Branch: refs/heads/webkitglib/2.50
Home: https://github.com/WebKit/WebKit
Commit: 63348060637c0eb57f14e63497e350f2e46275af
https://github.com/WebKit/WebKit/commit/63348060637c0eb57f14e63497e350f2e46275af
Author: Yijia Huang <[email protected]>
Date: 2026-03-17 (Tue, 17 Mar 2026)
Changed paths:
A JSTests/stress/ftl-osr-exit-stack-overflow-phantom-array.js
M Source/JavaScriptCore/ftl/FTLOperations.cpp
Log Message:
-----------
Cherry-pick 309377@main (0dbabc018f3f).
https://bugs.webkit.org/show_bug.cgi?id=309232
[JSC] Crash when PhantomNewArrayWithButterfly handles exception
https://bugs.webkit.org/show_bug.cgi?id=309232
rdar://172350200
Reviewed by Yusuke Suzuki.
When a stack overflow is caught by try/catch inside an FTL-compiled function, the GenericUnwind OSR exit stub runs operationPopulateObjectInOSR to materialize phantom array allocations before transferring control to the catch handler. At this point vm.exception() is already set to the StackOverflow exception, causing assertNoExceptionExceptTermination() after putDirectIndex to falsely fire on the pre-existing exception rather than a new one from putDirectIndex itself.

Fix by adding SuspendExceptionScope before the putDirectIndex loop in the PhantomNewArrayWithButterfly case. This temporarily nullifies vm.exception() so the assertion correctly guards only new exceptions, then restores it on scope exit so the catch handler can consume the original exception.
Test: JSTests/stress/ftl-osr-exit-stack-overflow-phantom-array.js
Canonical link: https://commits.webkit.org/309377@main
Canonical link: https://commits.webkit.org/298234.505@webkitglib/2.50
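The failure mode the commit message describes, as an added illustration that is not WebKit's code: a pending exception left in the VM's exception slot makes a "no new exception" check after each element store misfire, and stashing that exception in an RAII scope for the duration of the loop makes the check observe only exceptions raised by the stores themselves. ToyVM, SuspendPendingException, storeElement, materializeArray and kMaxIndex are constructed stand-ins for vm.exception(), SuspendExceptionScope, putDirectIndex, the PhantomNewArrayWithButterfly materialization loop and its assertion; they are assumptions for this example, not JavaScriptCore's API.

```cpp
#include <cstddef>
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

// Constructed stand-in for the VM's pending-exception slot (vm.exception()).
struct PendingException { std::string message; };

struct ToyVM {
    std::optional<PendingException> exception;
};

// RAII helper modelled on the idea of a "suspend exception scope" (hypothetical,
// not WebKit's class): stash the pending exception on construction, restore it
// unconditionally on destruction so a later catch handler can still consume it.
class SuspendPendingException {
public:
    explicit SuspendPendingException(ToyVM& vm)
        : m_vm(vm), m_saved(std::move(vm.exception)) {
        m_vm.exception.reset();
    }
    ~SuspendPendingException() { m_vm.exception = std::move(m_saved); }
    SuspendPendingException(const SuspendPendingException&) = delete;
    SuspendPendingException& operator=(const SuspendPendingException&) = delete;
private:
    ToyVM& m_vm;
    std::optional<PendingException> m_saved;
};

// Hypothetical stand-in for putDirectIndex: stores one element and may raise a
// NEW exception of its own (here: when the index exceeds an arbitrary limit).
constexpr size_t kMaxIndex = 1024;
bool storeElement(ToyVM& vm, std::vector<int>& storage, size_t index, int value) {
    if (index >= kMaxIndex) {
        vm.exception = PendingException{"RangeError: index too large"};
        return false;
    }
    if (storage.size() <= index) storage.resize(index + 1);
    storage[index] = value;
    return true;
}

struct MaterializeResult {
    bool noNewExceptionCheckPassed;   // did the per-store check hold every time?
    bool exceptionPendingAfterwards;  // is an exception still pending on return?
};

// Materialise a phantom array from its element values. With suspend == false the
// check after each store also sees any pre-existing exception and misfires; with
// suspend == true the pending exception is stashed first, so the check only
// observes exceptions raised by storeElement, and the original is restored after.
MaterializeResult materializeArray(ToyVM& vm, const std::vector<int>& values, bool suspend) {
    std::vector<int> storage;
    bool checkPassed = true;
    {
        std::optional<SuspendPendingException> scope;
        if (suspend) scope.emplace(vm);
        for (size_t i = 0; i < values.size(); ++i) {
            storeElement(vm, storage, i, values[i]);
            // Equivalent of assertNoExceptionExceptTermination() after each store.
            if (vm.exception.has_value()) { checkPassed = false; break; }
        }
    } // scope destructor restores the original exception, if there was one
    return { checkPassed, vm.exception.has_value() };
}

int main() {
    // Constructed scenario: a stack-overflow exception is already pending when
    // the OSR exit materialises a three-element array.
    ToyVM withoutScope;
    withoutScope.exception = PendingException{"StackOverflow"};
    MaterializeResult r1 = materializeArray(withoutScope, {1, 2, 3}, false);
    std::printf("no scope:   check passed=%d, exception pending=%d\n",
                r1.noNewExceptionCheckPassed, r1.exceptionPendingAfterwards);

    ToyVM withScope;
    withScope.exception = PendingException{"StackOverflow"};
    MaterializeResult r2 = materializeArray(withScope, {1, 2, 3}, true);
    std::printf("with scope: check passed=%d, exception pending=%d\n",
                r2.noNewExceptionCheckPassed, r2.exceptionPendingAfterwards);
    return 0;
}
```

The scope restores the saved exception unconditionally on exit, which is what lets the catch handler downstream still receive the original StackOverflow; the check inside the loop, meanwhile, only ever sees exceptions that storeElement itself raised.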