Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: f181acea44641a3c7ebfc1181b0deaf049466d62
      
https://github.com/WebKit/WebKit/commit/f181acea44641a3c7ebfc1181b0deaf049466d62
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-05-30 (Sat, 30 May 2026)

  Changed paths:
    A JSTests/stress/array-join-tostring-adds-indexed-prototype-property.js
    M Source/JavaScriptCore/runtime/ArrayPrototypeInlines.h

  Log Message:
  -----------
  [JSC] `Array.prototype.join` skips prototype element added during element toString
https://bugs.webkit.org/show_bug.cgi?id=315653

Reviewed by Yusuke Suzuki.

fastArrayJoin caches whether holes can be treated as empty strings in
holesKnownToBeOK so that it only checks holesMustForwardToPrototype once.
However, in the contiguous case, JSStringJoiner::append can run arbitrary
user code (e.g. an element's toString), which may add indexed properties
to the prototype chain. Since holesKnownToBeOK was not invalidated, holes
visited after such a side effect were still appended as empty strings
instead of forwarding to the prototype.

This is a regression from 296180@main, which started calling
JSStringJoiner::append in the contiguous fast path and continuing the
loop when the butterfly and length are unchanged. Before that, the fast
path bailed out to the general case via appendWithoutSideEffects before
running any user code, so holesKnownToBeOK could never become stale.

This change resets holesKnownToBeOK whenever append reports that it may
have executed user code, so the next hole re-checks
holesMustForwardToPrototype and falls back to the general case if needed.

Test: JSTests/stress/array-join-tostring-adds-indexed-prototype-property.js

* JSTests/stress/array-join-tostring-adds-indexed-prototype-property.js: Added.
(shouldBe):
(throw.new.Error):
(const.obj.toString):
* Source/JavaScriptCore/runtime/ArrayPrototypeInlines.h:
(JSC::fastArrayJoin):

Canonical link: https://commits.webkit.org/314210@main
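
The stale-flag pattern described in the log message, as an added example: a simplified JavaScript model, not JSC's C++ and not the test file added by this commit. The names `holesKnownToBeOK` and `holesMustForwardToPrototype` come from the message; `modelJoin`, `scenario` and the sample array are constructed for illustration.

```javascript
// Added illustration: a simplified model of the caching pattern, not JSC's C++.
// True when any object on the prototype chain has an own indexed property.
function holesMustForwardToPrototype(arr) {
  for (let p = Object.getPrototypeOf(arr); p; p = Object.getPrototypeOf(p)) {
    if (Object.getOwnPropertyNames(p).some((k) => String(k >>> 0) === k)) return true;
  }
  return false;
}

// invalidateAfterUserCode=false models the stale flag; true models the reset.
function modelJoin(arr, sep, invalidateAfterUserCode) {
  let holesKnownToBeOK = false;
  let out = '';
  const length = arr.length;
  for (let i = 0; i < length; i++) {
    if (i) out += sep;
    if (Object.prototype.hasOwnProperty.call(arr, i)) {
      const v = arr[i];
      if (v === undefined || v === null) continue;
      out += String(v); // may run user code (toString) for objects
      const ranUserCode = typeof v === 'object' || typeof v === 'function';
      if (ranUserCode && invalidateAfterUserCode) holesKnownToBeOK = false;
      continue;
    }
    if (!holesKnownToBeOK) {
      if (holesMustForwardToPrototype(arr)) {
        const v = arr[i]; // generic lookup walks the prototype chain
        if (v !== undefined && v !== null) out += String(v);
        continue;
      }
      holesKnownToBeOK = true; // cached: later holes skip the check
    }
    // hole appended as the empty string
  }
  return out;
}

// Constructed input: a hole is visited first (flag gets cached), then an
// element's toString adds Array.prototype[2], then a second hole follows.
function scenario(joinFn) {
  const obj = { toString() { Array.prototype[2] = 'fromProto'; return 'x'; } };
  const arr = [, obj, , 'z'];
  try {
    return joinFn(arr);
  } finally {
    delete Array.prototype[2]; // restore the global prototype
  }
}

console.log(scenario((a) => a.join(',')));            // engine under test
console.log(scenario((a) => modelJoin(a, ',', false))); // stale flag
console.log(scenario((a) => modelJoin(a, ',', true)));  // flag reset
```

Running `scenario` against an engine's built-in `join` doubles as a regression check: a conforming engine returns the value from the prototype for the second hole.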


