Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: eba64ef44de395091d66bdfdf1c2b1f0f4983c56
https://github.com/WebKit/WebKit/commit/eba64ef44de395091d66bdfdf1c2b1f0f4983c56
Author: Shu-yu Guo <[email protected]>
Date: 2026-05-29 (Fri, 29 May 2026)
Changed paths:
A
JSTests/stress/ftl-osr-exit-phantom-new-array-with-butterfly-having-a-bad-time.js
M Source/JavaScriptCore/ftl/FTLOperations.cpp
Log Message:
-----------
[JSC] Array rematerialization should know how to have a bad time
https://bugs.webkit.org/show_bug.cgi?id=311883
rdar://174420676
Reviewed by Keith Miller.
Sunk Arrays that are rematerialized with a butterfly are always rematerialized
with a contiguous butterfly. If, in the meantime, the VM had a bad time and
moved all Array structures to SlowPutArrayStorage, rematerialization can end up
treating remterialized Arrays, which are now ArrayStorage, as if they had
contiguous butterflies.
This PR fixes that by always rematerializing with the contiguous butterfly, but
switching to SlowPutArrayStorage after the fact if the VM is having a bad time.
Test:
JSTests/stress/ftl-osr-exit-phantom-new-array-with-butterfly-having-a-bad-time.js
*
JSTests/stress/ftl-osr-exit-phantom-new-array-with-butterfly-having-a-bad-time.js:
Added.
(cb):
(collect):
(opt):
* Source/JavaScriptCore/ftl/FTLOperations.cpp:
(JSC::FTL::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):
Originally-landed-as: 305413.641@rapid/safari-7624.2.5.110-branch
(899331a21899). rdar://176058667
Canonical link: https://commits.webkit.org/314202@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
