Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b21a503b579a8ab14c839f82cc77176e507352e5
https://github.com/WebKit/WebKit/commit/b21a503b579a8ab14c839f82cc77176e507352e5
Author: Yusuke Suzuki <[email protected]>
Date: 2025-12-17 (Wed, 17 Dec 2025)
Changed paths:
M Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp
Log Message:
-----------
[JSC] StoreBarrierInsertionPhase's escape should mark all transitively
incoming values to phi
https://bugs.webkit.org/show_bug.cgi?id=302502
rdar://164593392
Reviewed by Keith Miller and Mark Lam.
Let's have the following code.
BB#1
    a: NewObject
    b: NewObject
    ...
    c: Upsilon(@b, ^f)
    Branch(BB#2, BB#3)
BB#2
    ...
    d: Something
    e: Upsilon(@d, ^f)
    Jump(BB#3)
BB#3
    f: Phi(@c, @e)
    ...
    g: PutByOffset(@a, @f)
    ...
    h: PutByOffset(@b, ...)
    ...
Since @b can cause GC, the epoch is bumped and @a can be in the old region.
As a result, in @g, we should insert a StoreBarrier after that. And
because this old @a can leak @f to the world scanned by concurrent GC,
we need to escape @f, and subsequent code must insert a StoreBarrier when
@f's properties are modified. However, we are marking @f but not marking
all incoming values @b and @d propagated through Upsilon. As a result,
@h can use @b directly (since BB#3 is dominated by BB#1, it is fine),
and we failed to insert a StoreBarrier after @h since @b is not marked!
This patch fixes it by marking all transitively incoming values for the
escaped one. The code will mark the node itself, and then mark all
incoming nodes when the node is Phi.
* Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp:
Originally-landed-as: 0cfb4a033f7e. rdar://166335758
Canonical link: https://commits.webkit.org/304602@main
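The marking rule this commit describes, as an added C++ illustration that is not WebKit's code: a toy graph with the commit's nodes, a worklist escape that walks a Phi's inputs through their Upsilons, and a check of whether @h's store into @b gets its barrier under the old and the fixed policy. All type and function names here are constructed; basic blocks and GC epochs are not modelled.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>
enum class Op { NewObject, Something, Upsilon, Phi, PutByOffset };

struct Node {
    Op op;
    // Upsilon: {value it carries}; Phi: {Upsilons feeding it}; PutByOffset: {base, ...}
    std::vector<std::string> inputs;
};
using Graph = std::map<std::string, Node>;
// The graph from the commit message, constructed here (basic blocks and epochs not modelled).
Graph exampleGraph() {
    return {
        {"a", {Op::NewObject, {}}},           {"b", {Op::NewObject, {}}},
        {"c", {Op::Upsilon, {"b"}}},          {"d", {Op::Something, {}}},
        {"e", {Op::Upsilon, {"d"}}},          {"f", {Op::Phi, {"c", "e"}}},
        {"g", {Op::PutByOffset, {"a", "f"}}}, {"h", {Op::PutByOffset, {"b"}}},
    };
}
// Fixed behaviour: mark the node and, when it is a Phi, every value that reaches it
// through an Upsilon, recursing through nested Phis with a worklist.
void escapeTransitively(const Graph& g, const std::string& n, std::set<std::string>& escaped) {
    std::vector<std::string> worklist{n};
    while (!worklist.empty()) {
        std::string cur = worklist.back();
        worklist.pop_back();
        if (!escaped.insert(cur).second) continue; // already marked
        const Node& node = g.at(cur);
        if (node.op != Op::Phi) continue;
        for (const auto& upsilon : node.inputs)
            worklist.push_back(g.at(upsilon).inputs.at(0)); // the value the Upsilon carries
    }
}

// A PutByOffset must get a StoreBarrier when its base is marked as escaped.
bool needsBarrier(const Graph& g, const std::string& store, const std::set<std::string>& escaped) {
    return escaped.count(g.at(store).inputs.at(0)) > 0;
}

// Escaped set after @f escapes at @g: the old policy marked only the Phi, the fixed
// policy also marks @b and @d, so @h's store into @b now gets its barrier.
std::set<std::string> escapedAfterG(bool transitive) {
    std::set<std::string> escaped;
    if (transitive) escapeTransitively(exampleGraph(), "f", escaped);
    else escaped.insert("f"); // old behaviour: only the Phi itself
    return escaped;
}
```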