| Summary: | canDoFastSpread should also check that the Structure is from the global object we're watching | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Saam Barati <saam> | ||||||
| Component: | JavaScriptCore | Assignee: | Saam Barati <saam> | ||||||
| Status: | RESOLVED FIXED | ||||||||
| Severity: | Normal | CC: | ews-watchlist, keith_miller, mark.lam, msaboff, tzagallo, webkit-bug-importer | ||||||
| Priority: | P2 | Keywords: | InRadar | ||||||
| Version: | WebKit Nightly Build | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Attachments: |
|
||||||||
|
Description
Saam Barati
2021-10-19 12:39:25 PDT
Created attachment 441776 [details]
Patch
Comment on attachment 441776 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=441776&action=review > Source/JavaScriptCore/dfg/DFGGraph.cpp:1852 > + && structure->globalObject() == globalObject > && structure->storedPrototype() == arrayPrototype Nit: Can we invert these two lines? Comment on attachment 441776 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=441776&action=review >> Source/JavaScriptCore/dfg/DFGGraph.cpp:1852 >> && structure->storedPrototype() == arrayPrototype > > Nit: Can we invert these two lines? What's your thinking? The current code actually reads more clearly to me. Committed r284506 (243252@main): <https://commits.webkit.org/243252@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 441776 [details]. Will fix Keith's nit. Created attachment 441820 [details]
follow up
Comment on attachment 441820 [details]
follow up
r=me.
Committed r284699 (243416@main): <https://commits.webkit.org/243416@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 441820 [details]. |