Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 32e7fe840255aad7b355ad2c58187bd0cf958fc0
https://github.com/WebKit/WebKit/commit/32e7fe840255aad7b355ad2c58187bd0cf958fc0
Author: Sosuke Suzuki <[email protected]>
Date: 2026-05-04 (Mon, 04 May 2026)
Changed paths:
A JSTests/stress/array-concat-intrinsic-contiguous-double-mismatch.js
M Source/JavaScriptCore/dfg/DFGOperations.cpp
M Source/JavaScriptCore/runtime/ArrayPrototype.cpp
Log Message:
-----------
[JSC] Gate `Array#concat` fast path on indexing-type merge compatibility
https://bugs.webkit.org/show_bug.cgi?id=314015

Reviewed by Yusuke Suzuki.

tryConcatAppendArrayFastWithWatchpoints assumes its callers have
verified that mergeIndexingTypeForCopying yields a valid IndexingType,
but ArrayWithContiguous + ArrayWithDouble (and the symmetric case)
returns NonArray. Reachable via tryConcatOneArgFast and
operationArrayConcatArray (e.g. [1, "x"].concat([1.5, 2.5])):
debug fires ASSERT(type != NonArray); release builds a NonArray
structure and memcpys raw double bits into a JSValue butterfly.

Add an explicit merge-compat check at both callsites so the helper's
precondition holds. The host caller falls back to the generic concat
loop, and DFG/FTL OSR-exit via ExoticObjectMode.

Test: JSTests/stress/array-concat-intrinsic-contiguous-double-mismatch.js

* JSTests/stress/array-concat-intrinsic-contiguous-double-mismatch.js: Added.
(assert):
(shallowEq):
(runConcat):
(makeContiguous):
(makeDouble):
(testContiguousPlusDouble):
(testDoublePlusContiguous):
(testCoWContiguousPlusDouble):
(testCoWDoublePlusContiguous):
(testEmptyContiguousPlusDouble):
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
(JSC::DFG::JSC_DEFINE_JIT_OPERATION):
* Source/JavaScriptCore/runtime/ArrayPrototype.cpp:
(JSC::tryConcatOneArgFast):
Canonical link: https://commits.webkit.org/312560@main
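
A differential regression check for the case the commit message describes, written as an added example: it is not the project's test file, and the helper names and inputs are constructed here. It compares `concat` against a generic copy loop for mixed-plus-double arrays, and goes slightly beyond the message's single example by including `-0`, `NaN` and an emptied array.

```javascript
// Added example (not WebKit's test file). Helper names are hypothetical and
// all inputs are constructed. Which internal storage an engine picks for each
// array is an implementation detail; the comments state the intent only.

// Generic element-by-element concat for plain arrays, preserving holes.
function referenceConcat(a, b) {
  const out = new Array(a.length + b.length);
  for (let i = 0; i < a.length; i++) if (i in a) out[i] = a[i];
  for (let j = 0; j < b.length; j++) if (j in b) out[a.length + j] = b[j];
  return out;
}

// Object.is distinguishes -0 from 0 and treats NaN as equal to itself, so a
// double stored or read back with the wrong representation shows up here.
function sameElements(x, y) {
  if (!Array.isArray(x) || x.length !== y.length) return false;
  for (let i = 0; i < y.length; i++) {
    if ((i in x) !== (i in y) || !Object.is(x[i], y[i])) return false;
  }
  return true;
}

// Built with push() so the arrays are not shared constant literals.
function makeMixed() { const a = []; a.push(1, "x", { k: 1 }); return a; }
function makeDoubles() { const a = []; a.push(1.5, 2.5, -0, NaN); return a; }
function makeEmptiedMixed() { const a = []; a.push("x"); a.pop(); return a; }

const cases = [
  ["mixed + doubles", () => [makeMixed(), makeDoubles()]],
  ["doubles + mixed", () => [makeDoubles(), makeMixed()]],
  ["literal mixed + literal doubles", () => [[1, "x"], [1.5, 2.5]]],
  ["literal doubles + literal mixed", () => [[1.5, 2.5], [1, "x"]]],
  ["emptied mixed + doubles", () => [makeEmptiedMixed(), makeDoubles()]],
];

// Run each case many times so optimizing tiers also execute the concat call.
// Returns the names of cases whose result differs from the reference.
function runChecks(iterations) {
  const failures = new Set();
  for (const [name, build] of cases) {
    for (let n = 0; n < iterations; n++) {
      const [a, b] = build();
      if (!sameElements(a.concat(b), referenceConcat(a, b))) failures.add(name);
    }
  }
  return [...failures];
}
```

An empty array from `runChecks` means every case matched the generic loop; any returned name identifies the element-kind pairing that diverged.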