Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 66f509e2dccd7bdd2eb177f16d3ed87383143aba
      
https://github.com/WebKit/WebKit/commit/66f509e2dccd7bdd2eb177f16d3ed87383143aba
  Author: Yijia Huang <[email protected]>
  Date:   2026-02-25 (Wed, 25 Feb 2026)

  Changed paths:
    M Source/JavaScriptCore/bytecode/CodeBlock.cpp

  Log Message:
  -----------
  [JSC] Handle jettison during compilation finalization for DFG quick tier up
rdar://171122738
https://bugs.webkit.org/show_bug.cgi?id=308598

Reviewed by Mark Lam.

Remove incorrect assertion and handle the case where watchpoints fire
during DFG compilation finalization, before code installation completes.

Under memory pressure, ArrayBufferViewWatchpointAdaptor::add() can fail
to allocate an ArrayBuffer (via slowDownAndWasteMemory()) and immediately
fire the watchpoint. This triggers jettison while the quick tier-up flag
is still Indeterminate, before didInstallDFGCode() is called.

The sequence:
operationOptimize() -> Plan::finalize() -> reallyAdd()
-> ArrayBuffer::tryCreate() fails (OOM)
-> watchpoint.fire(JettisonDueToUnprofiledWatchpoint)
-> didDFGJettison() called with flag = Indeterminate

The fix only updates the flag if it was already set (True -> False),
which represents real speculation failure after code execution. If the
flag is Indeterminate, leave it unchanged - the jettison was due to
environmental factors (OOM, GC pressure) during compilation, not code
quality issues. The function deserves a fair retry without penalty.

State transitions:
Indeterminate -> True:          didInstallDFGCode() (successful install)
Indeterminate -> False:         didFailDFGCompilation() (compilation failed)
True -> False:                  didDFGJettison() (post-install speculation failure)
Indeterminate -> Indeterminate: didDFGJettison() (environmental issue)

This issue is exposed by the stress test [1] under memory pressure.

Test:
[1] stress/array-buffer-view-watchpoint-can-be-fired-in-really-add-in-dfg.js

Canonical link: https://commits.webkit.org/308249@main
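
The flag transitions listed in the log message, as an added C++ model that is not WebKit source and not part of this commit. `QuickTierUpFlag`, `finalizePlan()` and the enum are names made up for the model, and it assumes a plan jettisoned during finalization is not installed afterwards.

```cpp
#include <cstdio>

// Added model, not WebKit code: the tri-state quick tier-up flag.
enum class TriState { Indeterminate, False, True };

struct QuickTierUpFlag {
    TriState state = TriState::Indeterminate;

    // Only the four transitions named in the log message are modelled.
    // Any other call is a no-op here (assumption of this model).

    // Indeterminate -> True: DFG code installed successfully.
    void didInstallDFGCode() { if (state == TriState::Indeterminate) state = TriState::True; }

    // Indeterminate -> False: compilation itself failed.
    void didFailDFGCompilation() { if (state == TriState::Indeterminate) state = TriState::False; }

    // True -> False: speculation failed after the code ran.
    // Indeterminate stays Indeterminate: the jettison came before install,
    // so the function is not penalised and no assertion is needed.
    void didDFGJettison() { if (state == TriState::True) state = TriState::False; }
};

// Hypothetical stand-in for Plan::finalize() -> reallyAdd(). When the
// watchpoint's allocation fails, the watchpoint fires and jettison runs
// while the flag is still Indeterminate, before any install.
bool finalizePlan(QuickTierUpFlag& flag, bool allocationSucceeds)
{
    if (!allocationSucceeds) {
        flag.didDFGJettison();
        return false; // assumption: nothing is installed after the jettison
    }
    flag.didInstallDFGCode();
    return true;
}

int main()
{
    static const char* names[] = { "Indeterminate", "False", "True" };
    QuickTierUpFlag flag;
    finalizePlan(flag, false); // OOM during finalization
    std::printf("after OOM jettison:   %s\n", names[static_cast<int>(flag.state)]);
    finalizePlan(flag, true);  // retry without penalty
    std::printf("after retry install:  %s\n", names[static_cast<int>(flag.state)]);
    flag.didDFGJettison();     // real speculation failure
    std::printf("after real jettison:  %s\n", names[static_cast<int>(flag.state)]);
    return 0;
}
```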
