Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 58dd8cd97ec1f23aafa4ea9a9866c718275fc48c
https://github.com/WebKit/WebKit/commit/58dd8cd97ec1f23aafa4ea9a9866c718275fc48c
Author: Yijia Huang <[email protected]>
Date: 2025-07-08 (Tue, 08 Jul 2025)
Changed paths:
A JSTests/stress/array-allocation-sink-escape-materialize-1.js
A JSTests/stress/array-allocation-sink-escape-materialize-10.js
A JSTests/stress/array-allocation-sink-escape-materialize-11.js
A JSTests/stress/array-allocation-sink-escape-materialize-12.js
A JSTests/stress/array-allocation-sink-escape-materialize-13.js
A JSTests/stress/array-allocation-sink-escape-materialize-14.js
A JSTests/stress/array-allocation-sink-escape-materialize-2.js
A JSTests/stress/array-allocation-sink-escape-materialize-3.js
A JSTests/stress/array-allocation-sink-escape-materialize-4.js
A JSTests/stress/array-allocation-sink-escape-materialize-5.js
A JSTests/stress/array-allocation-sink-escape-materialize-6.js
A JSTests/stress/array-allocation-sink-escape-materialize-7.js
A JSTests/stress/array-allocation-sink-escape-materialize-8.js
A JSTests/stress/array-allocation-sink-escape-materialize-9.js
M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
M Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.cpp
M Source/JavaScriptCore/dfg/DFGPromotedHeapLocation.h
M Source/JavaScriptCore/dfg/DFGValidate.cpp
M Source/JavaScriptCore/runtime/OptionsList.h
Log Message:
-----------
[JSC] Fix GetButterfly handling in DFG array allocation sinking
https://bugs.webkit.org/show_bug.cgi?id=295191
rdar://154419571
Reviewed by Keith Miller.
DFG's object allocation sinking previously mishandled GetButterfly nodes
when their base arrays were sunk and later materialized. Specifically, when
PutByVal or GetByVal triggered array escape, the corresponding GetButterfly
nodes were not correctly updated to depend on the materialized array, leading
to incorrect butterfly references and potential crashes.
This patch fixes the issue by:
1. Introducing a new Allocation::Kind::ArrayButterfly to model GetButterfly as
a dependent allocation.
2. Adding ArrayButterflyPropertyPLoc to track butterfly-to-array relationships.
3. Implementing fixGetButterflyEscapees() to synchronize escape status between
arrays and their butterflies.
4. Enforcing materialization ordering to ensure arrays materialize before their
GetButterfly uses.
5. Updating GetButterfly lowering to depend on the correct materialized array.
This fix ensures that GetButterfly correctly accesses the butterfly of
materialized arrays.
Canonical link: https://commits.webkit.org/297146@main
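The pattern the commit message describes, as an added stress-test-style example in the spirit of the JSTests/stress files listed above (this is not one of the commit's own test files, and it does not inspect the DFG; function names, loop counts and the `noInline` guard are assumptions): an array literal that allocation sinking may remove, an escape forced by PutByVal or by a GetByVal with a non-constant index, and then reads (`length`, indexed access) that in DFG are backed by the array's butterfly. Whether any particular shape is actually sunk on a given JSC build is an assumption; the point of the example is that the observable values must stay the same whether or not the array is materialized on the escaping path.

```javascript
// Added example, not part of the WebKit commit. Written to run under both the jsc
// shell and node; noInline exists only in jsc, so it is guarded.
if (typeof noInline === "function") {
    noInline(sinkThenEscapeOnBranch);
    noInline(sinkThenEscapeOnRead);
}

// Escape in one branch only. The literal is a sinking candidate; the PutByVal in the
// taken branch escapes it; the reads after the join use the butterfly, and after the
// fix they must refer to the array materialized at the escape, not a stale reference.
function sinkThenEscapeOnBranch(shouldEscape, value) {
    const arr = [1, 2, 3];
    if (shouldEscape) {
        arr[1] = value;            // PutByVal: array escapes here
    }
    return arr.length + arr[1];    // butterfly-backed reads after the join
}

// Escape through a GetByVal whose index is not a compile-time constant, followed by a
// length read that again depends on the (now materialized) array's butterfly.
function sinkThenEscapeOnRead(index) {
    const arr = [10, 20, 30];
    const v = arr[index];          // GetByVal with non-constant index: escape
    return v + arr.length;
}

// Drive both functions through the JIT tiers with a mix of escaping and
// non-escaping iterations and compare each result with a plainly computed
// expectation. Returns the number of mismatches (0 on a correct engine).
function runStress(iterations) {
    let mismatches = 0;
    for (let i = 0; i < iterations; i++) {
        const escape = (i & 1) === 1;
        const value = i % 7;
        // length (3) plus arr[1], which is `value` only when the store happened.
        const expectedBranch = 3 + (escape ? value : 2);
        if (sinkThenEscapeOnBranch(escape, value) !== expectedBranch)
            mismatches++;

        const index = i % 3;
        const expectedRead = [10, 20, 30][index] + 3;
        if (sinkThenEscapeOnRead(index) !== expectedRead)
            mismatches++;
    }
    return mismatches;
}

// Stand-alone run; iteration count is an assumption large enough to reach DFG/FTL.
const STRESS_ITERATIONS = 100000;
if (runStress(STRESS_ITERATIONS) !== 0)
    throw new Error("array escape/materialize mismatch");
```

Run it in the jsc shell built before and after the commit (or under node as a sanity check that the expectations themselves are right); a non-zero mismatch count or a crash on the pre-fix build is the symptom the commit message describes.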
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes