Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 32f1bfb841291085addeca576816d73d8c3aed84
https://github.com/WebKit/WebKit/commit/32f1bfb841291085addeca576816d73d8c3aed84
Author: Shu-yu Guo <[email protected]>
Date: 2026-05-29 (Fri, 29 May 2026)
Changed paths:
A JSTests/stress/direct-eval-cache-rope.js
M Source/JavaScriptCore/interpreter/Interpreter.cpp
Log Message:
-----------
[JSC] Defer GC while using the direct eval CacheLookupKey
https://bugs.webkit.org/show_bug.cgi?id=310146
rdar://172708456
Reviewed by Yusuke Suzuki.
DirectEvalCodeCache::CacheLookupKey holds a raw StringImpl* for performance.
This StringImpl* can be the contents of a fiber of an on-stack rope JSString.
Though that JSString is live on the stack, it can be mutated in place due to
rope flattening, which means its fiber JSString, whose contents are referenced
in the key, can become unrooted and swept by the GC and consequently deref the
String whose raw pointer is in the key. This PR fixes by deferring GC while
the lookup key is live on the stack.
Test: JSTests/stress/direct-eval-cache-rope.js
* JSTests/stress/direct-eval-cache-rope.js: Added.
(getRope):
(main):
* Source/JavaScriptCore/interpreter/Interpreter.cpp:
(JSC::eval):
Originally-landed-as: 305413.520@rapid/safari-7624.2.5.110-branch
(f84884541bfb). rdar://176061437
Canonical link: https://commits.webkit.org/314203@main