Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 72272dcc4feb84122a18d38b2ef1af99c0bf01d1
https://github.com/WebKit/WebKit/commit/72272dcc4feb84122a18d38b2ef1af99c0bf01d1
Author: Keith Miller <[email protected]>
Date: 2026-05-19 (Tue, 19 May 2026)
Changed paths:
M Source/JavaScriptCore/runtime/CachedTypes.cpp
M Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp
M Source/JavaScriptCore/runtime/ScopedArgumentsTable.h
M Source/WTF/wtf/Vector.h
Log Message:
-----------
[JSC] ScopedArgumentsTable ScopeOffset buffer should allocate from fastMalloc
https://bugs.webkit.org/show_bug.cgi?id=315082
rdar://175937787
Reviewed by Yusuke Suzuki.
ScopedArgumentsTable::m_arguments is engine metadata, not user payload, but
it was allocated from Gigacage::Primitive — making its ScopeOffsets reachable
through any Primitive-cage write primitive and usable as an unchecked index
into JSLexicalEnvironment::variables(). Replace the CagedUniquePtr with a
Vector<ScopeOffset>. JIT/LLInt loads through offsetOfLength() / offsetOfArguments()
are unchanged at the codegen level: m_size is unsigned (matches the prior
uint32_t m_length) and m_buffer is a raw T*.
Also, drop a stale m_watchpointSets.resize(newLength) from the m_locked
branch of trySetLength: it mutated the supposedly-locked instance. The
only caller (SymbolTable::trySetArgumentsLength) immediately swaps in the new
table, so no caller observed the resized state.
Canonical link: https://commits.webkit.org/313485@main