    REGRESSION: 2x regression on Dromaeo DOM query tests · 1293295f
    rniwa@webkit.org authored
    https://bugs.webkit.org/show_bug.cgi?id=125377
    
    Reviewed by Filip Pizlo.
    
    PerformanceTests:
    
    Added a micro-benchmark for updating a named property on document.
    
    * Bindings/update-name-getter.html: Added.
    * Skipped:
    
    Source/JavaScriptCore:
    
    The bug was caused by JSC not JIT'ing property access on "document" due to its type info having
    the HasImpureGetOwnPropertySlot flag.
    
    Fixed the bug by adding a new type info flag, NewImpurePropertyFiresWatchpoints, which allows the
    baseline JIT to generate byte code for accessing properties on an object with named properties
    (a.k.a. custom name getter) in DOM. When a new named property appears on the object, the VM is
    notified via VM::addImpureProperty and fires StructureStubClearingWatchpoint added during the repatch.
    
    * bytecode/GetByIdStatus.cpp:
    (JSC::GetByIdStatus::computeFromLLInt): Take the slow path if we have any object with impure
    properties in the prototype chain.
    (JSC::GetByIdStatus::computeForChain): Ditto.
    
    * jit/Repatch.cpp...