Branch: refs/heads/webkitglib/2.50
Home: https://github.com/WebKit/WebKit
Commit: 16691925cfca581fb9e9952a9c6f23ca09be87e7
https://github.com/WebKit/WebKit/commit/16691925cfca581fb9e9952a9c6f23ca09be87e7
Author: Keith Miller <[email protected]>
Date: 2026-03-17 (Tue, 17 Mar 2026)
Changed paths:
A JSTests/stress/array-allocation-sink-conditional-write-osr.js
A JSTests/stress/array-sink-materialize-conditional-write-argument-value.js
A JSTests/stress/array-sink-materialize-conditional-write.js
M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
Cherry-pick 300888@main (934b1e28a87a).
https://bugs.webkit.org/show_bug.cgi?id=299956
Conditional writes are incorrectly handled in Array allocation sinking
https://bugs.webkit.org/show_bug.cgi?id=299956
rdar://161681941
Reviewed by Yusuke Suzuki and Yijia Huang.
The current bottom value in ObjectAllocationSinking is incorrect for arrays.
Unlike with objects, which track conditional stores by passing the active
structure through SSA, arrays can't do this. Instead we should set the default
value to the appropriate hole value for the given IndexingShape. To make this
work I had to fix some Phi/Upsilon ResultFormat bugs since they previously
assumed everything would be a JSValue.
Also, add an ASSERT to FTL lowering that the Phi/Upsilon formats match. I
spent half a day trying to understand why I was getting zero, when the issue
was that those values disagreed and I was getting the default zero value.
Tests: JSTests/stress/array-allocation-sink-conditional-write-osr.js
JSTests/stress/array-sink-materialize-conditional-write-argument-value.js
JSTests/stress/array-sink-materialize-conditional-write.js
Canonical link: https://commits.webkit.org/300888@main
Canonical link: https://commits.webkit.org/298234.503@webkitglib/2.50
Commit: c907888b114469eeabd78c2288d06e4e8749a438
https://github.com/WebKit/WebKit/commit/c907888b114469eeabd78c2288d06e4e8749a438
Author: Keith Miller <[email protected]>
Date: 2026-03-17 (Tue, 17 Mar 2026)
Changed paths:
A JSTests/stress/array-osr-exit-materialize-hole.js
M Source/JavaScriptCore/ftl/FTLOperations.cpp
M Source/JavaScriptCore/runtime/ArrayPrototype.cpp
M Source/JavaScriptCore/runtime/Butterfly.h
M Source/JavaScriptCore/runtime/ButterflyInlines.h
M Source/JavaScriptCore/runtime/JSArray.cpp
M Source/JavaScriptCore/runtime/JSArray.h
Log Message:
-----------
Cherry-pick 300709@main (5c7aadfa0a96).
https://bugs.webkit.org/show_bug.cgi?id=299761
operationMaterializeObjectInOSR needs to initialize Butterflies it creates.
https://bugs.webkit.org/show_bug.cgi?id=299761
rdar://161317599
Reviewed by Mark Lam and Yusuke Suzuki.
Butterfly::tryCreate does *not* initialize the indexed storage it creates.
Thus when OSR exiting with a sunk Array allocation any holes in the array
were not filled and left uninitialized.
Test: JSTests/stress/array-osr-exit-materialize-hole.js
Canonical link: https://commits.webkit.org/300709@main
Canonical link: https://commits.webkit.org/298234.504@webkitglib/2.50
Compare: https://github.com/WebKit/WebKit/compare/6966486a92d9...c907888b1144