Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: a1a6185cc83ec55675fd01a100117d0202701d28
https://github.com/WebKit/WebKit/commit/a1a6185cc83ec55675fd01a100117d0202701d28
Author: Keith Miller <[email protected]>
Date: 2025-10-25 (Sat, 25 Oct 2025)
Changed paths:
A JSTests/stress/array-sink-conditional-initialization.js
A JSTests/stress/array-sink-diamond-initialization-then-read.js
A JSTests/stress/array-sink-read-uninitialized-hole.js
M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
Log Message:
-----------
Array Allocation Sinking Should Track Initialized Indices
https://bugs.webkit.org/show_bug.cgi?id=301468
rdar://162617198
Reviewed by Yusuke Suzuki.
After fixing conditional writes in 300888@main there was still a remaining issue.
If there ended up being a read from a conditionally initialized index of the
array we could end up forwarding the hole value to that read rather than
`undefined`.
To fix this we add a bit vector that tracks whether a particular index is
guaranteed to be initialized on every path to this point.
Lastly this change removes an unused size argument passed to the ArrayButterfly's
Allocation. As of this change that would trigger an additional allocation and is
unused.
Tests: JSTests/stress/array-sink-diamond-initialization-then-read.js
       JSTests/stress/array-sink-read-uninitialized-hole.js
       JSTests/stress/array-sink-conditional-initialization.js
Canonical link: https://commits.webkit.org/302153@main
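The "initialized on every path" rule from the log message, as an added example that is not JavaScriptCore code or part of this commit: a simplified must-initialized analysis over a constructed diamond CFG. The names `Block`, `initializedAtHead`, `canForwardStoredValue` and `diamond`, and the 64-index limit, are assumptions made for the illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Simplified model (assumption): one sunk array of at most 64 elements, and
// a CFG whose blocks only record which indices of that array they store to.
struct Block {
    std::vector<int> predecessors; // indices into the block list
    uint64_t stores;               // bit i set: this block writes array[i]
};

// Bit i at a block's head is set only if every predecessor has array[i]
// initialized at its tail, i.e. the meet over predecessors is intersection.
std::vector<uint64_t> initializedAtHead(const std::vector<Block>& cfg)
{
    // Start optimistic (all ones) except at the entry block, then shrink to
    // a fixpoint so that loops are handled as well as diamonds.
    std::vector<uint64_t> head(cfg.size(), ~0ull);
    head[0] = 0;
    for (bool changed = true; changed;) {
        changed = false;
        for (size_t b = 1; b < cfg.size(); ++b) {
            uint64_t meet = ~0ull;
            for (int p : cfg[b].predecessors)
                meet &= head[p] | cfg[p].stores;
            changed |= meet != head[b];
            head[b] = meet;
        }
    }
    return head;
}

// A read at the head of `block` may be given the tracked stored value only
// when the bit is set; otherwise it must produce `undefined`, not the hole.
bool canForwardStoredValue(const std::vector<uint64_t>& head, int block, int index)
{
    return (head[block] >> index) & 1;
}

// Constructed diamond: 0 -> {1, 2} -> 3. Block 1 stores a[0] and a[1],
// block 2 stores only a[1], and block 3 reads both indices.
std::vector<Block> diamond()
{
    return { { {}, 0 }, { { 0 }, 0x3 }, { { 0 }, 0x2 }, { { 1, 2 }, 0 } };
}

int main()
{
    auto head = initializedAtHead(diamond());
    std::printf("a[0]: %d, a[1]: %d\n", canForwardStoredValue(head, 3, 0), canForwardStoredValue(head, 3, 1));
}
```

In the diamond, `a[0]` is written on only one arm, so its bit is clear at the join and the read there has to be treated as `undefined`; `a[1]` is written on both arms and can be forwarded.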