[webkit-changes] [WebKit/WebKit] b7ecdf: [JSC] Fix Object.assign's temporary structure tran...
Yusuke Suzuki
noreply at github.com
Tue Apr 11 15:26:49 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b7ecdfa767a359bcc8c660523644122d765e77ee
https://github.com/WebKit/WebKit/commit/b7ecdfa767a359bcc8c660523644122d765e77ee
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-04-11 (Tue, 11 Apr 2023)
Changed paths:
M Source/JavaScriptCore/heap/Heap.cpp
M Source/JavaScriptCore/runtime/JSObject.cpp
Log Message:
-----------
[JSC] Fix Object.assign's temporary structure transition
https://bugs.webkit.org/show_bug.cgi?id=255304
rdar://107903084
Reviewed by Mark Lam.
Fixes Object.assign's temporary structure transition. We should store oldStructure's StructureID, but we were storing oldStructure->structure()'s ID.
Interestingly, this does not affect release builds because:
1. After setting this and before setStructure, we have no GC invocation operations.
2. Inline property offset is static. It does not depend on Structure. So, every store just works as expected.
So, it is ultimately just an assertion hit. But it is not correct. This patch fixes it.
Also, we need to visit BrandedStructures' finalizer too. This patch also fixes it.
* Source/JavaScriptCore/heap/Heap.cpp:
(JSC::Heap::finalizeUnconditionalFinalizers):
* Source/JavaScriptCore/runtime/JSObject.cpp:
(JSC::JSObject::putOwnDataPropertyBatching):
Canonical link: https://commits.webkit.org/262843@main