From 57370704bffa6958a2f9b5531494e6931b25fc15 Mon Sep 17 00:00:00 2001
From: Alexey Shvayka <ashvayka@apple.com>
Date: Fri, 4 Aug 2023 08:37:09 -0700
Subject: [PATCH] 
 PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() should take
 non-reified static properties into account
 https://bugs.webkit.org/show_bug.cgi?id=255952 <rdar://108334411>

Reviewed by Yusuke Suzuki.

Currently, PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() is not checking the
structure's non-reified static properties against the condition. This can lead to incorrect analysis
of side effects: AbsenceOfSetEffect condition with a non-reified static setter is considered pure
even though a setter with arbitrary code can be invoked.

This patch fixes AbsenceOfSetEffect validity check for structures with non-reified static properties
while takes extra care to make the fix as precise as possible to avoid unnecessary slowdowns.

* LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash-expected.txt: Added.
* LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash.html: Added.
* Source/JavaScriptCore/bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):

Originally-landed-as: 259548.775@safari-7615-branch (ffe32d106cb2). rdar://113160398
Canonical link: https://commits.webkit.org/266582@main
---
 ...fied-event-isTrusted-ic-crash-expected.txt |  9 ++
 .../non-reified-event-isTrusted-ic-crash.html | 94 +++++++++++++++++++
 .../bytecode/PropertyCondition.cpp            |  8 ++
 3 files changed, 111 insertions(+)
 create mode 100644 LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash-expected.txt
 create mode 100644 LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash.html

diff --git a/LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash-expected.txt b/LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash-expected.txt
new file mode 100644
index 0000000000000..eb3bffc3bbeb9
--- /dev/null
+++ b/LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash-expected.txt
@@ -0,0 +1,9 @@
+No crash when property 'x' is assigned
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash.html b/LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash.html
new file mode 100644
index 0000000000000..b4b996d81be21
--- /dev/null
+++ b/LayoutTests/fast/dom/non-reified-event-isTrusted-ic-crash.html
@@ -0,0 +1,94 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src="../../resources/js-test.js"></script>
+<script>
+description("No crash when property 'x' is assigned");
+
+// This structure has a non-reified static property "isTrusted".
+const EVENT = new Event('a');
+
+
+function opt(use_event, proxy) {
+    let tmp = Object.create(null);
+    if (use_event)
+        tmp = Object.create(EVENT);
+
+    tmp.isTrusted = 1;  // Here the compiler expects that it'll transition but at runtime it'll fail due to the setter from EVENT.
+
+    tmp.a0 = 0x1111;
+    tmp.a1 = 0x2222;
+    tmp.a2 = 0x3333;
+    tmp.a3 = 0x4444;
+    tmp.a4 = 0x5555;
+    tmp.a5 = 0x6666;
+    
+    proxy.set_getter_on = tmp;
+
+    const value = tmp.a5;
+
+    return value;
+}
+
+
+function initialize() {
+    {
+        const object = Object.create(EVENT);
+        Object.defineProperty(object, 'isTrusted', {value: 1, writable: true, enumerable: true, configurable: true});
+
+        object.a0 = 1;
+        object.a1 = 1;
+        object.a2 = 1;
+        object.a3 = 1;
+        object.a4 = 1;
+        object.a5 = 1;
+    }
+
+    {
+        const object = Object.create(EVENT);
+
+        object.a0 = 1;
+        object.a1 = 1;
+        object.a2 = 1;
+        object.a3 = 1;
+        object.a4 = 1;
+        object.a5 = 1;
+    }
+}
+
+
+function main() {
+    const proxy = new Proxy({}, {
+        set: (object, property, value) => {
+            const tmp = {};
+            tmp[26] = 2.3023e-320;
+            value[26] = 1.1;
+
+            return true;
+        }
+    });
+
+    initialize();
+
+    for (let i = 0; i < 1000; i++) {
+        opt(/* use_event */ false, /* proxy */ 1.1);
+        opt(/* use_event */ true, /* proxy */ 1.1);
+    }
+    
+    if (window.testRunner)
+        testRunner.waitUntilDone();
+
+    setTimeout(() => {
+        const value = opt(/* use_event */ true, proxy);
+
+        // Should crash here.
+        value.x = 1234;
+
+        if (window.testRunner)
+            testRunner.notifyDone();
+    }, 100);
+}
+
+main();
+
+</script>
diff --git a/Source/JavaScriptCore/bytecode/PropertyCondition.cpp b/Source/JavaScriptCore/bytecode/PropertyCondition.cpp
index 028a54299f323..c8fba85099ae1 100644
--- a/Source/JavaScriptCore/bytecode/PropertyCondition.cpp
+++ b/Source/JavaScriptCore/bytecode/PropertyCondition.cpp
@@ -205,6 +205,14 @@ bool PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint(
             if (PropertyConditionInternal::verbose)
                 dataLog("Invalid because its put() override may treat ", uid(), " property as read-only.\n");
             return false;
+        } else if (structure->hasNonReifiedStaticProperties()) {
+            if (auto entry = structure->findPropertyHashEntry(uid())) {
+                if (entry->value->attributes() & (PropertyAttribute::ReadOnlyOrAccessorOrCustomAccessor | PropertyAttribute::CustomValue)) {
+                    if (PropertyConditionInternal::verbose)
+                        dataLog("Invalid because we expected not to have a setter, but we have one in non-reified static property table: ", uid(), ".\n");
+                    return false;
+                }
+            }
         }
 
         if (structure->hasPolyProto()) {