Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 74854431b5e558e19bc772cfbbef92e5fd54fbaa
https://github.com/WebKit/WebKit/commit/74854431b5e558e19bc772cfbbef92e5fd54fbaa
Author: Yijia Huang <[email protected]>
Date: 2025-03-29 (Sat, 29 Mar 2025)
Changed paths:
A JSTests/stress/array-allocation-sink-2.js
A JSTests/stress/array-allocation-sink-3.js
M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
M Source/JavaScriptCore/dfg/DFGValidate.cpp
Log Message:
-----------
[JSC] Fix incorrect exit state handling during array allocation sinking
https://bugs.webkit.org/show_bug.cgi?id=290587
rdar://148062353
Reviewed by Yusuke Suzuki.
Fixes an issue in the DFG Object Allocation Sinking phase where insertion order of nodes after PutByVal could lead to inconsistent exit state assumptions. Specifically, a Check node inserted after a PutHint caused validation to fail because both clobber exit state and no ExitOK was emitted in between. This patch moves the Check node before the PutHint to maintain consistent clobbering assumptions and preserve validation correctness.
Also adds special-case validation for GetButterfly nodes referencing phantom allocations, which are expected to be cleaned up in later phases.
This ensures DFG validation passes cleanly and maintains correctness during OSR exit handling in optimized array materializations.
* JSTests/stress/array-allocation-sink-2.js: Added.
* JSTests/stress/array-allocation-sink-3.js: Added.
(assert):
(run):
(assert.test):
(run.test):
* Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:
* Source/JavaScriptCore/dfg/DFGValidate.cpp:
Canonical link: https://commits.webkit.org/292900@main