[webkit-changes] [WebKit/WebKit] 66b613: [JSC] `matchAll` fast path should not skip `Specie...

Tue, 02 Jun 2026 03:53:26 -0700 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 66b61320dbd7f563dc08e6c83ed9c78bd7be69ef
      
https://github.com/WebKit/WebKit/commit/66b61320dbd7f563dc08e6c83ed9c78bd7be69ef
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-06-02 (Tue, 02 Jun 2026)

  Changed paths:
    A JSTests/stress/string-prototype-matchall-species-constructor.js
    M Source/JavaScriptCore/runtime/RegExpObjectInlines.h

  Log Message:
  -----------
  [JSC] `matchAll` fast path should not skip `SpeciesConstructor` when RegExp 
species watchpoint is invalidated
https://bugs.webkit.org/show_bug.cgi?id=316047

Reviewed by Yusuke Suzuki.

RegExp.prototype[@@matchAll] is required to call SpeciesConstructor(R, 
%RegExp%),
which reads R.constructor (and C[@@species]) observably. However,
RegExpObject::isSymbolMatchAllFastAndNonObservable() only checked
regExpPrimordialPropertiesWatchpointSet and stringSymbolMatchAllWatchpointSet,
and did not check regExpSpeciesWatchpointSet, unlike the neighboring
isSymbolSplitFastAndNonObservable(). As a result, after replacing
RegExp.prototype.constructor, the C++ fast paths for String.prototype.matchAll
and RegExp.prototype[@@matchAll] kept ignoring the override: a custom species
constructor was never invoked, and a non-object constructor did not throw the
spec-required TypeError.

    RegExp.prototype.constructor = 5;
    "x".matchAll(/y/g); // Should throw TypeError, but did not.

This patch adds the missing regExpSpeciesWatchpointSet check to the predicate,
following the precedent of isSymbolSplitFastAndNonObservable(). This guards all
fast-path call sites: stringProtoFuncMatchAll, stringMatchAllSlow, and
regExpProtoFuncMatchAll.

Test: JSTests/stress/string-prototype-matchall-species-constructor.js

* JSTests/stress/string-prototype-matchall-species-constructor.js: Added.
(shouldBe):
(shouldThrow):
(matchAllToArray):
(RegExp.prototype.Symbol.species):
* Source/JavaScriptCore/runtime/RegExpObjectInlines.h:
(JSC::RegExpObject::isSymbolMatchAllFastAndNonObservable):

Canonical link: https://commits.webkit.org/314355@main



To unsubscribe from these emails, change your notification settings at 
https://github.com/WebKit/WebKit/settings/notifications

Reply via email to