Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 177d2cad35bfdcf00d652eb92669d5cc9db9762e
https://github.com/WebKit/WebKit/commit/177d2cad35bfdcf00d652eb92669d5cc9db9762e
Author: Sosuke Suzuki <[email protected]>
Date: 2026-05-31 (Sun, 31 May 2026)
Changed paths:
A JSTests/stress/dfg-ensure-absence-dictionary-then-property.js
M Source/JavaScriptCore/dfg/DFGGraph.cpp
Log Message:
-----------
[JSC] Reject dictionary structures in `tryEnsureAbsence` in DFG
https://bugs.webkit.org/show_bug.cgi?id=315983
Reviewed by Yusuke Suzuki.
The head structure check added in 314147@main accepts cacheable dictionary
structures because propertyAccessesAreCacheable() only excludes uncacheable
dictionaries. Adding a property to a dictionary does not transition the
structure, so once we prove the absence of 'then' based on a dictionary
structure, adding a 'then' getter to the object after compilation makes the
proof stale without firing any watchpoint or failing any structure check. As a
result, Promise.resolve() folded into NewResolvedPromise skips the user's
'then' getter, and when the getter does run on the operation slow path, it runs
at a point where the compiler assumes no side effects can happen. The
structures on the prototype chain are not affected since
generateConditionsForPropertyMissConcurrently already rejects dictionaries.
This patch makes tryEnsureAbsence reject dictionary structures.
Test: JSTests/stress/dfg-ensure-absence-dictionary-then-property.js
* JSTests/stress/dfg-ensure-absence-dictionary-then-property.js: Added.
(createDictionaryObject):
(opt):
(main):
* Source/JavaScriptCore/dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryEnsureAbsence):
Canonical link: https://commits.webkit.org/314275@main
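
Added example (not part of the commit and not JavaScriptCore code): a simplified model of the reasoning in the log message, showing why an absence proof guarded only by a structure identity check goes stale for a dictionary but not for a transitioning structure. Every class and function name here is hypothetical, and watchpoints are left out of the model.

```javascript
// Simplified model, not JavaScriptCore code. All names here are hypothetical.
class Structure {
  constructor(names, isDictionary) {
    this.names = new Set(names);
    this.isDictionary = isDictionary;
    this.transitions = new Map(); // property name -> successor structure
  }
}

class ModelObject {
  constructor(structure) { this.structure = structure; }
  addProperty(name) {
    const s = this.structure;
    if (s.isDictionary) {
      s.names.add(name); // dictionary: mutated in place, same structure identity
      return;
    }
    // Non-dictionary: the object moves to a different structure.
    if (!s.transitions.has(name))
      s.transitions.set(name, new Structure([...s.names, name], false));
    this.structure = s.transitions.get(name);
  }
}

// Returns a proof tied to the current structure, or null if no proof is made.
// rejectDictionaries = true models the behaviour the commit message describes.
function proveAbsence(object, name, rejectDictionaries) {
  const s = object.structure;
  if (s.names.has(name)) return null;
  if (rejectDictionaries && s.isDictionary) return null;
  return { provenOn: s };
}

// Compiled code keeps trusting the proof while the structure identity matches.
function structureCheckPasses(proof, object) {
  return proof !== null && object.structure === proof.provenOn;
}

function scenario(isDictionary, rejectDictionaries) {
  const obj = new ModelObject(new Structure(["x"], isDictionary));
  const proof = proveAbsence(obj, "then", rejectDictionaries);
  obj.addProperty("then"); // constructed event: property added after the proof
  const trusted = structureCheckPasses(proof, obj);
  return { proofMade: proof !== null, trusted, stale: trusted && obj.structure.names.has("then") };
}

console.log(scenario(false, false), scenario(true, false), scenario(true, true));
```

In the model, only the dictionary case without the rejection ends with a proof that is still trusted while the property exists.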