. rdar://problem/35339831
+
+    2017-11-03  Keith Miller  <keith_mil...@apple.com>
+
+            PutProperytSlot should inform the IC about the property before effects.
+            https://bugs.webkit.org/show_bug.cgi?id=179262
+
+            Reviewed by Mark Lam.
+
+            This patch fixes an issue where we choose to cache setters based on
+            incorrect information. If we did so we might end up OSR exiting
+            more than we would otherwise need to. The new model is that the
+            PutPropertySlot should inform the IC of what the property looked
+            like before any potential side effects might have occurred.
+
+            * runtime/JSObject.cpp:
+            (JSC::JSObject::putInlineSlow):
+            * runtime/Lookup.h:
+            (JSC::putEntry):
+
 2017-11-02  Jason Marcell  <jmarc...@apple.com>
 
         Cherry-pick r224366. rdar://problem/35329721

Modified: branches/safari-604.4.7.10-branch/Source/_javascript_Core/runtime/JSObject.cpp (224479 => 224480)


--- branches/safari-604.4.7.10-branch/Source/_javascript_Core/runtime/JSObject.cpp	2017-11-06 06:47:46 UTC (rev 224479)
+++ branches/safari-604.4.7.10-branch/Source/_javascript_Core/runtime/JSObject.cpp	2017-11-06 06:56:42 UTC (rev 224480)
@@ -771,17 +771,23 @@
 
             JSValue gs = obj->getDirect(offset);
             if (gs.isGetterSetter()) {
-                bool result = callSetter(exec, slot.thisValue(), gs, value, slot.isStrictMode() ? StrictMode : NotStrictMode);
+                // We need to make sure that we decide to cache this property before we potentially execute aribitrary JS.
                 if (!structure()->isDictionary())
                     slot.setCacheableSetter(obj, offset);
+
+                bool result = callSetter(exec, slot.thisValue(), gs, value, slot.isStrictMode() ? StrictMode : NotStrictMode);
+                RETURN_IF_EXCEPTION(scope, false);
                 return result;
             }
             if (gs.isCustomGetterSetter()) {
-                bool result = callCustomSetter(exec, gs, attributes & CustomAccessor, obj, slot.thisValue(), value);
+                // We need to make sure that we decide to cache this property before we potentially execute aribitrary JS.
                 if (attributes & CustomAccessor)
                     slot.setCustomAccessor(obj, jsCast<CustomGetterSetter*>(gs.asCell())->setter());
                 else
                     slot.setCustomValue(obj, jsCast<CustomGetterSetter*>(gs.asCell())->setter());
+
+                bool result = callCustomSetter(exec, gs, attributes & CustomAccessor, obj, slot.thisValue(), value);
+                RETURN_IF_EXCEPTION(scope, false);
                 return result;
             }
             ASSERT(!(attributes & Accessor));
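Review bot: The comment added above both cache decisions in this hunk (and again in putEntry in Lookup.h) says only that the decision must precede arbitrary JS, and misspells "arbitrary"; it does not say which state the setter could invalidate. I would word it as `// Record the cacheable setter now: the slot must describe the property as it looked before the setter ran, since the setter can execute arbitrary JS.` In the GetterSetter branch the dictionary check reads the receiver's `structure()` while the slot records `obj` and `offset`; if that asymmetry is intentional, the same comment is the place to say so. The enclosing function (putInlineSlow, per the ChangeLog) starts and ends outside the hunk.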

Modified: branches/safari-604.4.7.10-branch/Source/_javascript_Core/runtime/Lookup.h (224479 => 224480)


--- branches/safari-604.4.7.10-branch/Source/_javascript_Core/runtime/Lookup.h	2017-11-06 06:47:46 UTC (rev 224479)
+++ branches/safari-604.4.7.10-branch/Source/_javascript_Core/runtime/Lookup.h	2017-11-06 06:56:42 UTC (rev 224480)
@@ -284,11 +284,14 @@
         ASSERT_WITH_MESSAGE(!(entry->attributes() & DOMJITAttribute), "DOMJITAttribute supports readonly attributes currently.");
         bool isAccessor = entry->attributes() & CustomAccessor;
         JSValue updateThisValue = entry->attributes() & CustomAccessor ? slot.thisValue() : JSValue(base);
-        bool result = callCustomSetter(exec, entry->propertyPutter(), isAccessor, updateThisValue, value);
+        // We need to make sure that we decide to cache this property before we potentially execute aribitrary JS.
         if (isAccessor)
             slot.setCustomAccessor(base, entry->propertyPutter());
         else
             slot.setCustomValue(base, entry->propertyPutter());
+
+        bool result = callCustomSetter(exec, entry->propertyPutter(), isAccessor, updateThisValue, value);
+        RETURN_IF_EXCEPTION(scope, false);
         return result;
     }
 
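Review bot: The added `RETURN_IF_EXCEPTION(scope, false);` returns with the slot already marked by `setCustomAccessor`/`setCustomValue`, so a custom setter that throws still hands the caller a slot that looks cacheable; the two setter branches in JSObject.cpp have the same shape. Whether the IC consumers check for a pending exception before using the slot is not visible here, so I would state the contract next to the early return, e.g. `// The slot stays marked even when the setter throws; callers must check for an exception before caching from it.` `scope` is declared outside the hunk, and putEntry's body starts above it.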