Changeset 272428 in webkit for trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

Timestamp:

Feb 5, 2021, 10:58:06 AM (5 years ago)

Author:

[email protected]

Message:

[JSC] globalFuncCopyDataProperties should not perform GC-sensitive operation in the middle of Structure::forEachProperty
​https://bugs.webkit.org/show_bug.cgi?id=221454

Reviewed by Mark Lam.

JSTests:

• stress/copy-data-properties-fast-path.js: Added.

(foo):

Source/JavaScriptCore:

isPropertyNameExcluded can invoke GC etc. And running Structure::forEachProperty
is fragile state against any side-effect including GC.
We should not perform GC-sensitive operation during Structure::forEachProperty.

• runtime/JSGlobalObjectFunctions.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION):

File:

• trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

@@ -886 +886 @@
                 return true;
 
-            bool excluded = isPropertyNameExcluded(globalObject, propertyName);
-            RETURN_IF_EXCEPTION(scope, false);
-            if (excluded)
-                return true;
             if (entry.attributes & PropertyAttribute::DontEnum)
                 return true;
@@ -903 +899 @@
             // FIXME: We could put properties in a batching manner to accelerate CopyDataProperties more.
             // https://bugs.webkit.org/show_bug.cgi?id=185358
+            bool excluded = isPropertyNameExcluded(globalObject, properties[i].get());
+            RETURN_IF_EXCEPTION(scope, { });
+            if (excluded)
+                continue;
             target->putDirect(vm, properties[i].get(), values.at(i));
         }