Branch: refs/heads/webkitglib/2.50
  Home:   https://github.com/WebKit/WebKit
  Commit: c29cac702a2eb1300268ca9f8db27f4b128841ab
      https://github.com/WebKit/WebKit/commit/c29cac702a2eb1300268ca9f8db27f4b128841ab
  Author: Keith Miller <keith_mil...@apple.com>
  Date:   2025-08-26 (Tue, 26 Aug 2025)

  Changed paths:
    A JSTests/stress/osr-availability-heap-materialization-clobbered.js
    M Source/JavaScriptCore/dfg/DFGAvailabilityMap.cpp
    M Source/JavaScriptCore/dfg/DFGAvailabilityMap.h
    M Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.cpp
    M Source/JavaScriptCore/dfg/DFGPutStackSinkingPhase.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp

  Log Message:
  -----------
  Cherry-pick 298431@main (90aa8070e1b6). https://bugs.webkit.org/show_bug.cgi?id=291742

    [JSC] ASSERTION FAILED: from.isCell() at jsCast
    https://bugs.webkit.org/show_bug.cgi?id=291742
    rdar://149546133

    Reviewed by Yusuke Suzuki.

    OSRAvailabilityAnalysisPhase needs to update the Availability in the heap when a local on
    the stack gets clobbered. If we don't then when materializing an object for OSR we could
    read a random value (possibly in a different format, although I'm not 100% sure) for a
    type confusion. ArgumentsEliminationPhase only does `computeInterference` at the head of
    each block. This sorta works because in most cases if a PutStack will clobber the recovery
    value then we'll end up escaping the candidate. Unfortunately, with the previous rules
    this was both overly conservative and too weak. Too weak because we could clobber the
    necessary local without updating Availability so we'd use the wrong value (this bug).
    Too conservative because the value could still be recoverable via SSA (not fixed here).

    * Source/JavaScriptCore/dfg/DFGAvailabilityMap.cpp:
    (JSC::DFG::AvailabilityMap::filterByLiveness):
    (JSC::DFG::AvailabilityMap::pruneByLiveness):
        Add a filterByLiveness that non-destructively returns an AvailabilityMap and use that
        to implement pruneByLiveness as that's effectively what pruneByLiveness already does.

    (JSC::DFG::AvailabilityMap::validateAvailability const):
        Add extra validation for OSR exit availability. The new checks ensure the local's
        perspective on what's available matches what a materialization in the heap would
        see too. This validation finds the bug in the test case without requiring an assert.

    * Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
    (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
    (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        Handle clobbers of the Availability for a local by walking the heap and looking for
        any materializations that are relying on the same machine local as the one we're
        clobbering. This is O(n) but that's probably fine since the materialization heap
        tends to be small.

    Originally-landed-as: 289651.482@safari-7621-branch (662148187562). rdar://157793955
    Canonical link: https://commits.webkit.org/298431@main

Canonical link: https://commits.webkit.org/298234.37@webkitglib/2.50


  Commit: 221e405d67ede78cdf291d5c344d235709ff7916
      https://github.com/WebKit/WebKit/commit/221e405d67ede78cdf291d5c344d235709ff7916
  Author: Vassili Bykov <v_by...@apple.com>
  Date:   2025-08-26 (Tue, 26 Aug 2025)

  Changed paths:
    M Source/JavaScriptCore/wasm/WasmOperations.cpp

  Log Message:
  -----------
  Cherry-pick 298432@main (778a182a97ca). https://bugs.webkit.org/show_bug.cgi?id=292705

    operationJSToWasmEntryWrapperBuildReturnFrame may return early without fully initializing an array created by tryCreateUninitializedRestricted
    https://bugs.webkit.org/show_bug.cgi?id=292705
    rdar://150360109

    Reviewed by Daniel Liu and Yusuke Suzuki.

    The two places where the function exits on an exception are now changed to first call a function
    that will initialize the remainder of the array with jsUndefined.

    Originally-landed-as: 289651.501@safari-7621-branch (8ba9671cffb6). rdar://157793833
    Canonical link: https://commits.webkit.org/298432@main

Canonical link: https://commits.webkit.org/298234.38@webkitglib/2.50
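The failure mode this commit closes, as an added illustration that is not JavaScriptCore's code: a factory hands back an array whose slots are deliberately left uninitialized for speed, the filling loop bails out on a pending exception, and every slot after the bail-out point still holds whatever the allocator left there. Anything that later walks the array (a garbage collector, a caller reading the return frame) treats that garbage as a live value. The fix shape is the one the message describes: write undefined into the remainder before every exit. Names (`Array`, `buildReturnFrameBuggy`, `buildReturnFrameFixed`, `initializeRemainder`), the poison pattern standing in for uninitialized memory, and the sample inputs are all constructed for this example.

```cpp
// Added example, not JavaScriptCore code. Models a return-frame builder that
// receives an uninitialized array and may exit early on an exception.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Stand-in for a JS value. 0 plays the role of jsUndefined; anything else is
// "some value a reader would try to interpret".
using Value = std::uintptr_t;
constexpr Value kUndefined = 0;

// Stand-in for memory handed back by an uninitialized-allocation fast path.
// Real uninitialized memory is unpredictable; the poison lets the test detect
// slots that were never written.
constexpr Value kPoison = static_cast<Value>(0xDEADBEEFDEADBEEFULL);

struct Array {
    std::vector<Value> slots;
    explicit Array(std::size_t n) : slots(n, kPoison) {}  // "uninitialized" contents
};

// Simulated conversion of one raw wasm return value into a JS value. The
// sentinel input models a conversion that throws (exception now pending).
constexpr std::uint64_t kThrowingInput = ~static_cast<std::uint64_t>(0);

static bool convert(std::uint64_t raw, Value& out) {
    if (raw == kThrowingInput)
        return false;                       // exception pending, no value produced
    out = static_cast<Value>(raw) + 1;      // never collides with kUndefined
    return true;
}

// Buggy shape: on exception, return immediately. Slots [i, n) keep the poison,
// i.e. whatever the allocator left behind.
Array buildReturnFrameBuggy(const std::vector<std::uint64_t>& raw, bool& threw) {
    Array result(raw.size());
    threw = false;
    for (std::size_t i = 0; i < raw.size(); ++i) {
        Value v;
        if (!convert(raw[i], v)) {
            threw = true;
            return result;                  // early exit with a half-filled array
        }
        result.slots[i] = v;
    }
    return result;
}

// Fixed shape: every exit path first makes the remainder well-formed.
static void initializeRemainder(Array& a, std::size_t from) {
    for (std::size_t i = from; i < a.slots.size(); ++i)
        a.slots[i] = kUndefined;
}

Array buildReturnFrameFixed(const std::vector<std::uint64_t>& raw, bool& threw) {
    Array result(raw.size());
    threw = false;
    for (std::size_t i = 0; i < raw.size(); ++i) {
        Value v;
        if (!convert(raw[i], v)) {
            initializeRemainder(result, i);  // the fix: no slot is left unwritten
            threw = true;
            return result;
        }
        result.slots[i] = v;
    }
    return result;
}

// What a GC or a later reader effectively does: count slots still holding
// uninitialized memory.
std::size_t countUninitialized(const Array& a) {
    std::size_t n = 0;
    for (Value v : a.slots)
        if (v == kPoison) ++n;
    return n;
}

// Constructed sample input: third conversion throws, two values remain unfilled after it.
static const std::vector<std::uint64_t> kSampleInput{1, 2, kThrowingInput, 4, 5};

std::size_t runBuggyScenario() {
    bool threw = false;
    Array a = buildReturnFrameBuggy(kSampleInput, threw);
    return threw ? countUninitialized(a) : static_cast<std::size_t>(-1);
}

std::size_t runFixedScenario() {
    bool threw = false;
    Array a = buildReturnFrameFixed(kSampleInput, threw);
    return threw ? countUninitialized(a) : static_cast<std::size_t>(-1);
}

int main() {
    std::printf("buggy: %zu uninitialized slots\n", runBuggyScenario());
    std::printf("fixed: %zu uninitialized slots\n", runFixedScenario());
    return 0;
}
```

The point to carry over when reviewing code of this shape: an allocation that skips initialization moves the invariant "every slot holds a valid value" onto every exit path of the filling loop, including the exceptional ones, and a thrown exception is exactly the path that tends to be forgotten.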


  Commit: 6a122747826f32a8418a650e265450a51b5b4592
      https://github.com/WebKit/WebKit/commit/6a122747826f32a8418a650e265450a51b5b4592
  Author: Yusuke Suzuki <ysuz...@apple.com>
  Date:   2025-08-26 (Tue, 26 Aug 2025)

  Changed paths:
    A JSTests/wasm/stress/js-to-wasm-stackoverflow.js
    M Source/JavaScriptCore/llint/WebAssembly.asm
    M Source/JavaScriptCore/wasm/js/JSToWasm.cpp

  Log Message:
  -----------
  Cherry-pick 298433@main (5708aba55c8a). https://bugs.webkit.org/show_bug.cgi?id=292593

    Segmentation fault in JSC with testcase with Wasm SIMD instructions
    https://bugs.webkit.org/show_bug.cgi?id=292593
    rdar://150748445

    Reviewed by Keith Miller and Daniel Liu.

    When using throwing-from-wasm,

    1. Callee needs to be wasm callee. In this case, we should store
       JSEntrypointCallee.
    2. We should not restore callee saves. By setting (1), unwinding will do
       that for us by using JSEntrypointCallee's callee save information.

    * JSTests/wasm/stress/js-to-wasm-stackoverflow.js: Added.
    (F1):
    * Source/JavaScriptCore/llint/WebAssembly.asm:
    * Source/JavaScriptCore/wasm/js/JSToWasm.cpp:
    (JSC::Wasm::createJSToWasmJITShared):

    Originally-landed-as: 289651.503@safari-7621-branch (e473f4ac0618). rdar://157793590
    Canonical link: https://commits.webkit.org/298433@main

Canonical link: https://commits.webkit.org/298234.39@webkitglib/2.50


  Commit: 2a8cf4a31194d970c8d3ebe06b0619120acf8c62
      https://github.com/WebKit/WebKit/commit/2a8cf4a31194d970c8d3ebe06b0619120acf8c62
  Author: Yijia Huang <yijia_hu...@apple.com>
  Date:   2025-08-26 (Tue, 26 Aug 2025)

  Changed paths:
    A JSTests/stress/instanceof-get-by-status-for-prototype-from-llint.js
    M Source/JavaScriptCore/bytecode/GetByStatus.cpp

  Log Message:
  -----------
  Cherry-pick 298434@main (7c717467e675). https://bugs.webkit.org/show_bug.cgi?id=292886

    [JSC] Fix incorrect identifier in GetByStatus for fused instanceof
    https://bugs.webkit.org/show_bug.cgi?id=292886
    rdar://151178966

    Reviewed by Yusuke Suzuki.

    The fused instanceof bytecode uses GetByStatus to optimize property access
    for prototype lookup. Previously, it incorrectly mapped the getPrototype
    checkpoint to the "value" property instead of "prototype". This patch corrects
    the identifier to vm.propertyNames->prototype.

    * JSTests/stress/instanceof-get-by-status-for-prototype-from-llint.js: Added.
    (mod6):
    (require_x_is_array.__commonJS.):
    (__copyProps.get return):
    (__copyProps):
    * Source/JavaScriptCore/bytecode/GetByStatus.cpp:
    (JSC::GetByStatus::computeFromLLInt):

    Originally-landed-as: 289651.507@safari-7621-branch (d318c79f1dca). rdar://157793116
    Canonical link: https://commits.webkit.org/298434@main

Canonical link: https://commits.webkit.org/298234.40@webkitglib/2.50


  Commit: 7530bd6041ef7cf470b170890f9403d57d0691b7
      https://github.com/WebKit/WebKit/commit/7530bd6041ef7cf470b170890f9403d57d0691b7
  Author: Daniel Liu <danl...@umich.edu>
  Date:   2025-08-26 (Tue, 26 Aug 2025)

  Changed paths:
    M Source/WebCore/bindings/js/SerializedScriptValue.cpp

  Log Message:
  -----------
  Cherry-pick 298435@main (e2c683712318). https://bugs.webkit.org/show_bug.cgi?id=292783

    Fix more missing exception checks in SerializedScriptValue
    https://bugs.webkit.org/show_bug.cgi?id=292783
    rdar://150766136

    Reviewed by Yusuke Suzuki.

    The deserializer fuzzer has found more missing exception checks.

    * Source/WebCore/bindings/js/SerializedScriptValue.cpp:
    (WebCore::CloneDeserializer::startVisitNamedMember):
    (WebCore::CloneDeserializer::objectEndVisitNamedMember):
    (WebCore::CloneDeserializer::deserialize):
    (WebCore::SerializedScriptValue::deserialize):

    Originally-landed-as: 289651.508@safari-7621-branch (21c2ff503451). rdar://157792930
    Canonical link: https://commits.webkit.org/298435@main

Canonical link: https://commits.webkit.org/298234.41@webkitglib/2.50


Compare: https://github.com/WebKit/WebKit/compare/a04f6b19ff6e...7530bd6041ef
