Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1f4abb51322ee99723e525de8fff76e4d55361a4
      
https://github.com/WebKit/WebKit/commit/1f4abb51322ee99723e525de8fff76e4d55361a4
  Author: Yusuke Suzuki <[email protected]>
  Date:   2026-02-18 (Wed, 18 Feb 2026)

  Changed paths:
    M Source/JavaScriptCore/runtime/ArrayConstructor.cpp
    M Source/JavaScriptCore/runtime/ArrayPrototype.cpp
    M Source/JavaScriptCore/runtime/JSArray.cpp
    M Source/JavaScriptCore/runtime/ScopedArguments.cpp

  Log Message:
  -----------
  [JSC] A bit defensively adding DeferGC for Butterfly baking
https://bugs.webkit.org/show_bug.cgi?id=308105
rdar://170604854

Reviewed by Keith Miller.

Baking Butterfly is really complex. Butterfly itself is kept via GC.
But Butterfly elements are not scanned until it gets connected to the owner
JSObject. This means that the createWithButterfly function requires extra
care since we do GC for owner cell allocation; thus, we need to ensure
that the content of Butterfly is also kept alive by someone. Currently, all
of JSArray::createWithButterfly's butterfly contents are copied from
some other objects, thus this object should keep them alive. But in some
cases, like clang optimization for a tail call to
JSArray::createWithButterfly, there is a theoretical possibility that this
owner object is no longer kept when creating JSArray because it was the
last use. And in this case, we may destroy the content of these
butterflies. We are not 100% sure whether this can happen. But let's be a
bit defensive against the current use by adding DeferGC to ensure that
we will not invoke GC for JSArray::createWithButterfly's owner cell
creation.

* Source/JavaScriptCore/runtime/ArrayConstructor.cpp:
(JSC::fastArrayOf):
(JSC::tryCreateArrayFromArguments):
(JSC::tryCreateArrayFromSet):
(JSC::tryCreateArrayFromMapIterator):
* Source/JavaScriptCore/runtime/ArrayPrototype.cpp:
(JSC::concatAppendArray):
* Source/JavaScriptCore/runtime/JSArray.cpp:
(JSC::JSArray::fastToReversed):
(JSC::JSArray::fastWith):
(JSC::JSArray::fastToSpliced):
(JSC::JSArray::fastSlice):
(JSC::tryCloneArrayFromFast):
(JSC::JSArray::fastFlat):
* Source/JavaScriptCore/runtime/ScopedArguments.cpp:
(JSC::ScopedArguments::fastSlice):

Canonical link: https://commits.webkit.org/307787@main
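A toy model of the window the commit message describes, added here as an example and not WebKit's code: a heap in which a Butterfly's elements are traced only through an owning JSObject, an allocation that may collect, and an RAII guard in the spirit of DeferGC. Every type, function and the "collect on every undeferred allocation" policy are simplified stand-ins for illustration, not JavaScriptCore's real implementation.

```cpp
#include <algorithm>
#include <memory>
#include <set>
#include <vector>
// Cells carry an id so liveness can be checked without touching freed memory.
struct Cell {
    int id; bool marked = false; explicit Cell(int i) : id(i) {} virtual ~Cell() = default;
    virtual void visit(std::vector<Cell*>&) {} // a bare cell has nothing to trace
};
// Butterfly: its elements are NOT traced until an owner JSObject points at it.
struct Butterfly : Cell { std::vector<Cell*> elements; using Cell::Cell; };
struct JSObject : Cell {
    Butterfly* butterfly = nullptr; using Cell::Cell;
    void visit(std::vector<Cell*>& w) override { // only the owner makes the elements reachable
        if (butterfly) { w.push_back(butterfly); for (Cell* e : butterfly->elements) w.push_back(e); }
    }
};
struct Heap {
    std::vector<std::unique_ptr<Cell>> cells; std::set<Cell*> roots;
    int nextId = 0, deferCount = 0;
    template <class T> T* allocate() { // toy heap: every undeferred allocation collects first
        if (deferCount == 0) collect();
        cells.push_back(std::make_unique<T>(nextId++)); return static_cast<T*>(cells.back().get());
    }
    void collect() { // mark from roots, sweep everything unmarked
        std::vector<Cell*> w(roots.begin(), roots.end());
        while (!w.empty()) { Cell* c = w.back(); w.pop_back(); if (c->marked) continue; c->marked = true; c->visit(w); }
        cells.erase(std::remove_if(cells.begin(), cells.end(), [](auto& c) { return !c->marked; }), cells.end());
        for (auto& c : cells) c->marked = false;
    }
    bool isLive(int id) const { return std::any_of(cells.begin(), cells.end(), [id](auto& c) { return c->id == id; }); }
};
// RAII guard modelled on DeferGC: no collection while it is in scope.
struct DeferGC { Heap& h; explicit DeferGC(Heap& heap) : h(heap) { ++h.deferCount; } ~DeferGC() { --h.deferCount; } };
JSObject* createWithButterfly(Heap& heap, Butterfly* bf) { // owner allocation may collect unless deferred
    JSObject* obj = heap.allocate<JSObject>(); obj->butterfly = bf; return obj;
}
// Scenario from the commit: the elements were kept alive only by a source object that is dead
// at the call (its last use); just the butterfly itself is still rooted. True if all survive.
bool elementsSurvive(bool defer) {
    Heap heap;
    JSObject* source = heap.allocate<JSObject>(); heap.roots.insert(source);
    Butterfly* bf = heap.allocate<Butterfly>(); source->butterfly = bf; heap.roots.insert(bf);
    std::vector<int> ids;
    for (int i = 0; i < 3; ++i) { Cell* e = heap.allocate<Cell>(); bf->elements.push_back(e); ids.push_back(e->id); }
    heap.roots.erase(source); // source is gone: only bf keeps anything rooted now
    std::unique_ptr<DeferGC> guard; if (defer) guard = std::make_unique<DeferGC>(heap);
    heap.roots.insert(createWithButterfly(heap, bf)); // the owner allocation the commit guards
    return std::all_of(ids.begin(), ids.end(), [&](int id) { return heap.isLive(id); });
}
```

Without the guard the owner allocation collects while the elements are reachable from nothing, so `elementsSurvive(false)` is false; with the guard in scope the same call returns true, which is the property the added DeferGC establishes.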
