JavaScriptCore ArrayPrototype::join shouldn't cache butterfly when it makes effectful...
author: msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 23 Mar 2016 21:03:02 +0000 (21:03 +0000)
committer: msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 23 Mar 2016 21:03:02 +0000 (21:03 +0000)
commit: 90fef1a7ea0844713646d82ab494aa699ae77937
tree: 4df3e1d558172465d94b8fceaafae4a8acd607c2
parent: 5e2b8a0da3447fb67612b0fab8599034c33d8bc6
JavaScriptCore ArrayPrototype::join shouldn't cache butterfly when it makes effectful calls
https://bugs.webkit.org/show_bug.cgi?id=155776

Reviewed by Saam Barati.

Source/JavaScriptCore:

Array.join ends up calling toString, possibly on some object.  Since these calls
could be effectful and could change the array itself, we can't hold the butterfly
pointer while making effectful calls.  Changed the code to fall back to the general
case when an effectful toString() call might be made.

* runtime/ArrayPrototype.cpp:
(JSC::join):
* runtime/JSStringJoiner.h:
(JSC::JSStringJoiner::appendWithoutSideEffects): New helper that doesn't make effectful
toString() calls.
(JSC::JSStringJoiner::append): Built upon appendWithoutSideEffects.

LayoutTests:

New test.

* js/regress-155776-expected.txt: Added.
* js/regress-155776.html: Added.
* js/script-tests/regress-155776.js: Added.
(fillBigArrayViaToString):
(Function.prototype.toString):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@198592 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/js/regress-155776-expected.txt [new file with mode: 0644]
LayoutTests/js/regress-155776.html [new file with mode: 0644]
LayoutTests/js/script-tests/regress-155776.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ArrayPrototype.cpp
Source/JavaScriptCore/runtime/JSStringJoiner.h
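The hazard the commit message describes, as an added illustration that is not WebKit code and not the regress-155776 test: `Array.prototype.join` converts each element with `toString`, and that `toString` is arbitrary user code that may mutate the array being joined. The engine's storage is modelled here with a plain array; `cachedStorageJoin` copies that storage once and keeps using the copy, playing the role of the held butterfly pointer, while `specJoin` re-reads the live array on every iteration as ECMA-262 requires. The element with a self-mutating `toString`, the two mutation modes and the push count of 10000 are constructed for the example (the layout test used a `Function.prototype.toString` override instead).

```javascript
// Added example (not WebKit code): why Array.prototype.join must not keep a
// cached reference to the array's storage across user-defined toString calls.
// A plain JS array stands in for the engine's storage; the one-time copy in
// cachedStorageJoin stands in for the cached butterfly pointer.

const SEP = ",";

// Constructed input: element 0's toString mutates the very array being joined.
// "shrink" truncates the array; "grow" appends many elements, which in a real
// engine forces the backing store to be reallocated (the case the test exercised).
function makeSelfMutatingArray(mode) {
  const arr = [0, 1, 2, 3];
  arr[0] = {
    toString() {
      if (mode === "shrink") {
        arr.length = 1;
      } else {
        for (let i = 0; i < 10000; i++) arr.push(i); // constructed count
      }
      return "x";
    },
  };
  return arr;
}

// Spec-shaped join (ECMA-262 Array.prototype.join): read length once up front,
// then fetch each element from the live object after every conversion, so any
// mutation performed by toString is observed on the next iteration.
function specJoin(arr, sep) {
  const len = arr.length;
  let out = "";
  for (let k = 0; k < len; k++) {
    if (k > 0) out += sep;
    const element = arr[k]; // Get(O, k) on the current array, not a cached copy
    out += element === undefined || element === null ? "" : String(element);
  }
  return out;
}

// Join modelled on the pattern the commit removes: take the storage once and
// keep using that copy while making effectful toString calls. In JS this only
// yields stale results; in the engine the stale pointer could reference
// storage that has since been freed or reallocated.
function cachedStorageJoin(arr, sep) {
  const slots = Array.from(arr); // stale as soon as toString mutates arr
  let out = "";
  for (let k = 0; k < slots.length; k++) {
    if (k > 0) out += sep;
    const element = slots[k];
    out += element === undefined || element === null ? "" : String(element);
  }
  return out;
}

// Run the built-in and both models on fresh arrays so results are comparable.
function compareJoins(mode) {
  return {
    builtin: makeSelfMutatingArray(mode).join(SEP),
    spec: specJoin(makeSelfMutatingArray(mode), SEP),
    cached: cachedStorageJoin(makeSelfMutatingArray(mode), SEP),
  };
}

// Length of the array after a spec-shaped join, showing the mutation took effect.
function lengthAfterSpecJoin(mode) {
  const arr = makeSelfMutatingArray(mode);
  specJoin(arr, SEP);
  return arr.length;
}

console.log(compareJoins("shrink")); // cached disagrees with builtin and spec
console.log(compareJoins("grow"));   // same text, but storage was reallocated
```

In the shrink case the built-in and the spec-shaped model both produce `"x,,,"` because elements 1 to 3 no longer exist when they are fetched, while the cached-storage model still reports the old contents. In the grow case all three produce the same text, since the length was fixed before the loop; the difference the commit cares about is invisible at the JavaScript level, namely that the array's storage moved underneath the join, which is exactly why the fixed code falls back to the general path whenever an effectful `toString` call might be made.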