[ESNext][JIT] Add support for UntypedUse on PutPrivateName's base operand

ticaiolima@gmail.com · ticaiolima@gmail.com · commit dc9049661d4d · 2020-10-18T13:24:38.000Z
https://bugs.webkit.org/show_bug.cgi?id=217373 Reviewed by Yusuke Suzuki. JSTests: * stress/get-private-name-with-primitive.js: Added. * stress/put-private-name-untyped-use.js: Added. * stress/put-private-name-with-primitive.js: Added. Source/JavaScriptCore: This patch is adding UntypedUse for `PutPrivateName`'s base operand to avoid a OSR when we have a non-cell base. Also, it is fixing a bug on private field operations `get_private_name` and `put_private_name` to call `ToObject` on base to properly support class fields spec text[1][2]. [1] - https://tc39.es/proposal-class-fields/#sec-getvalue [2] - https://tc39.es/proposal-class-fields/#sec-putvalue * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compilePutPrivateName): * ftl/FTLLowerDFGToB3.cpp: (JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateName): * jit/JITOperations.cpp: (JSC::setPrivateField): (JSC::definePrivateField): (JSC::JSC_DEFINE_JIT_OPERATION): (JSC::getPrivateName): * jit/JITPropertyAccess.cpp: (JSC::JIT::emit_op_put_private_name): * jit/JITPropertyAccess32_64.cpp: (JSC::JIT::emit_op_put_private_name): * llint/LLIntSlowPaths.cpp: (JSC::LLInt::LLINT_SLOW_PATH_DECL): * runtime/CommonSlowPaths.cpp: Previous implementation was wrongly considering that base was always an object, causing segmentation fault when base was not an object. We changed this to handle cases when base is not and object, following what spec text specifies. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@268656 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
@@ -1,3 +1,14 @@
+2020-10-18  Caio Lima  <ticaiolima@gmail.com>
+
+        [ESNext][JIT] Add support for UntypedUse on PutPrivateName's base operand
+        https://bugs.webkit.org/show_bug.cgi?id=217373
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/get-private-name-with-primitive.js: Added.
+        * stress/put-private-name-untyped-use.js: Added.
+        * stress/put-private-name-with-primitive.js: Added.
+
 2020-10-17  Ross Kirsling  <ross.kirsling@sony.com>
 
         Ensure %TypedArray% essential internal methods adhere to spec
diff --git a/JSTests/stress/get-private-name-with-primitive.js b/JSTests/stress/get-private-name-with-primitive.js
@@ -0,0 +1,51 @@
+//@ requireOptions("--usePrivateClassFields=true")
+
+let assert = {
+    shouldThrow: function(exception, functor) {
+        let threwException;
+        try {
+            functor();
+            threwException = false;
+        } catch(e) {
+            threwException = true;
+            if (!e instanceof exception)
+                throw new Error("Expected to throw: " + exception.name + " but it throws: " + e.name);
+        }
+
+        if (!threwException)
+            throw new Error("Expected to throw: " + exception.name + " but executed without exception");
+    }
+}
+
+class C {
+  #field = 'test';
+
+  getField(v) {
+      this.#field;
+  }
+}
+noInline(C.constructor);
+noInline(C.prototype.getField);
+
+
+let c = new C();
+
+assert.shouldThrow(TypeError, () => {
+    c.getField.call(15);
+});
+assert.shouldThrow(TypeError, () => {
+    c.getField.call('test');
+});
+assert.shouldThrow(TypeError, () => {
+    c.getField.call(Symbol);
+});
+assert.shouldThrow(TypeError, () => {
+    c.getField.call(null);
+});
+assert.shouldThrow(TypeError, () => {
+    c.getField.call(undefined);
+});
+assert.shouldThrow(TypeError, () => {
+    c.getField.call(10n);
+});
+
diff --git a/JSTests/stress/put-private-name-untyped-use.js b/JSTests/stress/put-private-name-untyped-use.js
@@ -0,0 +1,55 @@
+//@ requireOptions("--allowUnsupportedTiers=true", "--usePrivateClassFields=true", "--useAccessInlining=false")
+
+let assert = {
+    shouldThrow: function(exception, functor) {
+        let threwException;
+        try {
+            functor();
+            threwException = false;
+        } catch(e) {
+            threwException = true;
+            if (!e instanceof exception)
+                throw new Error("Expected to throw: " + exception.name + " but it throws: " + e.name);
+        }
+
+        if (!threwException)
+            throw new Error("Expected to throw: " + exception.name + " but executed without exception");
+    }
+}
+
+class C {
+  #field;
+
+  setField(v) {
+      let o = this;
+      // This branch is here to avoid PutPrivateNameById to be folded as 
+      // PutByOffset.
+      if (v > 100)
+          o = {};
+      o.#field = v;
+  }
+}
+noInline(C.constructor);
+noInline(C.prototype.setField);
+
+let c = new C();
+
+// Let's trigger JIT compilation for `C.prototype.setField`
+for (let i = 0; i < 10000; i++) {
+    c.setField(15);
+}
+
+for (let i = 0; i < 10000; i++) {
+    assert.shouldThrow(TypeError, () => {
+        c.setField.call(15, 'test');
+    });
+
+    assert.shouldThrow(TypeError, () => {
+        c.setField.call('string', 'test');
+    });
+
+    assert.shouldThrow(TypeError, () => {
+        c.setField.call(Symbol('symbol'), 'test');
+    });
+}
+
diff --git a/JSTests/stress/put-private-name-with-primitive.js b/JSTests/stress/put-private-name-with-primitive.js
@@ -0,0 +1,53 @@
+//@ requireOptions("--usePrivateClassFields=true")
+
+let assert = {
+    shouldThrow: function(exception, functor) {
+        let threwException;
+        try {
+            functor();
+            threwException = false;
+        } catch(e) {
+            threwException = true;
+            if (!e instanceof exception)
+                throw new Error("Expected to throw: " + exception.name + " but it throws: " + e.name);
+        }
+
+        if (!threwException)
+            throw new Error("Expected to throw: " + exception.name + " but executed without exception");
+    }
+}
+
+class C {
+  #field = 'test';
+
+  setField(v) {
+      this.#field = v;
+  }
+}
+noInline(C.constructor);
+noInline(C.prototype.setField);
+
+let c = new C();
+
+// We repeat this to make operationPutPrivateNameOptimize repatch to operationPutPrivateNameGeneric
+for (let i = 0; i < 5; i++) {
+    assert.shouldThrow(TypeError, () => {
+        c.setField.call(15, 0);
+    });
+    assert.shouldThrow(TypeError, () => {
+        c.setField.call('test', 0);
+    });
+    assert.shouldThrow(TypeError, () => {
+        c.setField.call(Symbol, 0);
+    });
+    assert.shouldThrow(TypeError, () => {
+        c.setField.call(null, 0);
+    });
+    assert.shouldThrow(TypeError, () => {
+        c.setField.call(undefined, 0);
+    });
+    assert.shouldThrow(TypeError, () => {
+        c.setField.call(10n, 0);
+    });
+}
+
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,43 @@
+2020-10-18  Caio Lima  <ticaiolima@gmail.com>
+
+        [ESNext][JIT] Add support for UntypedUse on PutPrivateName's base operand
+        https://bugs.webkit.org/show_bug.cgi?id=217373
+
+        Reviewed by Yusuke Suzuki.
+
+        This patch is adding UntypedUse for `PutPrivateName`'s base operand to
+        avoid a OSR when we have a non-cell base.
+        Also, it is fixing a bug on private field operations `get_private_name` and
+        `put_private_name` to call `ToObject` on base to properly support
+        class fields spec text[1][2].
+
+        [1] - https://tc39.es/proposal-class-fields/#sec-getvalue
+        [2] - https://tc39.es/proposal-class-fields/#sec-putvalue
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compilePutPrivateName):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compilePutPrivateName):
+        * jit/JITOperations.cpp:
+        (JSC::setPrivateField):
+        (JSC::definePrivateField):
+        (JSC::JSC_DEFINE_JIT_OPERATION):
+        (JSC::getPrivateName):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_put_private_name):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::emit_op_put_private_name):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * runtime/CommonSlowPaths.cpp:
+
+        Previous implementation was wrongly considering that base was always
+        an object, causing segmentation fault when base was not an object.
+        We changed this to handle cases when base is not and object, following
+        what spec text specifies.
+
 2020-10-17  Ross Kirsling  <ross.kirsling@sony.com>
 
         Unreviewed fix for r268640
diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
@@ -1907,7 +1907,6 @@ class FixupPhase : public Phase {
 
 
         case PutPrivateName: {
-            fixEdge<CellUse>(node->child1());
             fixEdge<SymbolUse>(node->child2());
             break;
         }
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -3526,19 +3526,20 @@ void SpeculativeJIT::compileGetByValWithThis(Node* node)
 
 void SpeculativeJIT::compilePutPrivateName(Node* node)
 {
-    SpeculateCellOperand base(this, node->child1());
+    ASSERT(node->child1().useKind() == UntypedUse);
+    JSValueOperand base(this, node->child1());
     SpeculateCellOperand propertyValue(this, node->child2());
     JSValueOperand value(this, node->child3());
 
     JSValueRegs valueRegs = value.jsValueRegs();
+    JSValueRegs baseRegs = base.jsValueRegs();
 
-    GPRReg baseGPR = base.gpr();
     GPRReg propertyGPR = propertyValue.gpr();
 
     speculateSymbol(node->child2(), propertyGPR);
 
     flushRegisters();
-    callOperation(operationPutPrivateNameGeneric, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), CCallHelpers::CellValue(baseGPR), CCallHelpers::CellValue(propertyGPR), valueRegs, TrustedImmPtr(nullptr), TrustedImm32(node->privateFieldPutKind().value()));
+    callOperation(operationPutPrivateNameGeneric, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs, CCallHelpers::CellValue(propertyGPR), valueRegs, TrustedImmPtr(nullptr), TrustedImm32(node->privateFieldPutKind().value()));
     m_jit.exceptionCheck();
 
     noResult(node);
diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
@@ -3971,10 +3971,10 @@ class LowerDFGToB3 {
 
     void compilePutPrivateName()
     {
-        DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == CellUse, m_node->child1().useKind());
+        DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse, m_node->child1().useKind());
         JSGlobalObject* globalObject = m_graph.globalObjectFor(m_node->origin.semantic);
 
-        LValue base = lowCell(m_node->child1());
+        LValue base = lowJSValue(m_node->child1());
         LValue property = lowSymbol(m_node->child2());
         LValue value = lowJSValue(m_node->child3());
 
diff --git a/Source/JavaScriptCore/jit/JITOperations.cpp b/Source/JavaScriptCore/jit/JITOperations.cpp
@@ -677,7 +677,8 @@ ALWAYS_INLINE static void setPrivateField(VM& vm, JSGlobalObject* globalObject,
     Identifier ident = Identifier::fromUid(vm, identifier.uid());
     ASSERT(ident.isPrivateName());
 
-    JSObject* baseObject = asObject(baseValue);
+    JSObject* baseObject = baseValue.toObject(globalObject);
+    RETURN_IF_EXCEPTION(scope, void());
     CodeBlock* codeBlock = callFrame->codeBlock();
     Structure* oldStructure = baseObject->structure(vm);
 
@@ -696,7 +697,8 @@ ALWAYS_INLINE static void definePrivateField(VM& vm, JSGlobalObject* globalObjec
     Identifier ident = Identifier::fromUid(vm, identifier.uid());
     ASSERT(ident.isPrivateName());
 
-    JSObject* baseObject = asObject(baseValue);
+    JSObject* baseObject = baseValue.toObject(globalObject);
+    RETURN_IF_EXCEPTION(scope, void());
     CodeBlock* codeBlock = callFrame->codeBlock();
     Structure* oldStructure = baseObject->structure(vm);
 
@@ -730,9 +732,10 @@ JSC_DEFINE_JIT_OPERATION(operationPutByIdDefinePrivateFieldStrictOptimize, void,
     CacheableIdentifier identifier = CacheableIdentifier::createFromRawBits(rawCacheableIdentifier);
     AccessType accessType = static_cast<AccessType>(stubInfo->accessType);
     JSValue value = JSValue::decode(encodedValue);
-    JSObject* baseObject = asObject(JSValue::decode(encodedBase));
-
-    definePrivateField(vm, globalObject, callFrame, baseObject, identifier, value, [=](VM& vm, CodeBlock* codeBlock, Structure* oldStructure, PutPropertySlot& putSlot, const Identifier& ident) {
+    JSValue baseValue = JSValue::decode(encodedBase);
+    
+    definePrivateField(vm, globalObject, callFrame, baseValue, identifier, value, [=](VM& vm, CodeBlock* codeBlock, Structure* oldStructure, PutPropertySlot& putSlot, const Identifier& ident) {
+        JSObject* baseObject = asObject(baseValue);
         LOG_IC((ICEvent::OperationPutByIdDefinePrivateFieldFieldStrictOptimize, baseObject->classInfo(vm), ident, putSlot.base() == baseObject));
 
         ASSERT_UNUSED(accessType, accessType == static_cast<AccessType>(stubInfo->accessType));
@@ -765,9 +768,10 @@ JSC_DEFINE_JIT_OPERATION(operationPutByIdSetPrivateFieldStrictOptimize, void, (J
     CacheableIdentifier identifier = CacheableIdentifier::createFromRawBits(rawCacheableIdentifier);
     AccessType accessType = static_cast<AccessType>(stubInfo->accessType);
     JSValue value = JSValue::decode(encodedValue);
-    JSObject* baseObject = asObject(JSValue::decode(encodedBase));
+    JSValue baseValue = JSValue::decode(encodedBase);
 
-    setPrivateField(vm, globalObject, callFrame, baseObject, identifier, value, [&](VM& vm, CodeBlock* codeBlock, Structure* oldStructure, PutPropertySlot& putSlot, const Identifier& ident) {
+    setPrivateField(vm, globalObject, callFrame, baseValue, identifier, value, [&](VM& vm, CodeBlock* codeBlock, Structure* oldStructure, PutPropertySlot& putSlot, const Identifier& ident) {
+        JSObject* baseObject = asObject(baseValue);
         LOG_IC((ICEvent::OperationPutByIdPutPrivateFieldFieldStrictOptimize, baseObject->classInfo(vm), ident, putSlot.base() == baseObject));
 
         ASSERT_UNUSED(accessType, accessType == static_cast<AccessType>(stubInfo->accessType));
@@ -1101,6 +1105,9 @@ JSC_DEFINE_JIT_OPERATION(operationPutPrivateNameOptimize, void, (JSGlobalObject*
     JSValue subscript = JSValue::decode(encodedSubscript);
     JSValue value = JSValue::decode(encodedValue);
 
+    auto baseObject = baseValue.toObject(globalObject);
+    RETURN_IF_EXCEPTION(scope, void());
+
     auto propertyName = subscript.toPropertyKey(globalObject);
     EXCEPTION_ASSERT(!scope.exception());
 
@@ -1149,7 +1156,6 @@ JSC_DEFINE_JIT_OPERATION(operationPutPrivateNameOptimize, void, (JSGlobalObject*
     // Private fields can only be accessed within class lexical scope
     // and class methods are always in strict mode
     const bool isStrictMode = true;
-    auto baseObject = asObject(baseValue);
     PutPropertySlot slot(baseObject, isStrictMode);
     if (putKind.isDefine())
         baseObject->definePrivateField(globalObject, propertyName, value, slot);
@@ -1170,6 +1176,9 @@ JSC_DEFINE_JIT_OPERATION(operationPutPrivateNameGeneric, void, (JSGlobalObject*
     JSValue subscript = JSValue::decode(encodedSubscript);
     JSValue value = JSValue::decode(encodedValue);
 
+    auto baseObject = baseValue.toObject(globalObject);
+    RETURN_IF_EXCEPTION(scope, void());
+
     auto propertyName = subscript.toPropertyKey(globalObject);
     EXCEPTION_ASSERT(!scope.exception());
 
@@ -1178,7 +1187,6 @@ JSC_DEFINE_JIT_OPERATION(operationPutPrivateNameGeneric, void, (JSGlobalObject*
     // Private fields can only be accessed within class lexical scope
     // and class methods are always in strict mode
     const bool isStrictMode = true;
-    auto baseObject = asObject(baseValue);
     PutPropertySlot slot(baseObject, isStrictMode);
     if (privateFieldPutKind.isDefine())
         baseObject->definePrivateField(globalObject, propertyName, value, slot);
@@ -2241,12 +2249,11 @@ ALWAYS_INLINE static JSValue getPrivateName(JSGlobalObject* globalObject, CallFr
     VM& vm = globalObject->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
 
-    baseValue.requireObjectCoercible(globalObject);
+    JSObject* base = baseValue.toObject(globalObject);
     RETURN_IF_EXCEPTION(scope, JSValue());
     auto fieldName = fieldNameValue.toPropertyKey(globalObject);
     RETURN_IF_EXCEPTION(scope, JSValue());
 
-    JSObject* base = baseValue.toObject(globalObject);
     PropertySlot slot(base, PropertySlot::InternalMethodType::GetOwnProperty);
     base->getPrivateField(globalObject, fieldName, slot);
     RETURN_IF_EXCEPTION(scope, JSValue());
diff --git a/Source/JavaScriptCore/jit/JITPropertyAccess.cpp b/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
@@ -380,6 +380,8 @@ void JIT::emit_op_put_private_name(const Instruction* currentInstruction)
     emitGetVirtualRegister(base, regT0);
     emitGetVirtualRegister(property, regT1);
 
+    emitJumpSlowCaseIfNotJSCell(regT0, base);
+
     PatchableJump fastPathJmp = patchableJump();
     addSlowCase(fastPathJmp);
     
diff --git a/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp b/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp
@@ -340,6 +340,7 @@ void JIT::emit_op_put_private_name(const Instruction* currentInstruction)
 
     emitLoad2(base, regT1, regT0, property, regT3, regT2);
 
+    emitJumpSlowCaseIfNotJSCell(base, regT1);
     PatchableJump fastPathJmp = patchableJump();
     addSlowCase(fastPathJmp);
 
diff --git a/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp b/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
diff --git a/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp b/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

Original file line number	Diff line number	Diff line change
`@@ -1907,7 +1907,6 @@ class FixupPhase : public Phase {`
`1907`	`1907`
`1908`	`1908`
`1909`	`1909`	`case PutPrivateName: {`
`1910`		`- fixEdge<CellUse>(node->child1());`
`1911`	`1910`	`fixEdge<SymbolUse>(node->child2());`
`1912`	`1911`	`break;`
`1913`	`1912`	`}`