• mhahnenberg@apple.com's avatar
    tryCacheGetByID sets StructureStubInfo accessType to an incorrect value · d0be74de
    mhahnenberg@apple.com authored
    https://bugs.webkit.org/show_bug.cgi?id=114068
    
    Reviewed by Geoffrey Garen.
    
    In the case where we have a non-Value cacheable property, we set the StructureStubInfo accessType to 
    get_by_id_self, but then we don't patch self and instead patch in a get_by_id_self_fail. This leads to 
    incorrect profiling data so when the DFG compiles the function, it uses a GetByOffset rather than a GetById, 
    which leads to loading a GetterSetter directly out of an object.
    
    Source/JavaScriptCore: 
    
    * jit/JITStubs.cpp:
    (JSC::tryCacheGetByID):
    (JSC::DEFINE_STUB_FUNCTION):
    
    LayoutTests: 
    
    * fast/js/jit-set-profiling-access-type-only-for-get-by-id-self-expected.txt: Added.
    * fast/js/jit-set-profiling-access-type-only-for-get-by-id-self.html: Added.
    * fast/js/script-tests/jit-set-profiling-access-type-only-for-get-by-id-self.js: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@147816 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    d0be74de
JITStubs.cpp 125 KB