Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 473103340befba3c0e5b0facbc32d9fda14c6fd9
https://github.com/WebKit/WebKit/commit/473103340befba3c0e5b0facbc32d9fda14c6fd9
Author: Shu-yu Guo <[email protected]>
Date: 2026-04-13 (Mon, 13 Apr 2026)
Changed paths:
A JSTests/stress/resizable-typed-array-non-string-primitive-key-transition.js
M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp
Log Message:
-----------
[JSC] Fix PutByVal non-string primitive key IC handler losing IndexingHeader
https://bugs.webkit.org/show_bug.cgi?id=311907
rdar://174471487
Reviewed by Yusuke Suzuki.
310410@main added PutByVal ICs with non-string primitive keys (undefined, null,
true, false). There is a bug where the inline allocating handler is used when
the receiver has an IndexingHeader. This inline allocation handler zero-fills
the new butterfly but doesn't copy the old IndexingHeader, which is used for
ArrayBuffer views. Subsequent indexed accesses become incorrect as a bogus
zeroed/scribbled IndexingHeader is dereferenced.
Fix by adding putByValNonStringPrimitiveKeyTransitionOutOfLineHandlerImpl,
which calls operationReallocateButterflyAndTransition and handles the
IndexingHeader cases. This parallels the structure of the string-key
handlers, where putByValTransitionHandlerImpl handles the inline allocation
case and putByValTransitionOutOfLineHandlerImpl handles the out-of-line case
for objects with IndexingHeaders.
Test:
JSTests/stress/resizable-typed-array-non-string-primitive-key-transition.js
* JSTests/stress/resizable-typed-array-non-string-primitive-key-transition.js:
Added.
* Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp:
(JSC::putByValNonStringPrimitiveKeyTransitionOutOfLineHandlerImpl):
Canonical link: https://commits.webkit.org/311164@main
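The scenario the commit message describes, as an added regression-style check written for this page. It is not the project's JSTests file (whose contents are not shown here) and not part of the notification. It assumes the ES2024 resizable ArrayBuffer API where the engine provides it (Node 20 or newer, current JSC); on engines without it the resize step is skipped. The function names, the byte values and the iteration count are this example's own choices. On a fixed engine, or on one that never had the bug, the check simply reports ok.

```javascript
// Added example (not the project's JSTests file): a regression-style check in the
// shape the commit message describes. It repeatedly adds an own property keyed by a
// non-string primitive (undefined, null, true, false) to freshly created typed-array
// views, so that a JIT's PutByVal transition inline cache gets warm, and verifies
// after each add that indexed reads and the view length are still correct.
// Assumption: the resizable ArrayBuffer API is used when the engine has it; on older
// engines the options bag is ignored and the resize step is skipped.
'use strict';

const NON_STRING_PRIMITIVE_KEYS = [undefined, null, true, false];
const HAS_RESIZABLE = typeof ArrayBuffer.prototype.resize === 'function';

function makeView() {
  // Resizable buffer where supported; the options bag is ignored elsewhere.
  const buffer = new ArrayBuffer(16, { maxByteLength: 64 });
  const view = new Uint8Array(buffer); // length-tracking view
  view[0] = 0x2a;
  view[15] = 0x7f;
  return { buffer, view };
}

function checkView(view, expectedLength, key, iteration) {
  if (view.length !== expectedLength || view[0] !== 0x2a || view[15] !== 0x7f) {
    return { ok: false, key: String(key), iteration, length: view.length };
  }
  return null;
}

function exerciseNonStringPrimitiveKeyTransition(iterations = 1000) {
  for (const key of NON_STRING_PRIMITIVE_KEYS) {
    for (let i = 0; i < iterations; i++) {
      const { buffer, view } = makeView();
      // Each iteration starts from a fresh object, so this put is a structure
      // transition (adding a property), not a replace of an existing one. The key
      // is coerced to the property name "undefined", "null", "true" or "false",
      // which is not a canonical numeric string, so it becomes an ordinary own
      // property rather than an element write.
      view[key] = i;
      if (view[String(key)] !== i) {
        return { ok: false, key: String(key), iteration: i, reason: 'property lost' };
      }
      // The failure mode the fix describes: the view's element storage is described
      // by a header the transition must preserve; a zero-filled header would make
      // indexed reads and the length wrong from here on.
      let bad = checkView(view, 16, key, i);
      if (bad) return bad;
      if (HAS_RESIZABLE) {
        buffer.resize(32); // existing bytes are kept, new bytes are zero
        bad = checkView(view, 32, key, i);
        if (bad) return bad;
      }
    }
  }
  return { ok: true, resizable: HAS_RESIZABLE };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(exerciseNonStringPrimitiveKeyTransition()));
}
```

Run it under the engine being tested (for JSC, the project's jsc shell with the JIT enabled); a fresh view per iteration is what keeps every put on the transition path that the inline cache handler in the fix covers, and the read-back after each put is what turns a corrupted header into a visible failure rather than a latent one.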