Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 87b4375777a305de9beabee9d7153771ae982df7
https://github.com/WebKit/WebKit/commit/87b4375777a305de9beabee9d7153771ae982df7
  Author: Shu-yu Guo <[email protected]>
  Date:   2026-05-22 (Fri, 22 May 2026)

  Changed paths:
    A JSTests/stress/osr-exit-scratch-buffer-gc.js
    M Source/JavaScriptCore/dfg/DFGOSRExit.cpp
    M Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp

  Log Message:
  -----------
  [JSC] Scan OSR exits' ScratchBuffers
https://bugs.webkit.org/show_bug.cgi?id=309599
rdar://172203433

Reviewed by Yijia Huang and Yusuke Suzuki.

DFG and FTL OSR exits use ScratchBuffers when shuffling the stack during the
exit itself. If the stack is overwritten, it's possible that the ScratchBuffer
becomes the sole retainer of the previously on-stack pointers. These buffers
are treated as conservative roots by the GC according to their activeLength,
which the OSR exits weren't setting. This PR fixes that by setting the
activeLength.

Test: JSTests/stress/osr-exit-scratch-buffer-gc.js

* JSTests/stress/osr-exit-scratch-buffer-gc.js: Added.
(opt):
(main):
* Source/JavaScriptCore/dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::compileExit):
* Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):

Originally-landed-as: 305413.448@rapid/safari-7624.2.5.110-branch (6c8c0aa26b94). rdar://176065320
Canonical link: https://commits.webkit.org/313732@main
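The failure mode the commit message describes (a ScratchBuffer that is the only remaining holder of a pointer once the stack has been rewritten, but that the collector scans only up to its activeLength) can be modelled in a few dozen lines. The following is an added illustration written for this page, not JavaScriptCore code; `Heap`, `Cell`, `ScratchBuffer`, `scanScratchBuffer` and `cellSurvivesExit` are simplified, hypothetical names, and the "stack" and heap are constructed inline. It shows that with activeLength left at zero the conservative scan finds nothing, and that setting activeLength to cover the spilled words is what makes the object reachable again.

```cpp
// Added illustration (not WebKit/JSC code): a minimal model of a conservative
// GC that treats a scratch buffer as a root only up to its activeLength.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

struct Cell {
    bool marked = false;
    uint64_t payload = 0;
};

// A toy heap: just the set of live cell addresses, so a word can be checked
// for being a pointer into the heap (the "conservative" part).
struct Heap {
    std::vector<Cell*> cells;

    bool contains(const void* p) const {
        return std::find(cells.begin(), cells.end(), static_cast<const Cell*>(p)) != cells.end();
    }
};

// Hypothetical scratch buffer: raw word storage plus the number of bytes the
// collector has been told are live.
struct ScratchBuffer {
    std::vector<uintptr_t> data;
    size_t activeLength = 0;   // bytes the GC will scan; zero means "nothing"

    void setActiveLength(size_t bytes) { activeLength = bytes; }
};

// Conservative scan of one scratch buffer: every word inside the active region
// that happens to equal a heap cell address marks that cell. Returns the number
// of cells newly marked.
size_t scanScratchBuffer(Heap& heap, ScratchBuffer& buf) {
    size_t newlyMarked = 0;
    size_t words = std::min(buf.activeLength / sizeof(uintptr_t), buf.data.size());
    for (size_t i = 0; i < words; ++i) {
        void* candidate = reinterpret_cast<void*>(buf.data[i]);
        if (!heap.contains(candidate))
            continue;
        Cell* cell = static_cast<Cell*>(candidate);
        if (!cell->marked) {
            cell->marked = true;
            ++newlyMarked;
        }
    }
    return newlyMarked;
}

// Simulate the exit sequence: the optimized frame's slots are copied into the
// scratch buffer, the stack is overwritten with the new frame layout, and a GC
// scan runs before the values are copied back. Returns true if the cell that
// was only referenced from the stack is still found by the collector.
bool cellSurvivesExit(bool setActiveLength) {
    Cell cell;
    Heap heap;
    heap.cells.push_back(&cell);

    // Constructed "stack": one slot holds the cell pointer, one holds an int.
    uintptr_t stack[2] = { reinterpret_cast<uintptr_t>(&cell), 0x1234 };

    ScratchBuffer scratch;
    scratch.data.assign(stack, stack + 2);          // spill the frame into the buffer
    if (setActiveLength)
        scratch.setActiveLength(sizeof(stack));     // the fix: tell the GC what is live

    stack[0] = 0;                                   // stack rewritten for the target frame
    stack[1] = 0;

    // The scratch buffer is now the sole retainer of &cell. A conservative scan
    // of the stack would find nothing, so only the buffer scan can save it.
    scanScratchBuffer(heap, scratch);
    return cell.marked;
}

int main() {
    std::printf("activeLength unset: cell %s\n", cellSurvivesExit(false) ? "kept" : "LOST");
    std::printf("activeLength set:   cell %s\n", cellSurvivesExit(true) ? "kept" : "LOST");
    return 0;
}
```

The model deliberately keeps the heap as a flat list and the scan as a linear sweep; the point is only the dependence on `activeLength`. In the real engine the activeLength is a field the generated exit code stores into, so a regression test like the one added in this commit has to run a collection while the exit is in flight to observe the difference.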