[webkit-changes] [WebKit/WebKit] 5551d9: JSTests/stress/array-isarray-error-message.js fail...

EWS noreply at github.com
Fri Nov 4 02:17:14 PDT 2022


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 5551d9ec0813336b0daeedee986b101162d2d442
      https://github.com/WebKit/WebKit/commit/5551d9ec0813336b0daeedee986b101162d2d442
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2022-11-04 (Fri, 04 Nov 2022)

  Changed paths:
    M Source/JavaScriptCore/runtime/ArrayConstructor.cpp
    M Source/JavaScriptCore/runtime/JSGlobalObject.h

  Log Message:
  -----------
  JSTests/stress/array-isarray-error-message.js fails when run with --useJIT=0.
https://bugs.webkit.org/show_bug.cgi?id=247480
<rdar://problem/101942000>

Reviewed by Yusuke Suzuki.

isArraySlowInline() was checking if a function is Object.prototype.toString by testing for
function->intrinsic() == ObjectToStringIntrinsic.  However, this only works when the JIT is enabled.
When the JIT is disabled, function->intrinsic() is always NoIntrinsic.

The fix is to test function against globalObject->m_objectProtoToStringFunction instead.  However,
globalObject->m_objectProtoToStringFunction is a LazyProperty.  We don't want this check to trigger
the initialization of that LazyProperty, nor do we need to.  Simply testing against its pointer value
is sufficient.  The only way the function can be Object.prototype.toString is if that LazyProperty
has already been initialized.  If it's not initialized yet, then function cannot be
Object.prototype.toString.  To enable this test, we'll introduce
JSGlobal::objectProtoToStringFunctionConcurrently().

This issue was discovered by running the JSTests/stress/array-isarray-error-message.js test with the
JIT disabled.

* Source/JavaScriptCore/runtime/ArrayConstructor.cpp:
(JSC::isArraySlowInline):
* Source/JavaScriptCore/runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::objectProtoToStringFunctionConcurrently const):

Canonical link: https://commits.webkit.org/256314@main
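
The check described in the log message, as an added example that is not part of the commit or of JavaScriptCore: a simplified model in which the intrinsic tag is only set when the JIT is enabled, and the lazily created function is compared by pointer without forcing its initialization. All type and function names below (Function, LazySlot, Global, peek, isToStringByIntrinsic, isToStringByIdentity) are hypothetical.

```cpp
#include <functional>
#include <memory>

// Simplified model, not JavaScriptCore code. All names are hypothetical.
enum Intrinsic { NoIntrinsic, ObjectToStringIntrinsic };

struct Function { Intrinsic intrinsic = NoIntrinsic; };

// Lazily created slot: get() initializes on first use, peek() never does.
struct LazySlot {
    std::unique_ptr<Function> value;
    std::function<std::unique_ptr<Function>()> init;
    int initCount = 0;
    Function* get() {
        if (!value) { value = init(); ++initCount; }
        return value.get();
    }
    Function* peek() const { return value.get(); } // nullptr until initialized
};

struct Global {
    LazySlot objectProtoToString;
    explicit Global(bool jitEnabled) {
        // Assumption taken from the log message: the tag exists only with the JIT.
        objectProtoToString.init = [jitEnabled] {
            auto f = std::make_unique<Function>();
            f->intrinsic = jitEnabled ? ObjectToStringIntrinsic : NoIntrinsic;
            return f;
        };
    }
};

// Before: relies on a tag that is always NoIntrinsic when the JIT is off.
bool isToStringByIntrinsic(const Function* f) {
    return f->intrinsic == ObjectToStringIntrinsic;
}

// After: pointer identity against the slot's current value. An uninitialized
// slot yields nullptr, which no live function can equal, so no init is needed.
bool isToStringByIdentity(const Global& g, const Function* f) {
    return f == g.objectProtoToString.peek();
}

int main() {
    Global g(false); // JIT disabled
    Function* ts = g.objectProtoToString.get();
    // The old check misses the real function; the new check identifies it.
    return (!isToStringByIntrinsic(ts) && isToStringByIdentity(g, ts)) ? 0 : 1;
}
```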



