Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 4e802a14cac67d2a23a484805ad37efb8436eb49
https://github.com/WebKit/WebKit/commit/4e802a14cac67d2a23a484805ad37efb8436eb49
Author: Shu-yu Guo <[email protected]>
Date: 2026-05-28 (Thu, 28 May 2026)
Changed paths:
A JSTests/stress/checkpoint-exception-handler-during-osr-exit.js
M Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp
Log Message:
-----------
[JSC] Don't advance bytecode when reifying inline frames at a checkpoint
https://bugs.webkit.org/show_bug.cgi?id=309930
rdar://172471763
Reviewed by Yusuke Suzuki.
When reifying inlined frames, the BytecodeIndex currently written into the
reified baseline frames in the case when OSR exiting at a checkpoint is the
bytecode after the checkpoint. In case the bytecode in which checkpointed
execution resumes throws, this would result in the wrong exception handler as
the index points to one past the bytecode being re-executed.
Note that this BytecodeIndex on the baseline frame is different from the index
used for actual resumption of execution. That index is kept in a sidestate and
encodes the checkpoint.
Test: JSTests/stress/checkpoint-exception-handler-during-osr-exit.js
* JSTests/stress/checkpoint-exception-handler-during-osr-exit.js: Added.
(const.b):
(opt):
(main):
* Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp:
(JSC::DFG::reifyInlinedCallFrames):
Originally-landed-as: 305413.486@rapid/safari-7624.2.5.110-branch
(ee8795961642). rdar://176062255
Canonical link: https://commits.webkit.org/314044@main