[GR-44414] Fix Nashorn test failing in shared-engine mode.

Author: woess

graal-js/src/com.oracle.truffle.js/src/com/oracle/truffle/js/nodes/access/PropertyCacheNode.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * The Universal Permissive License (UPL), Version 1.0
@@ -82,6 +82,7 @@
 import com.oracle.truffle.js.runtime.objects.JSObject;
 import com.oracle.truffle.js.runtime.objects.JSProperty;
 import com.oracle.truffle.js.runtime.objects.JSShape;
+import com.oracle.truffle.js.runtime.objects.Null;
 import com.oracle.truffle.js.runtime.objects.Undefined;
 import com.oracle.truffle.js.runtime.util.DebugCounter;
 
@@ -519,6 +520,8 @@ public TraversePrototypeChainShapeCheckNode(Shape shape, JSDynamicObject thisObj
                 protoShapes[i] = depthShape;
                 getPrototypeNodes[i] = GetPrototypeNode.create();
             }
+
+            traversePrototypeChainShapeCheckCount.inc();
         }
 
         @ExplodeLoop
@@ -592,6 +595,8 @@ public TraversePrototypeShapeCheckNode(Shape shape, JSDynamicObject thisObj) {
             super(shape);
             this.protoShape = JSObject.getPrototype(thisObj).getShape();
             this.getPrototypeNode = GetPrototypeNode.create();
+
+            traversePrototypeShapeCheckCount.inc();
         }
 
         @Override
@@ -977,14 +982,14 @@ protected T createSpecialization(Object thisObj, T currentHead, int cachedCount,
         T specialized = null;
 
         JSDynamicObject store = null;
-        if (JSDynamicObject.isJSDynamicObject(thisObj)) {
+        if (JSObject.isJSObject(thisObj)) {
             if ((!JSAdapter.isJSAdapter(thisObj) && !JSProxy.isJSProxy(thisObj)) || key instanceof HiddenKey) {
                 store = (JSDynamicObject) thisObj;
             }
         } else if (JSRuntime.isForeignObject(thisObj)) {
             assert !JSDynamicObject.isJSDynamicObject(thisObj);
             specialized = createTruffleObjectPropertyNode();
-        } else {
+        } else if (!JSRuntime.isNullOrUndefined(thisObj)) {
             store = wrapPrimitive(thisObj);
         }
 
@@ -1035,11 +1040,18 @@ protected T createSpecialization(Object thisObj, T currentHead, int cachedCount,
             }
 
             store = (JSDynamicObject) JSRuntime.toJavaNull(JSObject.getPrototype(store));
-            if (store != null) {
-                depth++;
-            }
+            depth++;
         }
 
+        // <depth>: number of prototypes to check to validate the property access.
+        // If isOwnProperty(), or <thisObj> is a proxy or nullish value, depth is always 0.
+        // If the property is present, <depth> points to the object that has the property:
+        // e.g. depth == 1 for obj0:{a} -> proto1:{b} -> proto2:{c} -> null, with key "b".
+        // If there's a proxy in the prototype chain, we always stop counting there:
+        // e.g. depth == 1 for obj0 -> proxy1 -> proto2 -> null.
+        // If the property is absent, <depth> includes the final null prototype:
+        // e.g. depth == 3 for obj0 -> proto1 -> proto2 -> null.
+
         if (specialized == null) {
             specialized = createUndefinedPropertyNode(thisObj, thisObj, depth, value);
         }
@@ -1239,8 +1251,6 @@ protected static final JSDynamicObject wrapPrimitive(Object thisObject) {
     protected final AbstractShapeCheckNode createShapeCheckNode(Shape shape, JSDynamicObject thisObj, int depth, boolean isConstantObjectFinal, boolean isDefine) {
         if (depth == 0) {
             return createShapeCheckNodeDepth0(shape, thisObj, isConstantObjectFinal, isDefine);
-        } else if (depth == 1) {
-            return createShapeCheckNodeDepth1(shape, thisObj, depth, isConstantObjectFinal);
         } else {
             return createShapeCheckNodeDeeper(shape, thisObj, depth, isConstantObjectFinal);
         }
@@ -1257,41 +1267,71 @@ private AbstractShapeCheckNode createShapeCheckNodeDepth0(Shape shape, JSDynamic
         }
     }
 
-    private AbstractShapeCheckNode createShapeCheckNodeDepth1(Shape shape, JSDynamicObject thisObj, int depth, boolean isConstantObjectFinal) {
-        assert depth == 1;
-        if (JSConfig.SkipPrototypeShapeCheck && prototypesInShape(thisObj, depth) && propertyAssumptionsValid(thisObj, depth, isConstantObjectFinal)) {
-            return isConstantObjectFinal
-                            ? ConstantObjectPrototypeChainShapeCheckNode.create(shape, thisObj, key, depth, getContext())
-                            : PrototypeShapeCheckNode.create(shape, thisObj, key, depth, getContext());
+    private AbstractShapeCheckNode createShapeCheckNodeDeeper(Shape shape, JSDynamicObject thisObj, int depth, boolean isConstantObjectFinal) {
+        assert depth >= 1;
+        JSDynamicObject protoAtDepth = getPrototypeAtDepth(thisObj, depth);
+        boolean allPrototypesInShape = prototypesInShape(thisObj, 0, depth);
+        if (JSConfig.SkipPrototypeShapeCheck && allPrototypesInShape && propertyAssumptionsValid(thisObj, depth, isConstantObjectFinal)) {
+            if (isConstantObjectFinal) {
+                return ConstantObjectPrototypeChainShapeCheckNode.create(shape, thisObj, key, depth, getContext());
+            } else if (depth == 1) {
+                return PrototypeShapeCheckNode.create(shape, thisObj, key, depth, getContext());
+            } else {
+                return PrototypeChainShapeCheckNode.create(shape, thisObj, key, depth, getContext());
+            }
         } else {
-            traversePrototypeShapeCheckCount.inc();
-            return new TraversePrototypeShapeCheckNode(shape, thisObj);
+            /*
+             * If we're checking that a property is absent, we must check all the way down including
+             * the final null prototype, so as to not miss any prototype change.
+             *
+             * However, the last prototype link to null is typically from either Object.prototype
+             * (an immutable prototype exotic object) or another object with a constant-prototype
+             * shape, in which case we can skip the final prototype == null check, since setting a
+             * different prototype is either not allowed or would result in a shape change, and
+             * we're already checking the shape of that last prototype object anyway.
+             */
+            int checkedDepth = depth;
+            if (protoAtDepth == Null.instance && (allPrototypesInShape || prototypesInShape(thisObj, depth - 1, depth))) {
+                checkedDepth--;
+            }
+            return createTraversePrototypeShapeCheck(shape, thisObj, checkedDepth);
         }
     }
 
-    private AbstractShapeCheckNode createShapeCheckNodeDeeper(Shape shape, JSDynamicObject thisObj, int depth, boolean isConstantObjectFinal) {
-        assert depth > 1;
-        if (JSConfig.SkipPrototypeShapeCheck && prototypesInShape(thisObj, depth) && propertyAssumptionsValid(thisObj, depth, isConstantObjectFinal)) {
-            return isConstantObjectFinal
-                            ? ConstantObjectPrototypeChainShapeCheckNode.create(shape, thisObj, key, depth, getContext())
-                            : PrototypeChainShapeCheckNode.create(shape, thisObj, key, depth, getContext());
-        } else {
-            traversePrototypeChainShapeCheckCount.inc();
-            return new TraversePrototypeChainShapeCheckNode(shape, thisObj, depth);
+    private static AbstractShapeCheckNode createTraversePrototypeShapeCheck(Shape shape, JSDynamicObject thisObj, int depth) {
+        if (depth == 0) {
+            return new ShapeCheckNode(shape);
+        } else if (depth == 1) {
+            return new TraversePrototypeShapeCheckNode(shape, thisObj);
         }
+        return new TraversePrototypeChainShapeCheckNode(shape, thisObj, depth);
     }
 
-    protected static boolean prototypesInShape(JSDynamicObject thisObj, int depth) {
+    protected static boolean prototypesInShape(JSDynamicObject thisObj, int start, int end) {
         JSDynamicObject depthObject = thisObj;
-        for (int i = 0; i < depth; i++) {
-            if (!JSShape.isPrototypeInShape(depthObject.getShape())) {
+        for (int i = 0; i < end; i++) {
+            assert depthObject != Null.instance && !JSProxy.isJSProxy(depthObject) : depthObject;
+            if (i >= start && !JSShape.isPrototypeInShape(depthObject.getShape())) {
                 return false;
             }
+            if (i + 1 >= end) {
+                // no need to get the prototype if we're about to exit the loop
+                break;
+            }
             depthObject = JSObject.getPrototype(depthObject);
         }
         return true;
     }
 
+    protected static JSDynamicObject getPrototypeAtDepth(JSDynamicObject thisObj, int depth) {
+        JSDynamicObject depthObject = thisObj;
+        for (int i = 0; i < depth; i++) {
+            assert depthObject != Null.instance && !JSProxy.isJSProxy(depthObject) : depthObject;
+            depthObject = JSObject.getPrototype(depthObject);
+        }
+        return depthObject;
+    }
+
     protected final boolean propertyAssumptionsValid(JSDynamicObject thisObj, int depth, boolean checkDepth0) {
         if (!getContext().isSingleRealm()) {
             return false;
@@ -1302,12 +1342,13 @@ protected final boolean propertyAssumptionsValid(JSDynamicObject thisObj, int de
             return false;
         }
         for (int i = 0; i < depth; i++) {
+            assert depthObject != Null.instance;
             if ((depth != 0 || checkDepth0) && !JSShape.getPrototypeAssumption(depthShape).isValid()) {
                 return false;
             }
             depthObject = JSObject.getPrototype(depthObject);
             depthShape = depthObject.getShape();
-            if (!JSShape.getPropertyAssumption(depthShape, key, true).isValid()) {
+            if (depthObject != Null.instance && !JSShape.getPropertyAssumption(depthShape, key, true).isValid()) {
                 return false;
             }
         }
@@ -1321,10 +1362,16 @@ protected final ReceiverCheckNode createPrimitiveReceiverCheck(Object thisObj, i
         } else {
             assert JSRuntime.isJSPrimitive(thisObj) || thisObj instanceof Long;
             JSDynamicObject wrapped = wrapPrimitive(thisObj);
-            if (JSConfig.SkipPrototypeShapeCheck && prototypesInShape(wrapped, depth) && propertyAssumptionsValid(wrapped, depth, false)) {
+            JSDynamicObject protoAtDepth = getPrototypeAtDepth(wrapped, depth);
+            boolean allPrototypesInShape = prototypesInShape(wrapped, 0, depth);
+            if (JSConfig.SkipPrototypeShapeCheck && allPrototypesInShape && propertyAssumptionsValid(wrapped, depth, false)) {
                 return ValuePrototypeChainCheckNode.create(valueClass, wrapped.getShape(), wrapped, key, depth, context);
             } else {
-                return new TraverseValuePrototypeChainCheckNode(valueClass, wrapped.getShape(), wrapped, depth, JSObject.getJSClass(wrapped));
+                int checkedDepth = depth;
+                if (protoAtDepth == Null.instance && (allPrototypesInShape || prototypesInShape(wrapped, depth - 1, depth))) {
+                    checkedDepth--;
+                }
+                return new TraverseValuePrototypeChainCheckNode(valueClass, wrapped.getShape(), wrapped, checkedDepth, JSObject.getJSClass(wrapped));
             }
         }
     }

graal-js/src/com.oracle.truffle.js/src/com/oracle/truffle/js/nodes/access/PropertyGetNode.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * The Universal Permissive License (UPL), Version 1.0
@@ -1924,7 +1924,7 @@ private boolean isEligibleForFinalSpecialization(Shape cacheShape, JSDynamicObje
         if (depth == 0) {
             return (JSConfig.SkipFinalShapeCheck && isPropertyAssumptionCheckEnabled() && JSShape.getPropertyAssumption(cacheShape, key).isValid());
         } else {
-            return (prototypesInShape(thisObj, depth) && propertyAssumptionsValid(thisObj, depth, isConstantObjectFinal));
+            return (prototypesInShape(thisObj, 0, depth) && propertyAssumptionsValid(thisObj, depth, isConstantObjectFinal));
         }
     }
 

graal-js/test/testNashorn.json

@@ -481,13 +481,6 @@
   }, {
     "filePath" : "basic/JDK-8133119.js",
     "status" : "FAIL"
-  }, {
-    "filePath" : "basic/JDK-8134569.js",
-    "status" : "PASS",
-    "statusOverrides" : {
-      "SHARED_ENGINE" : "FAIL"
-    },
-    "comment" : "Currently failing in shared-engine mode (GR-44414)"
   }, {
     "filePath" : "basic/JDK-8134609.js",
     "status" : "FAIL"