Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 7429d22f2bfd5274ea68c3d9b3dadf74ca5646b4
https://github.com/WebKit/WebKit/commit/7429d22f2bfd5274ea68c3d9b3dadf74ca5646b4
  Author: Shu-yu Guo <[email protected]>
  Date:   2026-05-20 (Wed, 20 May 2026)

  Changed paths:
    A JSTests/stress/array-sort-inline-isnan-comparator-cps.js
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

  Log Message:
  -----------
  [JSC] Fix DFG CPS validation for inlined sort comparator
https://bugs.webkit.org/show_bug.cgi?id=315144
rdar://177411241

Reviewed by Yusuke Suzuki.

312983@main introduced inlining of Array.p.sort, including comparators. When
side exiting, this restarts the entire sort call. There is a bug where, when
inlining the comparator, the SetLocal queue is flushed _before_ emitting an
ExitOK, which can cause a node to be hoisted above its producer, tripping the
DFG CPS validation.

This PR emits ExitOK before flushing the SetLocal queue.

Test: JSTests/stress/array-sort-inline-isnan-comparator-cps.js

* JSTests/stress/array-sort-inline-isnan-comparator-cps.js: Added.
(opt.process.toDict):
(opt):
(opt.try.):
(catch):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleArraySort):

Canonical link: https://commits.webkit.org/313579@main
