Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 934b1e28a87a1a9dbd5011751c819d56f6229734
https://github.com/WebKit/WebKit/commit/934b1e28a87a1a9dbd5011751c819d56f6229734
Author: Keith Miller <[email protected]>
Date: 2025-10-02 (Thu, 02 Oct 2025)
Changed paths:
A JSTests/stress/array-allocation-sink-conditional-write-osr.js
A JSTests/stress/array-sink-materialize-conditional-write-argument-value.js
A JSTests/stress/array-sink-materialize-conditional-write.js
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
Conditional writes are incorrectly handled in Array allocation sinking
https://bugs.webkit.org/show_bug.cgi?id=299956
rdar://161681941
Reviewed by Yusuke Suzuki and Yijia Huang.
The current bottom value in ObjectAllocationSinking is incorrect for arrays.
Unlike with objects, which track conditional stores by passing the active
structure through SSA, arrays can't do this. Instead we should set the default value
to the appropriate hole value for the given IndexingShape. To make this work
I had to fix some Phi/Upsilon ResultFormat bugs since they previously assumed
everything would be a JSValue.
Also, add ASSERT to FTL lowering that the Phi/Upsilon formats match. I spent
1/2 a day trying to understand why I was getting zero, when the issue was
those values disagreed and I was getting the default zero value.
Tests: JSTests/stress/array-allocation-sink-conditional-write-osr.js
JSTests/stress/array-sink-materialize-conditional-write-argument-value.js
JSTests/stress/array-sink-materialize-conditional-write.js
Canonical link: https://commits.webkit.org/300888@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes