  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: a82eb9dd7fabc6cfb8d9e5906e42411e27029e90
      https://github.com/WebKit/WebKit/commit/a82eb9dd7fabc6cfb8d9e5906e42411e27029e90
  Author: Sosuke Suzuki <[email protected]>
  Date:   2026-05-31 (Sun, 31 May 2026)

  Changed paths:
    A JSTests/stress/ftl-osr-exit-phantom-new-array-with-butterfly-having-a-bad-time-double-hole.js
    A JSTests/stress/ftl-osr-exit-phantom-new-array-with-butterfly-having-a-bad-time-int32-hole.js
    M Source/JavaScriptCore/ftl/FTLOperations.cpp

  Log Message:
  -----------
  [JSC] Array rematerialization should preserve double Array holes when having a bad time
https://bugs.webkit.org/show_bug.cgi?id=315922

Reviewed by Yusuke Suzuki.

When a sunk double Array is rematerialized at an FTL OSR exit after the VM had
a bad time, an unwritten element arrives as boxed NaN (the hole default for
double Arrays), not the empty JSValue. Because the Array has already been
switched to SlowPutArrayStorage, no hole-preserving branch in
operationPopulateObjectInOSR matched and the NaN fell through to
putDirectIndex, turning the hole into an own property. After a bad time, holes
must instead forward to indexed accessors on the prototype chain.

This change determines hole-ness from the indexing type the Array was sunk
with and clears the ArrayStorage vector entry for holes. It also decrements
m_numValuesInVector, which the pre-existing empty-JSValue path missed.

Tests: JSTests/stress/ftl-osr-exit-phantom-new-array-with-butterfly-having-a-bad-time-double-hole.js
       JSTests/stress/ftl-osr-exit-phantom-new-array-with-butterfly-having-a-bad-time-int32-hole.js

* JSTests/stress/ftl-osr-exit-phantom-new-array-with-butterfly-having-a-bad-time-double-hole.js: Added.
(cb):
(collect):
(opt):
* JSTests/stress/ftl-osr-exit-phantom-new-array-with-butterfly-having-a-bad-time-int32-hole.js: Added.
(cb):
(collect):
(opt):
* Source/JavaScriptCore/ftl/FTLOperations.cpp:
(JSC::FTL::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):

Canonical link: https://commits.webkit.org/314248@main
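
The language-level property the log message describes, as an added example in plain JavaScript (not part of the commit or its tests). The function names are hypothetical, and the NaN own property is constructed by hand to stand in for the pre-fix result; no FTL OSR exit is involved.

```javascript
// Added illustration. Installing an indexed accessor on Array.prototype is
// what makes JSC "have a bad time"; returns a function that removes it again.
function installIndexedAccessor(index, log) {
  Object.defineProperty(Array.prototype, index, {
    configurable: true,
    get() { log.push(index); return 'from-prototype'; },
  });
  return () => { delete Array.prototype[index]; };
}

// An array holding only doubles, with index 1 never written (a hole).
function makeDoubleArrayWithHole() {
  const a = new Array(3);
  a[0] = 1.5;
  a[2] = 2.5;
  return a;
}

// Report whether `index` is an own property and what a read returns.
function describeIndex(arr, index) {
  const own = Object.prototype.hasOwnProperty.call(arr, index);
  return { own, value: arr[index] };
}

function runDemo() {
  const log = [];
  const restore = installIndexedAccessor(1, log);
  try {
    // Expected: the hole is not an own property, so the read forwards to
    // the accessor on the prototype chain.
    const holeView = describeIndex(makeDoubleArrayWithHole(), 1);

    // Constructed stand-in for the pre-fix result: NaN stored as an own
    // property at the hole's index, which shadows the prototype accessor.
    const shadowed = makeDoubleArrayWithHole();
    Object.defineProperty(shadowed, 1, {
      value: NaN, writable: true, enumerable: true, configurable: true,
    });
    const shadowedView = describeIndex(shadowed, 1);

    return { holeView, shadowedView, getterCalls: log.length };
  } finally {
    restore();
  }
}
```

A regression check for this class of bug can assert both halves: the index is not an own property, and the read reaches the prototype accessor.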


