Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: aa5589433c390617ad88c26ba56299dec2087bbf
      https://github.com/WebKit/WebKit/commit/aa5589433c390617ad88c26ba56299dec2087bbf
  Author: Shu-yu Guo <[email protected]>
  Date:   2026-06-16 (Tue, 16 Jun 2026)

  Changed paths:
    A JSTests/stress/literal-parser-proto-setter.js
    M Source/JavaScriptCore/runtime/Identifier.h
    M Source/JavaScriptCore/runtime/IdentifierInlines.h
    M Source/JavaScriptCore/runtime/LiteralParser.cpp

  Log Message:
  -----------
  [JSC] Take slow path in LiteralParser if original structure changes
https://bugs.webkit.org/show_bug.cgi?id=310231
rdar://172857687

Reviewed by Keith Miller.

LiteralParser has a fast path for caching transitions if we're parsing a
literal with an existing transition. This is done before the object literal is
actually parsed. During actual parsing, user code may run due to setters for
__proto__, which may invalidate the original object's structure and thus its
cached transition. Currently we don't account for the structure changing. This
PR fixes it by taking the slow path if the structure changes.

Test: JSTests/stress/literal-parser-proto-setter.js

* JSTests/stress/literal-parser-proto-setter.js: Added.
* Source/JavaScriptCore/runtime/Identifier.h:
* Source/JavaScriptCore/runtime/IdentifierInlines.h:
(JSC::Identifier::fromUid):
* Source/JavaScriptCore/runtime/LiteralParser.cpp:
(JSC::requires):

Originally-landed-as: 305413.524@rapid/safari-7624.2.5.110-branch (15b9c504262f). rdar://176061347
Canonical link: https://commits.webkit.org/315327@main
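
The revalidation pattern the log message describes, as an added example that is not part of the commit and is not WebKit code: a toy hidden-class model in which a transition is cached before a value callback runs, and the caller falls back to a slow path if the object's shape changed in between. All type and function names (`Shape`, `Obj`, `addProperty`, `scenario`) are hypothetical and the scenario is constructed.

```cpp
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <vector>

// Toy hidden-class model. Every name here is hypothetical, not JavaScriptCore's.
struct Shape {
    std::vector<std::string> keys;                       // slot layout
    std::map<std::string, std::unique_ptr<Shape>> next;  // add-property transitions
    Shape* transition(const std::string& k) {
        auto& s = next[k];
        if (!s) { s = std::make_unique<Shape>(); s->keys = keys; s->keys.push_back(k); }
        return s.get();
    }
};
struct Obj { Shape* shape; std::vector<int> slots; };
enum class Path { Fast, Slow };

// parseValue stands in for parsing a property value, which may run user code
// (the setter case in the log message) that reshapes `o` before we return.
Path addProperty(Obj& o, const std::string& key,
                 const std::function<int()>& parseValue, bool revalidate) {
    Shape* before = o.shape;
    Shape* cached = before->transition(key);  // looked up before the value is parsed
    int v = parseValue();                     // re-entrancy point
    bool changed = o.shape != before;
    // Checked: a changed shape makes `cached` stale, so recompute from the current shape.
    o.shape = (revalidate && changed) ? o.shape->transition(key) : cached;
    o.slots.push_back(v);
    return (revalidate && changed) ? Path::Slow : Path::Fast;
}

// Invariant: one storage slot per key named by the object's shape.
bool consistent(const Obj& o) { return o.shape->keys.size() == o.slots.size(); }

// Constructed scenario: the value callback adds property "x" to the same object.
bool scenario(bool revalidate, Path* taken) {
    Shape root;
    Obj o{&root, {}};
    auto reenter = [&] { o.shape = o.shape->transition("x"); o.slots.push_back(0); return 1; };
    *taken = addProperty(o, "y", reenter, revalidate);
    return consistent(o);
}

int main() {
    Path p;
    return scenario(true, &p) && !scenario(false, &p) ? 0 : 1;
}
```

Without the check, the object ends with a shape naming one key but two storage slots; with it, shape and storage agree and the fast path is still taken whenever the callback leaves the shape alone.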


