Branch: refs/heads/webkitglib/2.50
Home:   https://github.com/WebKit/WebKit

Commit: c29cac702a2eb1300268ca9f8db27f4b128841ab
    https://github.com/WebKit/WebKit/commit/c29cac702a2eb1300268ca9f8db27f4b128841ab
Author: Keith Miller <keith_mil...@apple.com>
Date:   2025-08-26 (Tue, 26 Aug 2025)

Changed paths:
  A JSTests/stress/osr-availability-heap-materialization-clobbered.js
  M Source/JavaScriptCore/dfg/DFGAvailabilityMap.cpp
  M Source/JavaScriptCore/dfg/DFGAvailabilityMap.h
  M Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.cpp
  M Source/JavaScriptCore/dfg/DFGPutStackSinkingPhase.cpp
  M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
  M Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp

Log Message:
-----------
Cherry-pick 298431@main (90aa8070e1b6). https://bugs.webkit.org/show_bug.cgi?id=291742

    [JSC]ASSERTION FAILED: from.isCell() at jsCast
    https://bugs.webkit.org/show_bug.cgi?id=291742
    rdar://149546133

    Reviewed by Yusuke Suzuki.

    OSRAvailabilityAnalysisPhase needs to update the Availability in the heap when a local on the stack gets clobbered. If we don't then when materializing an object for OSR we could read a random value (possibly in a different format, although I'm not 100% sure) for a type confusion.

    ArgumentsEliminationPhase only does `computeInterference` at the head of each block. This sorta works because in most cases if a PutStack will clobber the recovery value then we'll end up escaping the candidate. Unfortunately, with the previous rules this was both overly conservative and too weak. Too weak because we could clobber the necessary local without updating Availability so we'd use the wrong value (this bug). Too conservative because the value could still be recoverable via SSA (not fixed here).

    * Source/JavaScriptCore/dfg/DFGAvailabilityMap.cpp:
    (JSC::DFG::AvailabilityMap::filterByLiveness):
    (JSC::DFG::AvailabilityMap::pruneByLiveness):
    Add a filterByLiveness that non-destructively returns an AvailabilityMap and use that to implement pruneByLiveness as that's effectively what pruneByLiveness already does.
    (JSC::DFG::AvailabilityMap::validateAvailability const):
    Add extra validation for OSR exit availability. The new checks ensure the local's perspective on what's available matches what a materialization in the heap would see too. This validation finds the bug in the test case without requiring an assert.
    * Source/JavaScriptCore/dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
    (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
    (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
    Handle clobbers of the Availability for a local by walking the heap and looking for any materializations that are relying on the same machine local as the one we're clobbering. This is O(n) but that's probably fine since the materialization heap tends to be small.

    Originally-landed-as: 289651.482@safari-7621-branch (662148187562). rdar://157793955
    Canonical link: https://commits.webkit.org/298431@main

Canonical link: https://commits.webkit.org/298234.37@webkitglib/2.50

Commit: 221e405d67ede78cdf291d5c344d235709ff7916
    https://github.com/WebKit/WebKit/commit/221e405d67ede78cdf291d5c344d235709ff7916
Author: Vassili Bykov <v_by...@apple.com>
Date:   2025-08-26 (Tue, 26 Aug 2025)

Changed paths:
  M Source/JavaScriptCore/wasm/WasmOperations.cpp

Log Message:
-----------
Cherry-pick 298432@main (778a182a97ca). https://bugs.webkit.org/show_bug.cgi?id=292705

    operationJSToWasmEntryWrapperBuildReturnFrame may return early without fully initializing an array created by tryCreateUninitializedRestricted
    https://bugs.webkit.org/show_bug.cgi?id=292705
    rdar://150360109

    Reviewed by Daniel Liu and Yusuke Suzuki.

    The two places where the function exits on an exception are now changed to first call a function that will initialize the remainder of the array with jsUndefined.

    Originally-landed-as: 289651.501@safari-7621-branch (8ba9671cffb6). rdar://157793833
    Canonical link: https://commits.webkit.org/298432@main

Canonical link: https://commits.webkit.org/298234.38@webkitglib/2.50

Commit: 6a122747826f32a8418a650e265450a51b5b4592
    https://github.com/WebKit/WebKit/commit/6a122747826f32a8418a650e265450a51b5b4592
Author: Yusuke Suzuki <ysuz...@apple.com>
Date:   2025-08-26 (Tue, 26 Aug 2025)

Changed paths:
  A JSTests/wasm/stress/js-to-wasm-stackoverflow.js
  M Source/JavaScriptCore/llint/WebAssembly.asm
  M Source/JavaScriptCore/wasm/js/JSToWasm.cpp

Log Message:
-----------
Cherry-pick 298433@main (5708aba55c8a). https://bugs.webkit.org/show_bug.cgi?id=292593

    Segmentation fault in JSC with testcase with Wasm SIMD instructions
    https://bugs.webkit.org/show_bug.cgi?id=292593
    rdar://150748445

    Reviewed by Keith Miller and Daniel Liu.

    When using throwing-from-wasm,
    1. Callee needs to be wasm callee. In this case, we should store JSEntrypointCallee.
    2. We should not restore callee saves. By setting (1), unwinding will do that for us by using JSEntrypointCallee's callee save information.

    * JSTests/wasm/stress/js-to-wasm-stackoverflow.js: Added.
    (F1):
    * Source/JavaScriptCore/llint/WebAssembly.asm:
    * Source/JavaScriptCore/wasm/js/JSToWasm.cpp:
    (JSC::Wasm::createJSToWasmJITShared):

    Originally-landed-as: 289651.503@safari-7621-branch (e473f4ac0618). rdar://157793590
    Canonical link: https://commits.webkit.org/298433@main

Canonical link: https://commits.webkit.org/298234.39@webkitglib/2.50

Commit: 2a8cf4a31194d970c8d3ebe06b0619120acf8c62
    https://github.com/WebKit/WebKit/commit/2a8cf4a31194d970c8d3ebe06b0619120acf8c62
Author: Yijia Huang <yijia_hu...@apple.com>
Date:   2025-08-26 (Tue, 26 Aug 2025)

Changed paths:
  A JSTests/stress/instanceof-get-by-status-for-prototype-from-llint.js
  M Source/JavaScriptCore/bytecode/GetByStatus.cpp

Log Message:
-----------
Cherry-pick 298434@main (7c717467e675). https://bugs.webkit.org/show_bug.cgi?id=292886

    [JSC] Fix incorrect identifier in GetByStatus for fused instanceof
    https://bugs.webkit.org/show_bug.cgi?id=292886
    rdar://151178966

    Reviewed by Yusuke Suzuki.

    The fused instanceof bytecode uses GetByStatus to optimize property access for prototype lookup. Previously, it incorrectly mapped the getPrototype checkpoint to the "value" property instead of "prototype". This patch corrects the identifier to vm.propertyNames->prototype.

    * JSTests/stress/instanceof-get-by-status-for-prototype-from-llint.js: Added.
    (mod6):
    (require_x_is_array.__commonJS.):
    (__copyProps.get return):
    (__copyProps):
    * Source/JavaScriptCore/bytecode/GetByStatus.cpp:
    (JSC::GetByStatus::computeFromLLInt):

    Originally-landed-as: 289651.507@safari-7621-branch (d318c79f1dca). rdar://157793116
    Canonical link: https://commits.webkit.org/298434@main

Canonical link: https://commits.webkit.org/298234.40@webkitglib/2.50

Commit: 7530bd6041ef7cf470b170890f9403d57d0691b7
    https://github.com/WebKit/WebKit/commit/7530bd6041ef7cf470b170890f9403d57d0691b7
Author: Daniel Liu <danl...@umich.edu>
Date:   2025-08-26 (Tue, 26 Aug 2025)

Changed paths:
  M Source/WebCore/bindings/js/SerializedScriptValue.cpp

Log Message:
-----------
Cherry-pick 298435@main (e2c683712318). https://bugs.webkit.org/show_bug.cgi?id=292783

    Fix more missing exception checks in SerializedScriptValue
    https://bugs.webkit.org/show_bug.cgi?id=292783
    rdar://150766136

    Reviewed by Yusuke Suzuki.

    The deserializer fuzzer has found more missing exception checks.

    * Source/WebCore/bindings/js/SerializedScriptValue.cpp:
    (WebCore::CloneDeserializer::startVisitNamedMember):
    (WebCore::CloneDeserializer::objectEndVisitNamedMember):
    (WebCore::CloneDeserializer::deserialize):
    (WebCore::SerializedScriptValue::deserialize):

    Originally-landed-as: 289651.508@safari-7621-branch (21c2ff503451). rdar://157792930
    Canonical link: https://commits.webkit.org/298435@main

Canonical link: https://commits.webkit.org/298234.41@webkitglib/2.50

Compare: https://github.com/WebKit/WebKit/compare/a04f6b19ff6e...7530bd6041ef