Fix Issue#3064/#3423: Cache conflicts in super property access

[suwc]

Accesses to super properties are cached on 'this' object (vs. the
"super" object), causing conflict between e.g. super.x and this.x.
Similar conflicts cause Issue#3423 for GetProperty cases.
Fix by adding 'isSuper' flag to use appropriate object for caching.

Fixes #3064, Fixes #3423

[suwc]

Addresses #3064

[suwc]

@Microsoft/chakra-developers @Microsoft/chakra-es please review. Thanks!

[curtisman]

Huh? prototypeObjectWithProperty should never be the propertyObject itself. Otherwise, we will not hit the "proto" inline cache and have prototypeObjectWithProperty not null. There is probably something else wrong.

[pleath]

@suwc , as we discussed, I think we're probably abusing the cache on a byte code level. I'll make some time to investigate today. If that's the case, then we want to fix the code gen rather than working around it in the cache logic.

[suwc]

The TypePropertyCache can be populated in multiple occasions. In this repro case, calls to “super.x” go through these lines in GetProperty_Internal():

 PropertyValueInfo::Set(info, requestContext->GetLibrary()->GetMissingPropertyHolder(), 0); CacheOperators::CachePropertyRead(instance, requestContext->GetLibrary()->GetMissingPropertyHolder(), isRoot, propertyId, true, info, requestContext); 

Now that the cache is populated with requestContext->GetLibrary()->GetMissingPropertyHolder() as “prototypeObjectWithProperty”, next call to “this.x” (having same “instance”) will be a cache hit (with prototypeObjectWithProperty != nullptr), whereas it should be a cache miss + update.

---

In reply to: 127714797 [](ancestors = 127714797)

[pleath]

Yes, as I thought, the byte code gen for super.x is misusing the inline caches. So let's apply a fix there rather than in the cache logic. We can discuss offline.

[suwc]

@dotnet-bot test Ubuntu _no_jit_shared_ubuntu_linux_test

[curtisman]

I think this should always be propertyObject......

[suwc]

@curtisman I don't have an example where caching on instance is more appropriate when propertyObject != instance. When a super property ("super.x") exists in super object's prototype (vs. the super object itself), it is distinguished by object != prototypeObject. It would be simpler if we can go without 'isSuper'.

@pleath am I missing something?

[curtisman]

You should be able to find all the cases that caching on the instance is wrong and create test cases for them

[pleath]

If we can prove that there's no case where propertyObject != instance, and where we want to cache based on instance, or where the fact that propertyObject !=instance is our indication that we have a prototype access, then going without isSuper seems fine. The only case I can think of is where instance is a tagged number, and in that case it seems fine to cache as a local access to Number.prototype (which will be propertyObject, right?).

[pleath]

(All of which means that the logic we've had since IE9 is subtly wrong, but in a way that never mattered until super was implemented. That may be true, but it would be nice to prove it.)

[suwc]

Besides super property access, other cases where propertyObject != instance are following:

1. instance is proxy, propertyObject is target object
2. instance is number, propertyObject is Number.prototype
3. instance is boolean, propertyObject is Boolean.prototype

By design, 1) does not cache property access (confirmed) because underlying target object can mutate without proxy knowing it.

2. and 3) are justified to cache on their prototype (propertyObject).

---

In reply to: 130143456 [](ancestors = 130143456)

[akroshg]

so what is a state on this PR?

[pleath]

A simpler fix along the lines of what Curtis suggests seems possible, but we want to do some work to confirm that.

[suwc]

Besides super property access, other cases where propertyObject != instance are following:

1. instance is proxy, propertyObject is target object
2. instance is number, propertyObject is Number.prototype
3. instance is boolean, propertyObject is Boolean.prototype

By design, 1) does not cache property access (confirmed) because underlying target object can mutate without proxy knowing it.

2. and 3) are justified to cache on their prototype (propertyObject).

[pleath]

Yes, I would prefer to profile LdSuperFld. It seems best to let it participate in this optimization. If there's a reason we can't do that, I'd prefer to use some kind of general check on the opcode attributes rather than special-casing for this opcode. #Pending

[pleath]

Curious...is there a reason for the name change? I kind of like the generic name better than one that suggests this is only for super. But I could be convinced. #Resolved

[suwc]

This is just a wrapper. I renamed the generic version to "PatchGetValueHelper" and hid it from JIT, in order to have (current and future) flexibility of adding, changing, or removing a parameter without JIT impact. Same goes for other helper functions. JIT doesn't need to deal with these.

---

In reply to: 132067176 [](ancestors = 132067176)

[pleath]

Well, the JIT isn't really a factor. I'm just wondering why we wouldn't go with a generic name -- or, specifically, why we would change from using a generic name to using a less portable one. Can we revert this?

[pleath]

Again, I generally prefer a generic name. #Pending

[suwc]

Although this so far is used only for super, I can see a point for leaving it in a generic name here. I will revert it to the old name.

---

In reply to: 132067519 [](ancestors = 132067519)

[suwc]

@pleath, latest iteration made LdSuperFld & StSuperFld ProfiledInstr. Also reverted name changes in bytecode emitter to remain generic.

[pleath]

Ditto for these name changes. The existing names are preferable, IMO, because they describe what the method does and don't create the impression that the methods are necessarily limited to one opcode.

[suwc]

@pleath, I reverted the name change. Thanks!

[pleath]

Awesome. Thanks. That leaves us with a nice, simple-looking change.