tor-browser

The Tor Browser

commit 1c9d86edc5d91b67ba8c858a053de40e1b98dc95
parent bf333a1f6ce1ae0205ebe15bb58f8921a12333c0
Author: alexical <dothayer@mozilla.com>
Date:   Tue, 25 Nov 2025 17:56:18 +0000

Bug 2002089 - Disable Object.keys iterator indices for dense elements r=iain

Differential Revision: https://phabricator.services.mozilla.com/D273888

Diffstat:
Mjs/src/vm/Iteration.cpp | 13+++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/js/src/vm/Iteration.cpp b/js/src/vm/Iteration.cpp
@@ -1239,7 +1239,10 @@ static PropertyIteratorObject* GetIteratorImpl(JSContext* cx,
 }

 // If the object has dense elements, mark the dense elements as
- // maybe-in-iteration.
+ // maybe-in-iteration. However if we're unregistered (as is the case in
+ // an Object.keys scalar replacement), we're not able to do the appropriate
+ // invalidations on deletion etc. anyway. Accordingly, we're forced to just
+ // disable the indices optimization for this iterator entirely.
 //
 // The iterator is a snapshot so if indexed properties are added after this
 // point we don't need to do anything. However, the object might have sparse
@@ -1248,9 +1251,11 @@ static PropertyIteratorObject* GetIteratorImpl(JSContext* cx,
 //
 // In debug builds, AssertDenseElementsNotIterated is used to check the flag
 // is set correctly.
- if (!SkipRegistration) {
- if (obj->is<NativeObject>() &&
- obj->as<NativeObject>().getDenseInitializedLength() > 0) {
+ if (obj->is<NativeObject>() &&
+ obj->as<NativeObject>().getDenseInitializedLength() > 0) {
+ if (SkipRegistration) {
+ supportsIndices = false;
+ } else {
 obj->as<NativeObject>().markDenseElementsMaybeInIteration();
 }
 }
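Review bot: The new `supportsIndices = false` in the second hunk is reached only when `getDenseInitializedLength() > 0` at the time the iterator is created, so an unregistered iterator over an object with no dense elements yet keeps the indices optimization. The context comment in the first hunk notes that sparse elements can be densified later, and whatever covers that case for registered iterators is outside the hunk, so it is not visible here whether the unregistered Object.keys scalar-replacement path is protected in the same way. If it is not, making the check independent of the dense length, e.g. `if (SkipRegistration && obj->is<NativeObject>()) { supportsIndices = false; }`, would cover it; if it is, a short comment on the `SkipRegistration` branch stating why objects without dense elements at this point are safe would record the reasoning. GetIteratorImpl starts and ends outside both hunks, and the diffstat shows no regression test landing with the change.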