Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 877adec845ec625cc1a090f159e101dbea4c7144
      https://github.com/WebKit/WebKit/commit/877adec845ec625cc1a090f159e101dbea4c7144
  Author: Shu-yu Guo <[email protected]>
  Date:   2026-01-22 (Thu, 22 Jan 2026)

  Changed paths:
    A JSTests/stress/array-from-arguments-overwritten-length.js
    M Source/JavaScriptCore/runtime/ArrayConstructor.cpp

  Log Message:
  -----------
  [JSC] Account for user code to arguments in Array.from
https://bugs.webkit.org/show_bug.cgi?id=306000
rdar://168635038

Reviewed by Sosuke Suzuki and Yusuke Suzuki.

Arguments objects in JS are array-like, so there is no guarantee that .length
implies a backing store of that size, and that indexed getters won't be called,
even when the iterator protocol isn't user modified.

This PR makes the optimized version of Array.from for arguments robust to user
modification to fall back to generic get().

Test: JSTests/stress/array-from-arguments-overwritten-length.js
Canonical link: https://commits.webkit.org/306050@main
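
The behaviour the log message describes, as an added example that is not the commit's test file or any WebKit code: it compares Array.from on user-modified arguments objects against a copy built only from generic property reads. The helper names (toLength, genericFrom, sameElements, runChecks) and all inputs are constructed for illustration.

```javascript
// Added example (not WebKit's test). Reference copy built only from generic
// property reads: re-read "length", then Get the index, at every step.
function toLength(v) {
  const n = Math.trunc(Number(v)) || 0;
  return Math.min(Math.max(n, 0), Number.MAX_SAFE_INTEGER);
}
function genericFrom(arrayLike) {
  const out = [];
  for (let k = 0; k < toLength(arrayLike.length); k++) out.push(arrayLike[k]);
  return out;
}
function sameElements(a, b) {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) {
    if (!(i in a) || !Object.is(a[i], b[i])) return false;
  }
  return true;
}

function runChecks() {
  let getterReads = 0;
  // Constructed inputs: each helper returns its own modified arguments object.
  function grown() { arguments.length = 4; return arguments; }
  function shrunk() { arguments.length = 1; return arguments; }
  function deleted() { delete arguments[0]; return arguments; }
  function withGetter() {
    Object.defineProperty(arguments, 1, { get() { getterReads++; return "g"; } });
    return arguments;
  }
  const cases = [
    ["length grown past the passed arguments", grown(1, 2), [1, 2, undefined, undefined]],
    ["length shrunk", shrunk("a", "b", "c"), ["a"]],
    ["index deleted", deleted("a", "b"), [undefined, "b"]],
    ["index replaced by a getter", withGetter("x", "y"), ["x", "g"]],
  ];
  return cases.map(([name, args, want]) => {
    const before = getterReads;
    const got = Array.from(args);
    const reads = getterReads - before; // user code run by Array.from itself
    const ok = sameElements(got, want) && sameElements(got, genericFrom(args));
    return { name, got, reads, ok };
  });
}

for (const r of runChecks()) {
  console.log(r.ok ? "PASS" : "FAIL", r.name, JSON.stringify(r.got), "getter reads:", r.reads);
}
```

A FAIL line means the engine's result for that arguments object differs from what generic property reads produce.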
