Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: bef9d709cd1cb2be8826da4937546b37d22ed011
https://github.com/WebKit/WebKit/commit/bef9d709cd1cb2be8826da4937546b37d22ed011
  Author: Keith Miller <[email protected]>
  Date:   2025-11-20 (Thu, 20 Nov 2025)

  Changed paths:
    A JSTests/stress/array-sink-materialize-cycle-break-in-exit-invalid.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGCSEPhase.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGCloneHelper.h
    M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGMayExit.cpp
    M Source/JavaScriptCore/dfg/DFGNode.h
    M Source/JavaScriptCore/dfg/DFGNodeType.h
    M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
    M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp
    M Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp
    M Source/JavaScriptCore/dfg/DFGTypeCheckHoistingPhase.cpp
    M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  Array allocation sinking materialize needs to work without exitOK
https://bugs.webkit.org/show_bug.cgi?id=302747
rdar://164644155

Reviewed by Justin Michaud and Yusuke Suzuki.

Right now we can fail validation when ObjectAllocationSinking ends up
materializing an Array at an exit invalid node. This is because the
PutByVal we used reports that it could exit in mayExit. This is really
a false positive because we can never store out of bounds and the edges
should already be checked.

This patch makes PutByValAlias no longer report that it exits (unless
an edge speculation would fail or for TypedArrays) to work around this.
It is already the case that PutByValAlias does not exit (except for
TypedArrays, although that could be fixed).

To clarify this new use with ObjectAllocationSinking, PutByValAlias
has also been renamed to PutByValDirectResolved.

Test: JSTests/stress/array-sink-materialize-cycle-break-in-exit-invalid.js
Canonical link: https://commits.webkit.org/303353@main