[webkit-reviews] review requested: [Bug 234990] JSArray::fastSlice() should not convert the source from CoW : [Attachment 448806] Patch
bugzilla-daemon at webkit.org
Mon Jan 10 15:55:15 PST 2022
Alexey Shvayka <ashvayka at apple.com> has asked for review:
Bug 234990: JSArray::fastSlice() should not convert the source from CoW
https://bugs.webkit.org/show_bug.cgi?id=234990
Attachment 448806: Patch
https://bugs.webkit.org/attachment.cgi?id=448806&action=review
--- Comment #6 from Alexey Shvayka <ashvayka at apple.com> ---
Comment on attachment 448806
--> https://bugs.webkit.org/attachment.cgi?id=448806
Patch
(In reply to Mark Lam from comment #2)
> Comment on attachment 448801 [details]
> Patch
>
> r=me if EWS is happy.
Thanks Mark!
Needs another review I guess.
(In reply to Yusuke Suzuki from comment #3)
> Comment on attachment 448801 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=448801&action=review
>
> > Source/JavaScriptCore/runtime/JSArray.cpp:747
> > + Structure* resultStructure =
globalObject->arrayStructureForIndexingTypeDuringAllocation(sourceIndexingMode
| IsArray);
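Review bot: In the resultStructure initializer, sourceIndexingMode | IsArray is passed as-is to arrayStructureForIndexingTypeDuringAllocation(), a function named for an indexing type rather than an indexing mode, so any mode bits the source carries (copy-on-write included) go straight into the structure lookup. Suggest reducing the value to the plain indexing type before the call, and asserting after it that the result structure is not copy-on-write, so a regression here fails in debug builds rather than only in a benchmark.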
>
> Doesn't it accidentally propagate CoW state if source is CoW?
> The result of slice should not be CoW array.
My bad, it does; I didn't look into
arrayStructureForIndexingTypeDuringAllocation() closely enough.
JSTests/microbenchmarks/lazy-array-species-watchpoints.js nicely covers the
case.
I very much appreciate the tip!