Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: cdfa73fdc391180a7fe3b00eb01dd1d2b410956a
https://github.com/WebKit/WebKit/commit/cdfa73fdc391180a7fe3b00eb01dd1d2b410956a
Author: Kai Tamkun <[email protected]>
Date: 2026-05-29 (Fri, 29 May 2026)
Changed paths:
A JSTests/stress/regress-168411205.js
M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
M Source/JavaScriptCore/dfg/DFGValidate.cpp
Log Message:
-----------
[JSC] DFG object allocation sinking shouldn't insert a check when given a
PutByVal node
https://bugs.webkit.org/show_bug.cgi?id=305732
rdar://168411205
Reviewed by Yijia Huang.
The if statement that this change removes was originally added as a fix
for an old, now-replaced array allocation sinking method. Now, it runs
the risk of invalidating the DFG graph. Because it doesn't otherwise
serve any purpose now, it should just be removed.
Test: JSTests/stress/regress-168411205.js
* JSTests/stress/regress-168411205.js: Added.
(f):
* Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp: Remove special
case for PutByVal
* Source/JavaScriptCore/dfg/DFGValidate.cpp:
Originally-landed-as: 305413.542@rapid/safari-7624.2.5.110-branch
(5fbe988916b7). rdar://176061619
Canonical link: https://commits.webkit.org/314144@main
To unsubscribe from these emails, change your notification settings at
https://github.com/WebKit/WebKit/settings/notifications
