[Webkit-unassigned] [Bug 247480] New: JSTests/stress/array-isarray-error-message.js fails when run with --useJIT=0

Fri Nov 4 00:34:13 PDT 2022

https://bugs.webkit.org/show_bug.cgi?id=247480

            Bug ID: 247480
           Summary: JSTests/stress/array-isarray-error-message.js fails
                    when run with --useJIT=0
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

isArraySlowInline() was checking if a function is Object.prototype.toString by testing for function->intrinsic() == ObjectToStringIntrinsic.  However, this only works when the JIT is enabled.  When the JIT is disabled, function->intrinsic() is always NoIntrinsic.

The fix is to test function against globalObject->m_objectProtoToStringFunction instead.  However, globalObject->m_objectProtoToStringFunction is a LazyProperty.  We don't want this check to trigger the initialization of that LazyProperty, nor do we need to.  Simply testing against its pointer value is sufficient.  The only way the function can be Object.prototype.toString is if that LazyProperty has already been initialized.  If it's not initialized yet, then function cannot be Object.prototype.toString.  To enable this test, we'll introduce JSGlobal::objectProtoToStringFunctionConcurrently().

<rdar://problem/101942000>

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20221104/41ed69b0/attachment-0001.htm>