-
rniwa@webkit.org authored
https://bugs.webkit.org/show_bug.cgi?id=125377 Reviewed by Filip Pizlo. PerformanceTests: Added a micro-benchmark for updating a named property on document. * Bindings/update-name-getter.html: Added. * Skipped: Source/JavaScriptCore: The bug was caused by JSC not JIT'ing property access on "document" due to its type info having HasImpureGetOwnPropertySlot flag. Fixed the bug by new type info flag NewImpurePropertyFiresWatchpoints, which allows the baseline JIT to generate byte code for access properties on an object with named properties (a.k.a. custom name getter) in DOM. When a new named property appears on the object, VM is notified via VM::addImpureProperty and fires StructureStubClearingWatchpoint added during the repatch. * bytecode/GetByIdStatus.cpp: (JSC::GetByIdStatus::computeFromLLInt): Take the slow path if we have any object with impure properties in the prototype chain. (JSC::GetByIdStatus::computeForChain): Ditto. * jit/Repatch.cpp...
1293295f