[webkit-changes] [WebKit/WebKit] e470f3: [JSC] Crash in `Array#indexOf` when the array cont...
SUZUKI Sosuke
noreply at github.com
Sun Feb 9 18:05:10 PST 2025
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e470f352d9ce010a47d48c4cc4f7e2457d0e7c64
https://github.com/WebKit/WebKit/commit/e470f352d9ce010a47d48c4cc4f7e2457d0e7c64
Author: Sosuke Suzuki <aosukeke at gmail.com>
Date: 2025-02-09 (Sun, 09 Feb 2025)
Changed paths:
A JSTests/stress/array-prototype-indexOf-string-use.js
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
[JSC] Crash in `Array#indexOf` when the array contains non-cell value
https://bugs.webkit.org/show_bug.cgi?id=287319
Reviewed by Yusuke Suzuki.
We merged a patch[1] that optimized `Array#indexOf` for arrays
containing 8-bit strings. As a result of that change, searching
for a string in an `ArrayWithContiguous` array started causing crashes.
This patch fixes it.
[1]: https://commits.webkit.org/289780@main
* JSTests/stress/array-prototype-indexOf-string-use.js: Added.
(sameValue):
(test):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
(JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructorOrStringValueOf):
Canonical link: https://commits.webkit.org/290136@main