Title: [284506] trunk/Source/JavaScriptCore
Revision: 284506
Author: sbar...@apple.com
Date: 2021-10-19 15:48:26 -0700 (Tue, 19 Oct 2021)

Log Message

canDoFastSpread should also check that the Structure is from the global object we're watching
https://bugs.webkit.org/show_bug.cgi?id=231976
<rdar://84340372>

Reviewed by Keith Miller.

* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::canDoFastSpread):

Modified Paths

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (284505 => 284506)


--- trunk/Source/_javascript_Core/ChangeLog	2021-10-19 22:37:56 UTC (rev 284505)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-19 22:48:26 UTC (rev 284506)
@@ -1,3 +1,14 @@
+2021-10-19  Saam Barati  <sbar...@apple.com>
+
+        canDoFastSpread should also check that the Structure is from the global object we're watching
+        https://bugs.webkit.org/show_bug.cgi?id=231976
+        <rdar://84340372>
+
+        Reviewed by Keith Miller.
+
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::canDoFastSpread):
+
 2021-10-19  Chris Dumez  <cdu...@apple.com>
 
         [clang 13] Suppress sign comparison warnings
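Review bot: The new entry stops at `* dfg/DFGGraph.cpp:` / `(JSC::DFG::Graph::canDoFastSpread):` with no description under the function, so a reader of the ChangeLog cannot tell what the added condition guards against; add a sentence stating why a Structure whose globalObject differs from the one obtained via globalObjectFor(node->child1()->origin.semantic) must be rejected even when its storedPrototype equals that global's arrayPrototype. The diff also touches no JSTests file, so the cross-global case named in the title has no regression test in this change.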

Modified: trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp (284505 => 284506)


--- trunk/Source/_javascript_Core/dfg/DFGGraph.cpp	2021-10-19 22:37:56 UTC (rev 284505)
+++ trunk/Source/_javascript_Core/dfg/DFGGraph.cpp	2021-10-19 22:48:26 UTC (rev 284506)
@@ -1843,10 +1843,12 @@
     if (!value.m_structure.isFinite())
         return false;
 
-    ArrayPrototype* arrayPrototype = globalObjectFor(node->child1()->origin.semantic)->arrayPrototype();
+    JSGlobalObject* globalObject = globalObjectFor(node->child1()->origin.semantic);
+    ArrayPrototype* arrayPrototype = globalObject->arrayPrototype();
     bool allGood = true;
     value.m_structure.forEach([&] (RegisteredStructure structure) {
         allGood &= structure->hasMonoProto()
+            && structure->globalObject() == globalObject
             && structure->storedPrototype() == arrayPrototype
             && !structure->isDictionary()
             && structure->getConcurrently(m_vm.propertyNames->iteratorSymbol.impl()) == invalidOffset
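Review bot: The added `&& structure->globalObject() == globalObject` line is the right guard, but it deserves a one-line comment at that point: the surrounding conjunction only compares storedPrototype against this global's arrayPrototype, rejects dictionary structures and checks the iteratorSymbol offset, so nothing in the block explains why a Structure from a different global object is unsafe even when its prototype matches. Placing the comparison before the storedPrototype and isDictionary checks is good, since it is the cheapest and most discriminating test; keep it first. Minor, pre-existing: `allGood &= ...` evaluates the whole conjunction for every structure even after allGood is already false, so the getConcurrently lookup still runs for each remaining structure; if forEach cannot be short-circuited that is acceptable, otherwise `allGood = allGood && ...` would skip the work once a bad structure is seen.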
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
