Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: c7fe05eb98f63f711766aa2822520c8557a1f404
https://github.com/WebKit/WebKit/commit/c7fe05eb98f63f711766aa2822520c8557a1f404
Author: Kai Tamkun <[email protected]>
Date: 2026-06-12 (Fri, 12 Jun 2026)
Changed paths:
A JSTests/stress/regress-173924142.js
M Source/JavaScriptCore/dfg/DFGClobberize.h
Log Message:
-----------
[JSC] ToBoolean/TypeOfIsUndefined/TypeOfIsFunction/TypeOf/CompareEq def value
in DFGClobberize doesn't depend on node's origin.semantic
https://bugs.webkit.org/show_bug.cgi?id=311663
rdar://173924142
Reviewed by Marcus Plutowski.
The semantics of operations like `typeof` are realm-dependent when the input
has the
`MasqueradesAsUndefined` flag set. This patch prevents constant folding of these
expressions if they have different realms to preserve the semantics.
Added regress-173924142.js to ensure that the operations behave as expected
even across realms.
* JSTests/stress/regress-173924142.js: Added.
(assert):
(otherGlobal.eval.returnMultipleValues):
(returnMultipleValues):
(i.returnMultipleValues):
(otherGlobalMasqueraderAfter.const.property.of.Object.getOwnPropertyNames):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
Originally-landed-as: 305413.657@rapid/safari-7624.2.5.110-branch
(882fc55c5e17). rdar://176058724
Canonical link: https://commits.webkit.org/315142@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
