Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 289a55e3913bd4347d997fb7ed143d9a51baab30
https://github.com/WebKit/WebKit/commit/289a55e3913bd4347d997fb7ed143d9a51baab30
Author: Shu-yu Guo <[email protected]>
Date: 2026-04-24 (Fri, 24 Apr 2026)
Changed paths:
A JSTests/stress/array-allocation-sink-double-hole-inline-materialization.js
A JSTests/stress/array-allocation-sink-double-hole-osr-exit.js
A JSTests/stress/array-allocation-sink-double-nan-not-hole.js
M Source/JavaScriptCore/ftl/FTLOperations.cpp
Log Message:
-----------
[JSC] Fix hole-handling when rematerializing sunk double arrays
https://bugs.webkit.org/show_bug.cgi?id=312664
rdar://175064220
Reviewed by Keith Miller and Yijia Huang.
A double JS Array uses PNaN to represent holes. If such an array were sunk and
has holes, the PNaN can be boxed into a NaN JSValue if it flows into a Phi.
This manifests as an incorrect rematerialization where a hole appears as NaN.
This PR fixes it by special casing NaNs and directly writing the PNaN hole
value during rematerialization. This is safe to do as NaN element values that
appear during rematerialization are never user-visible. Further, the
non-rematerialization inline FTL paths are not affected as the Phis from sunk
array elements do not flow into user-visible results.
Tests:
JSTests/stress/array-allocation-sink-double-hole-inline-materialization.js
JSTests/stress/array-allocation-sink-double-hole-osr-exit.js
JSTests/stress/array-allocation-sink-double-nan-not-hole.js
* JSTests/stress/array-allocation-sink-double-hole-inline-materialization.js: Added.
(test):
* JSTests/stress/array-allocation-sink-double-hole-osr-exit.js: Added.
* JSTests/stress/array-allocation-sink-double-nan-not-hole.js: Added.
(makeNaN):
* Source/JavaScriptCore/ftl/FTLOperations.cpp:
(JSC::FTL::JSC_DEFINE_NOEXCEPT_JIT_OPERATION):
Canonical link: https://commits.webkit.org/311962@main
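The invariant the commit message describes, that a hole in a double array must stay a hole and never turn into a user-visible NaN, can be observed from plain JavaScript. The following is an added example, not code from the WebKit commit or its tests: the arrays are constructed here, `classifyElements` and the other function names are this example's own, and the loop at the end only mirrors the general shape of an allocation that a JIT might sink (whether any engine actually sinks it is not guaranteed).

```javascript
// Added example, not part of the WebKit commit. Shows the observable
// difference between an array hole and a NaN element, which is the invariant
// rematerialization of a sunk double array has to preserve. All arrays and
// values below are constructed for this example.

// Classify each index of an array as "hole", "nan" or "number".
// A hole has no own property at that index, so `i in arr` is false; a stored
// NaN is an own property whose value is NaN.
function classifyElements(arr) {
  const out = [];
  for (let i = 0; i < arr.length; i++) {
    if (!(i in arr)) {
      out.push("hole");
    } else if (Number.isNaN(arr[i])) {
      out.push("nan");
    } else {
      out.push("number");
    }
  }
  return out;
}

// Constructed input: a double array with a hole at index 1.
function makeHoleyDoubleArray() {
  return [1.5, , 3.5];
}

// Constructed input: a double array with an explicit NaN at index 1.
function makeNaNDoubleArray() {
  return [1.5, 0 / 0, 3.5];
}

// Iteration helpers such as forEach skip holes but do visit NaN elements,
// so a hole that silently became NaN would change this count.
function countVisitedByForEach(arr) {
  let n = 0;
  arr.forEach(() => { n++; });
  return n;
}

// Allocate a holey double array repeatedly (the shape of an allocation a JIT
// may choose to sink) and report whether the hole was observable every time.
// Returns true when no iteration saw the hole turn into a real element.
function holePreservedUnderLoop(iterations) {
  let badHoles = 0;
  for (let i = 0; i < iterations; i++) {
    const a = [i + 0.5, , i + 1.5];
    if (1 in a) badHoles++;
  }
  return badHoles === 0;
}
```

Run under a JIT-enabled engine, `holePreservedUnderLoop` is the kind of check a regression test for this class of bug performs: the hole is created inside a hot loop, and the test asserts on `1 in a` rather than on `a[1] === undefined`, because only the `in` check distinguishes a hole from any stored value.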