RESOLVED FIXED 101720
If the DFG ArrayMode says that an access is on an OriginalArray, then the checks should always enforce this
https://bugs.webkit.org/show_bug.cgi?id=101720
Filip Pizlo
Reported 2012-11-09 00:25:00 PST
This allows us to cheaply validate whether or not a JSArray still has a sane prototype chain, even if we're not using a structure check.
Attachments
the patch (10.51 KB, patch)
2012-11-09 14:26 PST, Filip Pizlo
mhahnenberg: review-
the patch (19.92 KB, patch)
2012-11-09 17:36 PST, Filip Pizlo
mhahnenberg: review+
Filip Pizlo
Comment 1 2012-11-09 14:26:13 PST
Created attachment 173365 [details] the patch
Mark Hahnenberg
Comment 2 2012-11-09 14:36:01 PST
Comment on attachment 173365 [details] the patch

r- after doing some rubber ducky. Gotta watch out for "primordial" array structures from other global objects.
Filip Pizlo
Comment 3 2012-11-09 14:51:38 PST
(In reply to comment #2)
> (From update of attachment 173365 [details])
> r- after doing some rubber ducky. Gotta watch out for "primordial" array structures from other global objects.

Yeah. There's a much better way to do this. Just go full retard with OriginalArray.
Filip Pizlo
Comment 4 2012-11-09 17:36:35 PST
Created attachment 173414 [details] the patch
Mark Hahnenberg
Comment 5 2012-11-09 18:01:37 PST
Comment on attachment 173414 [details] the patch

r=me
Filip Pizlo
Comment 6 2012-11-09 21:54:49 PST