Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5980a4242cc7c060f5f3367eaac2a6480d17eb76
https://github.com/WebKit/WebKit/commit/5980a4242cc7c060f5f3367eaac2a6480d17eb76
Author: Yusuke Suzuki <[email protected]>
Date: 2026-03-06 (Fri, 06 Mar 2026)
Changed paths:
M Source/JavaScriptCore/bytecode/CodeBlock.cpp
M Source/JavaScriptCore/debugger/DebuggerScope.cpp
M Source/JavaScriptCore/runtime/JSGlobalObject.cpp
M Source/JavaScriptCore/runtime/JSGlobalObject.h
M Source/JavaScriptCore/runtime/SymbolTable.cpp
M Source/JavaScriptCore/runtime/SymbolTable.h
Log Message:
-----------
[JSC] Cloned SymbolTable needs to be cached per JSGlobalObject
https://bugs.webkit.org/show_bug.cgi?id=309335
rdar://171878104
Reviewed by Keith Miller.
We observed a failure in JSTests/wasm/stress/bbq-parallel-move.js.
The reason is CodeBlock jettisoning. The DFG JIT incorrectly
constant-folds a captured let variable (log) in a closure. The
variable is reassigned in a loop (log = []), but DFG treats it
as constant because the WatchpointSet it observes is never invalidated.
The cause of this issue is that SymbolTable::cloneScopePart()
creates new SymbolTableEntry objects (slim, no WatchpointSet)
instead of copying them. When a CodeBlock is jettisoned and
re-created (common with eager jettison timing + async/await),
the new CodeBlock gets a fresh clone with a fresh WatchpointSet.
The op_put_to_scope in the new CodeBlock fires the new WatchpointSet,
but the live JSLexicalEnvironment still references the old clone's
WatchpointSet (which remains IsWatched). DFG reads the old clone
from the environment, sees IsWatched, and incorrectly constant-folds.
The right fix is that we should use the same SymbolTable even when the CodeBlock
is recreated, per JSGlobalObject. So this patch creates a WeakGCMap cache
in JSGlobalObject which dedupes cloned SymbolTables so long as the cloned one
is still alive.
We also remove rareDataCodeBlock as SymbolTable and CodeBlock are not
one-to-one anymore.
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::setConstantRegisters):
* Source/JavaScriptCore/debugger/DebuggerScope.cpp:
(JSC::DebuggerScope::name const):
(JSC::DebuggerScope::location const):
* Source/JavaScriptCore/runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::JSGlobalObject):
* Source/JavaScriptCore/runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::symbolTableCache):
* Source/JavaScriptCore/runtime/SymbolTable.cpp:
(JSC::SymbolTable::visitChildrenImpl):
(JSC::SymbolTable::cloneScopePart):
(JSC::SymbolTable::inferredName):
(JSC::SymbolTable::debuggerLocation):
(JSC::SymbolTable::collectDebuggerInfo):
(JSC::SymbolTable::rareDataCodeBlock): Deleted.
(JSC::SymbolTable::setRareDataCodeBlock):
* Source/JavaScriptCore/runtime/SymbolTable.h:
Canonical link: https://commits.webkit.org/308812@main
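As an added illustration (not part of the commit or of the WebKit test it names), the variable pattern the message describes, written as a self-checking regression-style probe: a closure captures a `let` binding that the enclosing loop reassigns, and the check only passes if the closure observed every reassignment rather than a folded constant. The function names `run`, `record` and `closureSawEveryReassignment` are this example's own; the async/await timing the commit mentions is not reproduced.

```javascript
'use strict';

// Runs the captured-let pattern for a given number of iterations and returns
// the array each closure call observed. A hot loop is used so a tiering JIT
// has a chance to compile `record` while `log` keeps being reassigned.
function run(iterations) {
  let log = [];                 // captured `let`, reassigned every iteration
  const snapshots = [];

  // `record` reads `log` through the lexical environment. An optimizer may only
  // treat `log` as a constant while no store to it has been observed, so the
  // assignment in the loop below must invalidate that assumption.
  function record(value) {
    log.push(value);
    return log;
  }

  for (let i = 0; i < iterations; i++) {
    log = [];                   // the store a compiler must not fold away
    snapshots.push(record(i));
  }
  return snapshots;
}

// Returns true when every call to `record` saw the freshly assigned array:
// each snapshot is a distinct array holding exactly its own iteration index.
// If the closure were reading a stale, constant-folded `log`, all indices
// would pile up in one shared array and this check would fail.
function closureSawEveryReassignment(iterations) {
  const snapshots = run(iterations);
  if (snapshots.length !== iterations) return false;
  for (let i = 0; i < iterations; i++) {
    const s = snapshots[i];
    if (s.length !== 1 || s[0] !== i) return false;
    if (i > 0 && s === snapshots[i - 1]) return false;
  }
  return true;
}
```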