Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 00c0add58ec35e0f557a57b1f3918e97ff979c64
      
https://github.com/WebKit/WebKit/commit/00c0add58ec35e0f557a57b1f3918e97ff979c64
  Author: Keith Miller <[email protected]>
  Date:   2026-01-13 (Tue, 13 Jan 2026)

  Changed paths:
    A JSTests/stress/array-sink-materialize-butterfly-to-phi.js
    M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
    M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGUseKind.cpp
    M Source/JavaScriptCore/dfg/DFGUseKind.h
    M Source/JavaScriptCore/dfg/DFGValidate.cpp
    M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  [JSC] FTL Phis need to support storage
https://bugs.webkit.org/show_bug.cgi?id=305393
rdar://165711688

Reviewed by Justin Michaud.

When we redesigned Array allocation sinking, Phis were not properly
changed to support storage. Prior to sinking, there was no way to
construct a graph that had storage Phis. The main reason we didn't
support Phis for storage was that it is somewhat risky with the
constraints of our GC. In particular, it would be invalid to have a
storage pointer without also retaining the base object. The GC won't
scan the butterfly without the base as it doesn't know the indexing type.

This patch simply fixes Upsilons/Phis for butterflies materialized by
Array allocation sinking. In a follow-up patch I'll add a more
comprehensive fix that applies the new KnownStorageUse to all other
storage consuming Nodes.

Test: JSTests/stress/array-sink-materialize-butterfly-to-phi.js
Canonical link: https://commits.webkit.org/305546@main


