Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 73689f5430825ecffb614dbcce8e6575dfea3d50
      
https://github.com/WebKit/WebKit/commit/73689f5430825ecffb614dbcce8e6575dfea3d50
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-06-02 (Tue, 02 Jun 2026)

  Changed paths:
    A JSTests/stress/get-by-id-constant-fold-dictionary-head-shadow-property.js
    M Source/JavaScriptCore/bytecode/GetByStatus.cpp

  Log Message:
  -----------
  [JSC] `GetByStatus::computeFor` should not constant-fold prototype loads when the head structure is a dictionary
https://bugs.webkit.org/show_bug.cgi?id=316046

Reviewed by Yusuke Suzuki.

GetByStatus::computeFor(JSGlobalObject*, const StructureSet&, ...) walks the
prototype chain and folds a prototype property hit into a Simple variant with an
ObjectPropertyConditionSet, which DFG AI uses to constant-fold GetById. The
generated conditions only cover the prototype chain objects (generateConditions
rejects dictionary prototypes and the conditions are watched); the absence of a
shadowing own property on the base object is supposed to be guaranteed by the
structure check alone.

That guarantee does not hold for dictionary structures: adding an own property
to a cacheable dictionary does not transition the structure and does not fire
any watchpoint. So when AI proves a finite structure set whose only structure
is a cacheable dictionary (e.g. via a self-access IC on a dictionary structure
that cannot be flattened again due to hasBeenFlattenedBefore), DFG/FTL
constant-folds the prototype value, and adding a shadowing own property
afterwards keeps returning the stale prototype value with no OSR exit.

This change rejects dictionary head structures before the prototype walk,
mirroring the head-structure check that the TryGetById folding path already
performs.

Test: JSTests/stress/get-by-id-constant-fold-dictionary-head-shadow-property.js

* JSTests/stress/get-by-id-constant-fold-dictionary-head-shadow-property.js: Added.
(shouldBe):
(warmProto):
(opt):
* Source/JavaScriptCore/bytecode/GetByStatus.cpp:
(JSC::GetByStatus::computeFor):

Canonical link: https://commits.webkit.org/314361@main
