[JSC] Additional check for transitioning for Object.assign's cloning

https://bugs.webkit.org/show_bug.cgi?id=267375 rdar://120811101 Reviewed by Justin Michaud. To ensure didTransition's invariant more strongly, we explicitly check that 1. target structure didn't do transition before. 2. source structure did transition before. for Object.assign cloning fast path. * Source/JavaScriptCore/runtime/ObjectConstructorInlines.h: (JSC::objectCloneFast): Canonical link: https://commits.webkit.org/272870@main
WebKit · Jan 11, 2024 · 485d485 · 485d485
1 parent 4d608c2
commit 485d485
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/Source/JavaScriptCore/runtime/ObjectConstructorInlines.h b/Source/JavaScriptCore/runtime/ObjectConstructorInlines.h
@@ -154,6 +154,11 @@ ALWAYS_INLINE bool objectCloneFast(VM& vm, JSFinalObject* target, JSObject* sour
         return false;
     }
 
+    if (targetStructure->didTransition()) {
+        dataLogLnIf(verbose, "target did some transition, indicating non pure empty structure");
+        return false;
+    }
+
     // If the sourceStructure is frozen, we retrieve the last one before freezing.
     if (sourceStructure->transitionKind() == TransitionKind::Freeze) {
         dataLogLnIf(verbose, "source was frozen. Let's look into the previous structure");
@@ -172,6 +177,11 @@ ALWAYS_INLINE bool objectCloneFast(VM& vm, JSFinalObject* target, JSObject* sour
     if (!checkStrucure(sourceStructure))
         return false;
 
+    if (!sourceStructure->didTransition()) {
+        dataLogLnIf(verbose, "source didn't do some transition, indicating pure empty structure, not trying to use the fast path since we would like to see target as transitioned before at final form");
+        return false;
+    }
+
     if (targetStructure->inlineCapacity() != sourceStructure->inlineCapacity()) {
         dataLogLnIf(verbose, "source and target has different inline capacity");
         return false;