Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 5e11f74dc4967e0165fe825134a4a5d7583dc3e0
https://github.com/WebKit/WebKit/commit/5e11f74dc4967e0165fe825134a4a5d7583dc3e0
Author: Sosuke Suzuki <[email protected]>
Date: 2026-05-04 (Mon, 04 May 2026)
Changed paths:
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
[JSC] Call `ensureStillAliveHere` after `vmCall` in FTL `ArrayIndexOf`/`Includes`
https://bugs.webkit.org/show_bug.cgi?id=314010
Reviewed by Keith Miller.
In the UntypedUse + Array::Contiguous path, ensureStillAliveHere(base) was
placed before the vmCall, so B3 could drop base across the call.
operationArray{IndexOf,Includes}ValueInt32OrContiguous may resolve rope
strings in the array and trigger GC; the butterfly is pinned via the
argument register but its contents are only marked through
JSObject::visitChildren(base). Move ensureStillAliveHere after the call,
matching the StringUse path.
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOfOrArrayIncludes):
Canonical link: https://commits.webkit.org/312553@main
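
A simplified model of the liveness problem described in the log message, added here as an illustration; it is not WebKit code, and `Heap`, `Cell`, `Array`, `indexOfWithGC` and `runScenario` are hypothetical names. It assumes a collector that marks array elements only through arrays still considered live across the call, while the storage pointer passed as an argument stays valid.

```cpp
#include <cstdio>
#include <string>
#include <utility>
#include <vector>

// Toy model, not JSC code. All names here are hypothetical.
struct Cell { std::string value; bool marked = false; bool swept = false; };
struct Array { std::vector<Cell*> butterfly; };  // elements are marked only via their owner

struct Heap {
    std::vector<Cell*> cells;
    ~Heap() { for (Cell* c : cells) delete c; }
    Cell* allocate(std::string v) { cells.push_back(new Cell{std::move(v)}); return cells.back(); }
    // Marking visits the children of arrays the compiler still considers live.
    // A pinned butterfly keeps its storage, but nothing marks what it points to.
    void collect(const std::vector<Array*>& liveArrays) {
        for (Cell* c : cells) c->marked = false;
        for (Array* a : liveArrays) for (Cell* c : a->butterfly) c->marked = true;
        for (Cell* c : cells) if (!c->marked) c->swept = true;  // flagged, not freed, so the model can report it
    }
};

// Stand-in for the slow-path operation: it receives only the storage pointer,
// allocates (as rope resolution does) and collects before scanning.
// Returns the index, -1 if absent, -2 if it read a swept element.
int indexOfWithGC(Heap& heap, Cell* const* storage, size_t length,
                  const std::string& needle, const std::vector<Array*>& liveAcrossCall) {
    heap.allocate("resolved rope");
    heap.collect(liveAcrossCall);
    for (size_t i = 0; i < length; ++i) {
        if (storage[i]->swept) return -2;
        if (storage[i]->value == needle) return static_cast<int>(i);
    }
    return -1;
}

// keepAliveAfterCall == false models base's last use preceding the call.
int runScenario(bool keepAliveAfterCall) {
    Heap heap;
    Array base;
    for (const char* s : {"a", "b", "c"}) base.butterfly.push_back(heap.allocate(s));
    std::vector<Array*> live;
    if (keepAliveAfterCall) live.push_back(&base);
    return indexOfWithGC(heap, base.butterfly.data(), base.butterfly.size(), "c", live);
}

int main() {
    std::printf("before call: %d, after call: %d\n", runScenario(false), runScenario(true));
}
```

In the model, a result of -2 stands for the read of a collected element that the reordering in this commit prevents.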