Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1cdc540e6ebee5192b5b5d4fc0202b8bfd37eece
      
https://github.com/WebKit/WebKit/commit/1cdc540e6ebee5192b5b5d4fc0202b8bfd37eece
  Author: Anand Srinivasan <[email protected]>
  Date:   2026-06-02 (Tue, 02 Jun 2026)

  Changed paths:
    A JSTests/stress/baseline-op-del-by-id-write-barrier.js
    A JSTests/stress/baseline-op-del-by-val-write-barrier.js
    M Source/JavaScriptCore/jit/BaselineJITRegisters.h
    M Source/JavaScriptCore/jit/JIT.h
    M Source/JavaScriptCore/jit/JITPropertyAccess.cpp

  Log Message:
  -----------
  Fix baseline write barrier handling in OpDelBy{Id,Val}
https://bugs.webkit.org/show_bug.cgi?id=310139
rdar://172299872

Reviewed by Yusuke Suzuki.

In the baseline implementation of OpDelById, code like `o = delete o.x` can
overwrite the pointer to object o with a boolean value before the write
barrier, meaning the barrier is wrongly invoked on the boolean instead of
the original object. Same problem with OpDelByVal, which can be
replicated with `o = delete o["x"]`.

Tests: JSTests/stress/baseline-op-del-by-id-write-barrier.js
       JSTests/stress/baseline-op-del-by-val-write-barrier.js

* JSTests/stress/baseline-op-del-by-id-write-barrier.js: Added.
(main):
* JSTests/stress/baseline-op-del-by-val-write-barrier.js: Added.
(main):
* Source/JavaScriptCore/jit/BaselineJITRegisters.h:
* Source/JavaScriptCore/jit/JIT.h:
* Source/JavaScriptCore/jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_del_by_id):
(JSC::JIT::emit_op_del_by_val):
(JSC::JIT::emitWriteBarrier):

Originally-landed-as: 305413.540@rapid/safari-7624.2.5.110-branch (7c715b4eeda1). rdar://176061249
Canonical link: https://commits.webkit.org/314381@main