Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e638840dd2cdd52550b4078833836974c348adaa
https://github.com/WebKit/WebKit/commit/e638840dd2cdd52550b4078833836974c348adaa
Author: Yijia Huang <[email protected]>
Date: 2026-05-26 (Tue, 26 May 2026)
Changed paths:
A JSTests/stress/ftl-materialize-new-array-with-butterfly.js
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
[JSC] Fix GC safety for sunk contiguous array materialization in FTL
https://bugs.webkit.org/show_bug.cgi?id=310223
rdar://172827445
Reviewed by Yusuke Suzuki.
compileMaterializeNewArrayWithButterfly writes element values into a raw butterfly before allocating the JSArray header. For contiguous arrays the element values are GC cell pointers, but their last B3 use is the store64 into the butterfly. B3 backward liveness therefore marks them dead at that point, so they are absent from the stack when allocateJSArray's slow path triggers a collection — the butterfly is unowned and the GC does not trace its contents.

Fix by collecting contiguous element values and calling ensureStillAliveHere after allocateJSArray. This inserts a zero-instruction patchpoint that is a formal B3 use of each value, extending their liveness backward through the allocation slow path and forcing them onto the stack where the GC conservative scanner can find them.

INT32 and DOUBLE elements are not cell pointers and need no treatment.
Test: JSTests/stress/ftl-materialize-new-array-with-butterfly.js
Originally-landed-as: 305413.530@rapid/safari-7624.2.5.110-branch (ad7a71bb3efe). rdar://176062025
Canonical link: https://commits.webkit.org/313923@main
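The liveness argument in the commit message, as an added illustration that is not WebKit code: a toy backward liveness pass over a constructed straight-line sequence modelled on compileMaterializeNewArrayWithButterfly, run once without and once with the ensureStillAliveHere use. The instruction texts, the two element values elem0/elem1 and their def/use sets are assumptions for illustration, not the real B3 IR.

```cpp
#include <cstddef>
#include <set>
#include <string>
#include <vector>

// One straight-line instruction: the values it defines and the values it uses.
struct Instr {
    std::string text;
    std::vector<std::string> defs;
    std::vector<std::string> uses;
};

// Backward liveness over straight-line code (no branches, so one pass suffices):
// live_out(i) = live_in(i+1), live_in(i) = uses(i) union (live_out(i) minus defs(i)).
// Returns live_out for each instruction: the values that must survive past it.
std::vector<std::set<std::string>> liveOutSets(const std::vector<Instr>& code) {
    std::vector<std::set<std::string>> liveOut(code.size());
    std::set<std::string> live; // live_in of the instruction processed last
    for (size_t i = code.size(); i-- > 0;) {
        liveOut[i] = live;
        for (const auto& d : code[i].defs) live.erase(d);
        for (const auto& u : code[i].uses) live.insert(u);
    }
    return liveOut;
}

// Constructed sequence (assumption, not the real lowering): element cells are stored
// into the raw butterfly, the JSArray header is allocated (its slow path may GC),
// then the butterfly is attached. elem0/elem1 are inputs defined earlier.
const size_t kAllocIndex = 3; // position of allocateJSArray in the sequence below
std::vector<Instr> materializeSequence(bool withEnsureStillAlive) {
    std::vector<Instr> code = {
        {"butterfly = allocateButterfly()", {"butterfly"}, {}},
        {"store64(elem0, butterfly + 0)", {}, {"elem0", "butterfly"}},
        {"store64(elem1, butterfly + 8)", {}, {"elem1", "butterfly"}},
        {"array = allocateJSArray()  // slow path may collect", {"array"}, {}},
    };
    if (withEnsureStillAlive) // zero-instruction patchpoint that is a formal use
        code.push_back({"ensureStillAliveHere(elem0, elem1)", {}, {"elem0", "elem1"}});
    code.push_back({"storePtr(butterfly, array.butterfly)", {}, {"butterfly", "array"}});
    return code;
}

// True only if both element cells are live across the allocation, i.e. the
// compiler must keep them alive (per the commit: on the stack) across the slow path.
bool elementsLiveAcrossAllocation(bool withEnsureStillAlive) {
    auto liveOut = liveOutSets(materializeSequence(withEnsureStillAlive));
    return liveOut[kAllocIndex].count("elem0") == 1 && liveOut[kAllocIndex].count("elem1") == 1;
}
```

Without the formal use, the last use of elem0/elem1 is the store64, so they are dead at the allocation and nothing obliges the compiler to preserve them; with it, both are live across the slow path.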