RESOLVED FIXED 247480
JSTests/stress/array-isarray-error-message.js fails when run with --useJIT=0 
https://bugs.webkit.org/show_bug.cgi?id=247480
Summary JSTests/stress/array-isarray-error-message.js fails when run with --useJIT=0
Mark Lam
Reported 2022-11-04 00:34:13 PDT
isArraySlowInline() was checking if a function is Object.prototype.toString by testing for function->intrinsic() == ObjectToStringIntrinsic. However, this only works when the JIT is enabled. When the JIT is disabled, function->intrinsic() is always NoIntrinsic. The fix is to test function against globalObject->m_objectProtoToStringFunction instead. However, globalObject->m_objectProtoToStringFunction is a LazyProperty. We don't want this check to trigger the initialization of that LazyProperty, nor do we need to. Simply testing against its pointer value is sufficient. The only way the function can be Object.prototype.toString is if that LazyProperty has already been initialized. If it's not initialized yet, then function cannot be Object.prototype.toString. To enable this test, we'll introduce JSGlobal::objectProtoToStringFunctionConcurrently(). <rdar://problem/101942000>
Attachments
Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2022-11-04 00:39:21 PDT
Pull request: https://github.com/WebKit/WebKit/pull/6127
EWS
Comment 2 2022-11-04 02:17:05 PDT
Committed 256314@main (5551d9ec0813): <https://commits.webkit.org/256314@main> Reviewed commits have been landed. Closing PR #6127 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.