We don't optimize for-in properly in baseline JIT (maybe other JITs too) with an...
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 27 Jul 2016 21:11:09 +0000 (21:11 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 27 Jul 2016 21:11:09 +0000 (21:11 +0000)
commit8e9e72e65df6d64d8a882bea50a30e931b110957
treec1876db8557172ddffb6df56c7073c8488018d13
parent7c36d43a8baa9b2ed0e00714d02a2d702c3b12fa
We don't optimize for-in properly in baseline JIT (maybe other JITs too) with an object with symbols
https://bugs.webkit.org/show_bug.cgi?id=160211
<rdar://problem/27572612>

Reviewed by Geoffrey Garen.

The fast for-in iteration mode assumes all inline/out-of-line properties
can be iterated in linear order. This is not true if we have Symbols
because Symbols should not be iterated by for-in.

* runtime/Structure.cpp:
(JSC::Structure::add):
* tests/stress/symbol-should-not-break-for-in.js: Added.
(assert):
(foo):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@203793 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/Structure.cpp
Source/JavaScriptCore/tests/stress/symbol-should-not-break-for-in.js [new file with mode: 0644]