Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a347abe159d3a72e91febeb20f37aa9eefbe190f
https://github.com/WebKit/WebKit/commit/a347abe159d3a72e91febeb20f37aa9eefbe190f
Author: Yusuke Suzuki <[email protected]>
Date: 2023-07-31 (Mon, 31 Jul 2023)
Changed paths:
A JSTests/stress/spread-for-runtime-array.js
M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
M Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
M Source/JavaScriptCore/runtime/IteratorOperations.cpp
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h
M Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h
M Source/JavaScriptCore/tools/JSDollarVM.cpp
M Source/WebCore/bindings/js/JSObservableArray.h
M Source/WebCore/bridge/runtime_array.h
Log Message:
-----------
Intermittent removal of adoptedStyleSheet CSSStyleSheet instances when
assigning adoptedStyleSheet array
https://bugs.webkit.org/show_bug.cgi?id=254844
rdar://107768559
Reviewed by Mark Lam.
JSObservableArray is using ArrayClass, but this is wrong: this is not
implementing what Array in DFG etc. requires.
As a result, DFG attempt to read length in the same way to normal array, and it
just reads empty butterfly.
1. JSObservableArray must not say ArrayClass. ArrayClass is more strict form
(like, ArrayType), and DerivedArray normally
should not use it.
2. We also fix NPAPI's half-broken RuntimeArray's ArrayClass to NonArray.
3. We also change iteration protocol to consider this new scheme: we should
only allow fast iteration for normal pure JSArray.
* JSTests/stress/spread-for-runtime-array.js: Added.
(shouldBe):
(test):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:
(JSC::iteratorNextTryFastImpl):
* Source/JavaScriptCore/runtime/IteratorOperations.cpp:
(JSC::getIterationMode):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewConstructorInlines.h:
(JSC::constructGenericTypedArrayViewWithArguments):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h:
(JSC::JSGenericTypedArrayView<Adaptor>::setFromArrayLike):
* Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
(JSC::genericTypedArrayViewPrivateFuncFromFast):
* Source/JavaScriptCore/tools/JSDollarVM.cpp:
* Source/WebCore/bindings/js/JSObservableArray.h:
* Source/WebCore/bridge/runtime_array.h:
Canonical link: https://commits.webkit.org/266464@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
