Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 58336b9e2fcd6c2c769c4226ba8cd94474da9009
https://github.com/WebKit/WebKit/commit/58336b9e2fcd6c2c769c4226ba8cd94474da9009
Author: Sosuke Suzuki <[email protected]>
Date: 2026-03-08 (Sun, 08 Mar 2026)
Changed paths:
A JSTests/stress/array-flat-cross-realm-array-prototype.js
A JSTests/stress/array-flat-depth-zero-revoked-proxy.js
M Source/JavaScriptCore/runtime/ArrayPrototype.cpp
M Source/JavaScriptCore/runtime/JSArray.cpp
Log Message:
-----------
[JSC] Array#flat should skip IsArray at depth 0 and bail fast path for
DerivedArrayType
https://bugs.webkit.org/show_bug.cgi?id=309396
Reviewed by Yusuke Suzuki.
Two spec bugs were introduced in 546d47afe6:
1. flat(0) with a revoked Proxy element throws TypeError.
   FlattenIntoArray step 5.c.iv requires IsArray only when depth > 0.
   Short-circuit the check so isArray() is not called at depth 0.
2. fastFlat fails to flatten a cross-realm Array.prototype.
   isJSArray() checks ArrayType only, but Array.prototype has
   DerivedArrayType. Bail to the slow path for DerivedArrayType,
   matching the existing concat fast path check.
Tests: JSTests/stress/array-flat-cross-realm-array-prototype.js
       JSTests/stress/array-flat-depth-zero-revoked-proxy.js
* JSTests/stress/array-flat-cross-realm-array-prototype.js: Added.
(shouldBe):
* JSTests/stress/array-flat-depth-zero-revoked-proxy.js: Added.
(shouldBe):
(shouldBe.get let):
* Source/JavaScriptCore/runtime/ArrayPrototype.cpp:
(JSC::flatIntoArray):
* Source/JavaScriptCore/runtime/JSArray.cpp:
(JSC::calculateFlattenedLength):
Canonical link: https://commits.webkit.org/308887@main
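The first item in the log message, as an added plain-JavaScript illustration that is not code from the WebKit commit or its tests: FlattenIntoArray with IsArray evaluated only when depth > 0, beside the eager ordering that throws on a revoked Proxy at depth 0. The names `flattenIntoArray`, `checkIsArrayAtDepthZero`, `makeRevokedProxy`, `outcome` and `demo` are hypothetical, and the sample array is constructed.

```javascript
// Added illustration of FlattenIntoArray's evaluation order (not WebKit code).
// `checkIsArrayAtDepthZero` is a hypothetical switch that reproduces the
// eager IsArray call the log message describes as the bug.
function flattenIntoArray(target, source, depth, checkIsArrayAtDepthZero = false) {
  const len = source.length;
  for (let i = 0; i < len; i++) {
    if (!(i in source)) continue; // holes are skipped, as in Array#flat
    const element = source[i];
    // Array.isArray throws TypeError on a revoked Proxy, so the order of the
    // two operands is observable: the spec tests depth > 0 first.
    const shouldFlatten = checkIsArrayAtDepthZero
      ? Array.isArray(element) && depth > 0
      : depth > 0 && Array.isArray(element);
    if (shouldFlatten) {
      flattenIntoArray(target, element, depth - 1, checkIsArrayAtDepthZero);
    } else {
      target.push(element);
    }
  }
  return target;
}

function makeRevokedProxy() {
  const { proxy, revoke } = Proxy.revocable([], {});
  revoke();
  return proxy;
}

// Run fn and record either its value or the name of the error it threw.
function outcome(fn) {
  try { return { threw: false, value: fn() }; }
  catch (e) { return { threw: true, name: e.name }; }
}

function demo() {
  const revoked = makeRevokedProxy();
  const source = [1, revoked, [2, [3]]]; // constructed sample input
  return {
    revoked,
    specDepth0: outcome(() => flattenIntoArray([], source, 0)),
    eagerDepth0: outcome(() => flattenIntoArray([], source, 0, true)),
    specDepth1: outcome(() => flattenIntoArray([], source, 1)),
    // Result of the host engine's own Array#flat; depends on the engine.
    nativeDepth0: outcome(() => source.flat(0)),
  };
}

console.log(demo());
```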