Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5551d9ec0813336b0daeedee986b101162d2d442
  https://github.com/WebKit/WebKit/commit/5551d9ec0813336b0daeedee986b101162d2d442
Author: Mark Lam <mark....@apple.com>
Date: 2022-11-04 (Fri, 04 Nov 2022)
Changed paths:
  M Source/JavaScriptCore/runtime/ArrayConstructor.cpp
  M Source/JavaScriptCore/runtime/JSGlobalObject.h

Log Message:
-----------
JSTests/stress/array-isarray-error-message.js fails when run with --useJIT=0.
https://bugs.webkit.org/show_bug.cgi?id=247480
<rdar://problem/101942000>

Reviewed by Yusuke Suzuki.

isArraySlowInline() was checking if a function is Object.prototype.toString by testing for function->intrinsic() == ObjectToStringIntrinsic. However, this only works when the JIT is enabled. When the JIT is disabled, function->intrinsic() is always NoIntrinsic.

The fix is to test function against globalObject->m_objectProtoToStringFunction instead. However, globalObject->m_objectProtoToStringFunction is a LazyProperty. We don't want this check to trigger the initialization of that LazyProperty, nor do we need to. Simply testing against its pointer value is sufficient. The only way the function can be Object.prototype.toString is if that LazyProperty has already been initialized. If it's not initialized yet, then function cannot be Object.prototype.toString.

To enable this test, we'll introduce JSGlobal::objectProtoToStringFunctionConcurrently().

This issue was discovered by running the JSTests/stress/array-isarray-error-message.js test with the JIT disabled.

* Source/JavaScriptCore/runtime/ArrayConstructor.cpp:
(JSC::isArraySlowInline):
* Source/JavaScriptCore/runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::objectProtoToStringFunctionConcurrently const):

Canonical link: https://commits.webkit.org/256314@main
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
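The two checks the commit message contrasts, as an added stand-alone illustration (this is not WebKit's code; `Function`, `LazyProperty`, `GlobalObject`, `getConcurrently()` and the scenario functions are hypothetical stand-ins for JSC's types and are assumed here). The intrinsic tag is only attached when a JIT is present, so a check on it silently fails with the JIT off; the identity check reads the lazy slot's pointer without initializing it, and a null slot means the candidate cannot be the lazily created function.

```cpp
// Added illustration, not WebKit's code. Models the two checks from the commit
// message: an intrinsic tag that only exists when a JIT is enabled, versus an
// identity comparison against a lazily created property that is read without
// initializing it. All names here are hypothetical stand-ins for JSC's.
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <utility>

enum class Intrinsic { NoIntrinsic, ObjectToStringIntrinsic };

struct Function {
    std::string name;
    Intrinsic intrinsic;
    Function(std::string n, Intrinsic i) : name(std::move(n)), intrinsic(i) {}
};

// Minimal LazyProperty: get() materializes on first use; getConcurrently() only
// reads the stored pointer and never initializes (nullptr until someone called get()).
template <typename T>
class LazyProperty {
public:
    using Initializer = std::function<std::unique_ptr<T>()>;
    explicit LazyProperty(Initializer init) : m_init(std::move(init)) {}

    T* get() {
        if (!m_value) {
            m_value = m_init();
            ++m_initCount;
        }
        return m_value.get();
    }
    T* getConcurrently() const { return m_value.get(); }
    int initCount() const { return m_initCount; }

private:
    Initializer m_init;
    std::unique_ptr<T> m_value;
    int m_initCount = 0;
};

struct GlobalObject {
    bool jitEnabled;
    LazyProperty<Function> objectProtoToString;

    explicit GlobalObject(bool jit)
        : jitEnabled(jit)
        , objectProtoToString([jit] {
            // Without a JIT the intrinsic tag is never attached (mirrors NoIntrinsic).
            return std::make_unique<Function>("Object.prototype.toString",
                jit ? Intrinsic::ObjectToStringIntrinsic : Intrinsic::NoIntrinsic);
        })
    {}
};

// The pre-fix style of check: only meaningful when the JIT attached the intrinsic.
bool isObjectProtoToStringByIntrinsic(const Function* fn) {
    return fn->intrinsic == Intrinsic::ObjectToStringIntrinsic;
}

// The post-fix style of check: pointer identity against the lazy slot, read without
// initializing it. A null slot means fn cannot be Object.prototype.toString.
bool isObjectProtoToStringByIdentity(const GlobalObject& global, const Function* fn) {
    const Function* lazy = global.objectProtoToString.getConcurrently();
    return lazy && fn == lazy;
}

// JIT-disabled scenario. Returns true when: the identity check before initialization
// rejects a foreign function without creating the property; after initialization the
// intrinsic check still fails but the identity check succeeds; and no check ever
// initialized the property a second time.
bool runNoJitScenario() {
    GlobalObject global(/* jit */ false);
    Function other("Array.prototype.toString", Intrinsic::NoIntrinsic);

    if (isObjectProtoToStringByIdentity(global, &other)) return false;
    if (global.objectProtoToString.initCount() != 0) return false;   // not triggered

    Function* real = global.objectProtoToString.get();               // first real use creates it
    if (global.objectProtoToString.initCount() != 1) return false;

    if (isObjectProtoToStringByIntrinsic(real)) return false;        // broken without a JIT
    if (!isObjectProtoToStringByIdentity(global, real)) return false; // fixed check
    if (isObjectProtoToStringByIdentity(global, &other)) return false;
    return global.objectProtoToString.initCount() == 1;
}

// With the JIT on, both checks agree once the property exists.
bool runJitScenario() {
    GlobalObject global(/* jit */ true);
    Function* real = global.objectProtoToString.get();
    return isObjectProtoToStringByIntrinsic(real)
        && isObjectProtoToStringByIdentity(global, real);
}

int main() {
    std::printf("no-JIT scenario: %s\n", runNoJitScenario() ? "ok" : "FAILED");
    std::printf("JIT scenario:    %s\n", runJitScenario() ? "ok" : "FAILED");
    return 0;
}
```

The `initCount()` checks are the point of the `Concurrently` accessor: a predicate that merely asks "is this pointer the lazily created function?" must not be the thing that creates it, both to avoid side effects on a hot path and because a reader that may race with initialization should only ever observe the slot, never fill it.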