Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b7ecdfa767a359bcc8c660523644122d765e77ee
https://github.com/WebKit/WebKit/commit/b7ecdfa767a359bcc8c660523644122d765e77ee
Author: Yusuke Suzuki <[email protected]>
Date: 2023-04-11 (Tue, 11 Apr 2023)
Changed paths:
M Source/JavaScriptCore/heap/Heap.cpp
M Source/JavaScriptCore/runtime/JSObject.cpp
Log Message:
-----------
[JSC] Fix Object.assign's temporary structure transition
https://bugs.webkit.org/show_bug.cgi?id=255304
rdar://107903084
Reviewed by Mark Lam.
Fixes Object.assign's temporary structure transition. We should store
oldStructure's StructureID, but we were storing oldStructure->structure()'s ID.
Interestingly, this does not affect the release build because:
1. After setting this and before setStructure, we have no GC-invoking
operations.
2. Inline property offset is static. It does not depend on Structure. So,
every store just works as expected.
So, it is ultimately just an assertion hit. But it is not correct. This patch
fixes it.
Also, we need to visit BrandedStructures' finalizer too. This patch also fixes
it.
* Source/JavaScriptCore/heap/Heap.cpp:
(JSC::Heap::finalizeUnconditionalFinalizers):
* Source/JavaScriptCore/runtime/JSObject.cpp:
(JSC::JSObject::putOwnDataPropertyBatching):
Canonical link: https://commits.webkit.org/262843@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes