[webkit-changes] [WebKit/WebKit] a347ab: Intermittent removal of adoptedStyleSheet CSSStyle...

Yusuke Suzuki noreply at github.com
Mon Jul 31 21:25:46 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a347abe159d3a72e91febeb20f37aa9eefbe190f
      https://github.com/WebKit/WebKit/commit/a347abe159d3a72e91febeb20f37aa9eefbe190f
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-07-31 (Mon, 31 Jul 2023)

  Changed paths:
    A JSTests/stress/spread-for-runtime-array.js
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
    M Source/JavaScriptCore/runtime/IteratorOperations.cpp
    M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h
    M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
    M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h
    M Source/JavaScriptCore/tools/JSDollarVM.cpp
    M Source/WebCore/bindings/js/JSObservableArray.h
    M Source/WebCore/bridge/runtime_array.h

  Log Message:
  -----------
  Intermittent removal of adoptedStyleSheet CSSStyleSheet instances when assigning adoptedStyleSheet array
https://bugs.webkit.org/show_bug.cgi?id=254844
rdar://107768559

Reviewed by Mark Lam.

JSObservableArray is using ArrayClass, but this is wrong: this is not implementing what Array in DFG etc. requires.
As a result, DFG attempt to read length in the same way to normal array, and it just reads empty butterfly.

1. JSObservableArray must not say ArrayClass. ArrayClass is more strict form (like, ArrayType), and DerivedArray normally
   should not use it.
2. We also fix NPAPI's half-broken RuntimeArray's ArrayClass to NonArray.
3. We also change iteration protocol to consider this new scheme: we should only allow fast iteration for normal pure JSArray.

* JSTests/stress/spread-for-runtime-array.js: Added.
(shouldBe):
(test):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:
(JSC::iteratorNextTryFastImpl):
* Source/JavaScriptCore/runtime/IteratorOperations.cpp:
(JSC::getIterationMode):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewWithArguments):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::setFromArrayLike):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewPrivateFuncFromFast):
* Source/JavaScriptCore/tools/JSDollarVM.cpp:
* Source/WebCore/bindings/js/JSObservableArray.h:
* Source/WebCore/bridge/runtime_array.h:

Canonical link: https://commits.webkit.org/266464@main

More information about the webkit-changes mailing list