Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 0dbabc018f3f222e0b93def93bccb3342f707ff6
https://github.com/WebKit/WebKit/commit/0dbabc018f3f222e0b93def93bccb3342f707ff6
Author: Yijia Huang <[email protected]>
Date: 2026-03-16 (Mon, 16 Mar 2026)
Changed paths:
A JSTests/stress/ftl-osr-exit-stack-overflow-phantom-array.js
M Source/JavaScriptCore/ftl/FTLOperations.cpp
Log Message:
-----------
[JSC] Crash when PhantomNewArrayWithButterfly handles exception
https://bugs.webkit.org/show_bug.cgi?id=309232
rdar://172350200
Reviewed by Yusuke Suzuki.
When a stack overflow is caught by try/catch inside an FTL-compiled function,
the GenericUnwind OSR exit stub runs operationPopulateObjectInOSR to materialize
phantom array allocations before transferring control to the catch handler.
At this point vm.exception() is already set to the StackOverflow exception,
causing assertNoExceptionExceptTermination() after putDirectIndex to falsely fire
on the pre-existing exception rather than a new one from putDirectIndex itself.
Fix by adding SuspendExceptionScope before the putDirectIndex loop in the
PhantomNewArrayWithButterfly case. This temporarily nullifies vm.exception() so
the assertion correctly guards only new exceptions, then restores it on scope
exit so the catch handler can consume the original exception.
Test: JSTests/stress/ftl-osr-exit-stack-overflow-phantom-array.js
Canonical link: https://commits.webkit.org/309377@main
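The failure mode described in the commit message (a "no new exception" check tripping on an exception that was already pending) and the RAII suspend/restore fix are easy to reproduce outside the engine. The following is an added illustration, not WebKit or JavaScriptCore code: ToyVM, SuspendScope, storeElement and the materialize* functions are invented stand-ins for vm.exception(), SuspendExceptionScope, putDirectIndex and the OSR materialization loop.

```cpp
// Added example (not WebKit code). A toy VM with one pending-exception slot shows
// why a pre-existing exception makes a post-store "no new exception" check misfire,
// and how an RAII scope that suspends and restores the exception fixes it.
#include <cstddef>
#include <string>
#include <vector>

struct ToyVM {
    std::string pendingException;   // empty string means "no exception pending"
    bool hasException() const { return !pendingException.empty(); }
};

// RAII helper (invented, modelled on the idea of SuspendExceptionScope): stash the
// current exception, clear the slot, and put the saved exception back on scope exit
// so a later catch handler still sees the original one.
class SuspendScope {
public:
    explicit SuspendScope(ToyVM& vm) : m_vm(vm), m_saved(vm.pendingException) { m_vm.pendingException.clear(); }
    ~SuspendScope() { m_vm.pendingException = m_saved; }
private:
    ToyVM& m_vm;
    std::string m_saved;
};

// Stand-in for an indexed store: raises only when the index is out of range.
static bool storeElement(ToyVM& vm, std::vector<int>& storage, size_t index, int value) {
    if (index >= storage.size()) {
        vm.pendingException = "RangeError: index " + std::to_string(index);
        return false;
    }
    storage[index] = value;
    return true;
}

// Without suspension: returns true if the post-store check saw an exception.
// A StackOverflow that was pending before the loop trips it even though every store succeeded.
static bool materializeUnsuspended(ToyVM& vm, std::vector<int>& storage, const std::vector<int>& values) {
    bool checkFired = false;
    for (size_t i = 0; i < values.size(); ++i) {
        storeElement(vm, storage, i, values[i]);
        if (vm.hasException())   // stands in for assertNoExceptionExceptTermination()
            checkFired = true;
    }
    return checkFired;
}

// With suspension: the check only sees exceptions raised by the stores themselves,
// and the original exception is restored when the scope ends. (In the real engine the
// check is an assertion that aborts, so a new exception is never silently overwritten.)
static bool materializeSuspended(ToyVM& vm, std::vector<int>& storage, const std::vector<int>& values) {
    bool checkFired = false;
    {
        SuspendScope scope(vm);
        for (size_t i = 0; i < values.size(); ++i) {
            storeElement(vm, storage, i, values[i]);
            if (vm.hasException())
                checkFired = true;
        }
    }
    return checkFired;
}
```

The first function reproduces the bug (the check fires on the stale exception), the second mirrors the fix: the check is quiet when all stores succeed, still fires on a genuinely new out-of-range store, and the original exception is back in place afterwards.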