[webkit-changes] [WebKit/WebKit] b97cfe: REGRESSION (266591 at main): Array.splice can return ...

Yusuke Suzuki noreply at github.com
Wed Sep 6 15:43:24 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b97cfe44a622482f18d6757813eb92a69a10b2b6
      https://github.com/WebKit/WebKit/commit/b97cfe44a622482f18d6757813eb92a69a10b2b6
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-09-06 (Wed, 06 Sep 2023)

  Changed paths:
    A JSTests/stress/array-splice-empty-dfg.js
    M Source/JavaScriptCore/dfg/DFGOperations.cpp

  Log Message:
  -----------
  REGRESSION (266591 at main): Array.splice can return `undefined` for `[].splice(0, 0)`
https://bugs.webkit.org/show_bug.cgi?id=261140
rdar://114992785

Reviewed by Alexey Shvayka.

ArraySpliceExtract DFG operation's path for an empty array is wrong. We should just go to the rest,
which already handles the fast path too.

* JSTests/stress/array-splice-empty-dfg.js: Added.
(shouldBe):
(test):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):

Canonical link: https://commits.webkit.org/267703@main



