Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3876c27e9c0141b04e33915c34500235bd4fb8a6
https://github.com/WebKit/WebKit/commit/3876c27e9c0141b04e33915c34500235bd4fb8a6
Author: Kai Tamkun <[email protected]>
Date: 2026-05-11 (Mon, 11 May 2026)
Changed paths:
A JSTests/stress/set-spread-after-setPrototypeOf.js
M Source/JavaScriptCore/dfg/DFGOperations.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
[JSC] Set spread in DFG/FTL missing per-instance prototype check
https://bugs.webkit.org/show_bug.cgi?id=312685
rdar://175083041

Reviewed by Yusuke Suzuki.

This patch adds code to DFG & FTL to detect whether a Set to be spread
has had its prototype or structure changed and take the slow path if so.
The check is skipped if the structure is already known to be valid.

Thanks to Junyoung Park (@candymate) of KAIST Hacking Lab for the fix.

Test: JSTests/stress/set-spread-after-setPrototypeOf.js

* JSTests/stress/set-spread-after-setPrototypeOf.js: Added.
(spreadSet):
(catch):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileSpread):
Canonical link: https://commits.webkit.org/313031@main