Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: f5b52841f6b58d89da360e1b98b50190d6ae0bcb
https://github.com/WebKit/WebKit/commit/f5b52841f6b58d89da360e1b98b50190d6ae0bcb
Author: Anand Srinivasan <[email protected]>
Date: 2026-04-07 (Tue, 07 Apr 2026)
Changed paths:
A JSTests/stress/validate-does-gc-heap-bigint-compare-watchdog.js
M Source/JavaScriptCore/dfg/DFGDoesGCCheck.cpp
M Source/JavaScriptCore/dfg/DFGDoesGCCheck.h
M Source/JavaScriptCore/runtime/VM.cpp
Log Message:
-----------
Reset doesGC expectation upon VM termination to avoid stale assertion
https://bugs.webkit.org/show_bug.cgi?id=311229
rdar://172191300
Reviewed by Yusuke Suzuki.
If the VM terminates in the middle of DFG/FTL JIT code, right now
m_doesGC contains the value corresponding to the last node executed. If
this happens, the next time a thread tries to acquire a JSLock it will
read the stale value in m_doesGC and potentially crash. OSR exits from
JIT code already reset the value to true, so throwTerminationException
should do the same thing.
Test: JSTests/stress/validate-does-gc-heap-bigint-compare-watchdog.js
* JSTests/stress/validate-does-gc-heap-bigint-compare-watchdog.js: Added.
(vm.useJIT):
* Source/JavaScriptCore/dfg/DFGDoesGCCheck.cpp:
(JSC::DFG::DoesGCCheck::verifyCanGC):
* Source/JavaScriptCore/dfg/DFGDoesGCCheck.h:
* Source/JavaScriptCore/runtime/VM.cpp:
(JSC::VM::throwTerminationException):
Canonical link: https://commits.webkit.org/310722@main
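To make the failure mode in the log message concrete, here is a small C++ model of the debug-build DoesGC check, added for this note; it is not JavaScriptCore's code, and the names ToyVM, runJitNode, osrExit, throwTerminationException and verifyCanGC are constructed stand-ins for the VM state and DoesGCCheck logic the commit touches. The JIT records, before each node, whether that node is allowed to GC; a later allocation path verifies that expectation. If termination leaves JIT code without restoring the expectation, the next thread to take the lock and allocate trips the assertion, which is what the commit fixes by resetting the flag on termination just as OSR exit already does.

```cpp
#include <cassert>
#include <cstdio>

// Toy model (constructed for this note; not JavaScriptCore's code) of the
// DoesGC expectation described in the commit message. In a debug build the
// JIT records, before running a node, whether that node may GC; any
// allocation path then checks that expectation. ToyVM, m_doesGC and the
// method names are hypothetical stand-ins for the real VM fields/functions.
class ToyVM {
public:
    // Non-JIT code may always GC, so the expectation starts out true.
    ToyVM() : m_doesGC(true), m_terminated(false) {}

    // The JIT sets the expectation before executing a node; a node compiled
    // as "does not GC" records false.
    void runJitNode(bool nodeDoesGC) { m_doesGC = nodeDoesGC; }

    // OSR exit leaves JIT code and (already, per the log message) resets it.
    void osrExit() { m_doesGC = true; }

    // Termination can also leave JIT code mid-node. resetExpectation models
    // the difference between the old behaviour (false) and the fix (true).
    void throwTerminationException(bool resetExpectation) {
        m_terminated = true;
        if (resetExpectation)
            m_doesGC = true;
    }

    // Called on the next allocation after acquiring the lock: in a debug
    // build a false result here is the stale assertion the commit avoids.
    bool verifyCanGC() const { return m_doesGC; }

    bool terminated() const { return m_terminated; }

private:
    bool m_doesGC;
    bool m_terminated;
};

// Returns whether the next lock holder is allowed to GC after a watchdog
// terminates the VM while a "does not GC" node is executing.
bool canGCAfterTermination(bool withFix) {
    ToyVM vm;
    vm.runJitNode(/*nodeDoesGC=*/false);   // e.g. the heap-bigint compare node
    vm.throwTerminationException(withFix); // watchdog fires mid-JIT
    assert(vm.terminated());
    // Another thread now acquires the lock and tries to allocate:
    return vm.verifyCanGC();
}

// OSR exit is the path that already behaved correctly; kept for contrast.
bool canGCAfterOsrExit() {
    ToyVM vm;
    vm.runJitNode(/*nodeDoesGC=*/false);
    vm.osrExit();
    return vm.verifyCanGC();
}

int main() {
    std::printf("without fix: verifyCanGC=%d\n", canGCAfterTermination(false));
    std::printf("with fix:    verifyCanGC=%d\n", canGCAfterTermination(true));
    std::printf("after OSR exit: verifyCanGC=%d\n", canGCAfterOsrExit());
    return 0;
}
```

The model deliberately keeps only the piece of state that matters: a per-VM expectation that is correct while JIT code runs but must be restored on every path that leaves JIT code, including the termination path the watchdog test exercises.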