[webkit-changes] [WebKit/WebKit] ecb799: [JSC] Shouldn't use the fast path of copying index...

Commit Queue noreply at github.com
Thu Sep 28 00:22:42 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: ecb799021d899bd16a98c35ef40279b4f8ee3596
      https://github.com/WebKit/WebKit/commit/ecb799021d899bd16a98c35ef40279b4f8ee3596
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2023-09-28 (Thu, 28 Sep 2023)

  Changed paths:
    A JSTests/stress/object-assign-with-indexed-getter-setter-properties.js
    M Source/JavaScriptCore/runtime/JSObject.cpp
    M Source/JavaScriptCore/runtime/JSObject.h
    M Source/JavaScriptCore/runtime/JSObjectInlines.h
    M Source/JavaScriptCore/runtime/ObjectConstructor.cpp
    M Source/JavaScriptCore/runtime/ObjectConstructorInlines.h
    M Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp
    M Source/JavaScriptCore/runtime/SparseArrayValueMap.h

  Log Message:
  -----------
  [JSC] Shouldn't use the fast path of copying indexed properties if saw indexed GetterSetter properties
https://bugs.webkit.org/show_bug.cgi?id=262228
rdar://115790723

Reviewed by Yusuke Suzuki.

Previously, we introduced a fast path for `Object.assign` by copying
indexed properties directly (https://commits.webkit.org/267797@main).
This is wrong since indexed properties may contain getter or setter
properties which have side effects. So, we should avoid to use the
fast path of copying indexed properties when saw any indexed getter
or setter property.

* Source/JavaScriptCore/runtime/JSObject.cpp:
(JSC::putIndexedDescriptor):
* Source/JavaScriptCore/runtime/JSObject.h:
(JSC::JSObject::canHaveExistingOwnIndexedGetterSetterProperties):
* Source/JavaScriptCore/runtime/JSObjectInlines.h:
(JSC::JSObject::forEachOwnIndexedProperty):
(JSC::JSObject::forEachIndexedProperty): Deleted.
* Source/JavaScriptCore/runtime/ObjectConstructor.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):
* Source/JavaScriptCore/runtime/ObjectConstructorInlines.h:
(JSC::objectAssignIndexedPropertiesFast):
(JSC::objectAssignFast):
* Source/JavaScriptCore/runtime/SparseArrayValueMap.cpp:
(JSC::SparseArrayEntry::get const):
* Source/JavaScriptCore/runtime/SparseArrayValueMap.h:
(JSC::SparseArrayEntry::SparseArrayEntry):
(JSC::SparseArrayEntry::attributes const):
(JSC::SparseArrayEntry::forceSet):
(JSC::SparseArrayEntry::asValue):

Canonical link: https://commits.webkit.org/268567@main

More information about the webkit-changes mailing list