Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 9b1a02808762de105ee583bfe81c8535d498bfe7
https://github.com/WebKit/WebKit/commit/9b1a02808762de105ee583bfe81c8535d498bfe7
Author: Shu-yu Guo <[email protected]>
Date: 2026-04-21 (Tue, 21 Apr 2026)
Changed paths:
A JSTests/stress/megamorphic-cache-super-property.js
M Source/JavaScriptCore/jit/JITOperations.cpp
Log Message:
-----------
[JSC] Fix megamorphic IC ownProperty check
https://bugs.webkit.org/show_bug.cgi?id=312681
rdar://175079685
Reviewed by Yusuke Suzuki.
309095@main introduced a bug where megamorphic ICs' ownProperty check was
changed from `slot.slotBase() == baseObject` to `slot.slotBase() == thisValue`.
This broke the IC for super property access and this PR fixes that by checking
against baseValue.
Note that for the String optimization from 309095@main, checking == baseObject
(i.e. reverting the == thisValue change) is incorrect. The intention is to make
the megamorphic IC load properties directly from String.prototype. baseObject
in the String case *is* String.prototype, so == baseObject would mark it as an
ownProperty, meaning the megamorphic IC would not go down the fast path of
loading directly from the prototype. baseValue, in contrast, is the String
itself.
Test: JSTests/stress/megamorphic-cache-super-property.js
* JSTests/stress/megamorphic-cache-super-property.js: Added.
(makeProtoObject):
(readProp):
(Base.prototype.readSuper):
(Base):
* Source/JavaScriptCore/jit/JITOperations.cpp:
(JSC::getByIdMegamorphic):
Canonical link: https://commits.webkit.org/311692@main
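The commit message distinguishes the receiver of a property read (thisValue) from the object the lookup starts at (baseValue); for `super.x` those are different objects, which is why an ownProperty check keyed on the receiver fails. The script below is an added illustration written for this page, not the WebKit test file or JSC code: it builds many differently shaped prototypes so that one read site sees many structures, reads `super.x` through a getter, and checks that the getter runs with the instance as `this` even though the property lives on the prototype. Names (`makeProtoObject`, `Base.readSuper`, `superReadsAreConsistent`) are chosen here and only echo the test's function names; the script runs on any engine and does not exercise JSC's inline cache itself.

```javascript
// Added example, not from the WebKit commit or its test file.
// Build prototype objects with many different shapes so that a property
// read at one site observes many structures (a "megamorphic" site).
function makeProtoObject(i) {
  const proto = {};
  // i distinct padding properties before `x` make each shape unique.
  for (let j = 0; j < i; j++) proto["pad" + j] = j;
  // A getter lets us observe which object was the receiver (`this`).
  Object.defineProperty(proto, "x", {
    get() { return { receiver: this, value: i }; },
    configurable: true,
  });
  return proto;
}

class Base {
  // `super.x` starts the lookup at the prototype of Base.prototype (the
  // lookup base), but calls the getter with the instance as `this`
  // (the receiver). The two are never the same object here.
  readSuper() { return super.x; }
}

// Rewire the super lookup chain to each constructed prototype in turn and
// read `super.x` repeatedly from the same site. Returns true when every
// read resolves on the prototype and is delivered with the instance as
// receiver, i.e. the behaviour a correct ownProperty check must preserve.
function superReadsAreConsistent(count) {
  const protos = [];
  for (let i = 0; i < count; i++) protos.push(makeProtoObject(i));
  for (let round = 0; round < 3; round++) {
    for (let i = 0; i < count; i++) {
      Object.setPrototypeOf(Base.prototype, protos[i]);
      const obj = new Base();
      const r = obj.readSuper();
      // Receiver is the instance; the value proves lookup hit protos[i].
      if (r.receiver !== obj || r.value !== i) return false;
      // `x` is not an own property of the receiver: it belongs to the
      // lookup base, so comparing the slot base against `this` is wrong.
      if (Object.prototype.hasOwnProperty.call(obj, "x")) return false;
      if (!Object.prototype.hasOwnProperty.call(protos[i], "x")) return false;
    }
  }
  return true;
}
```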