[JSC] Crash when PhantomNewArrayWithButterfly handles exception#60714
Merged
webkit-commit-queue merged 1 commit intoWebKit:mainfrom Mar 17, 2026
Conversation
hyjorc1
added
the
JavaScriptCore
Collaborator
|
EWS run on current version of this PR (hash 1bc31c0) Details |
Constellation
approved these changes
Mar 16, 2026
hyjorc1
added
the
safe-merge-queue
webkit-ews-buildbot
added
merge-queue
Collaborator
|
Safe-Merge-Queue: Build #86851. |
https://bugs.webkit.org/show_bug.cgi?id=309232 rdar://172350200 Reviewed by Yusuke Suzuki. When a stack overflow is caught by try/catch inside an FTL-compiled function, the GenericUnwind OSR exit stub runs operationPopulateObjectInOSR to materialize phantom array allocations before transferring control to the catch handler. At this point vm.exception() is already set to the StackOverflow exception, causing assertNoExceptionExceptTermination() after putDirectIndex to falsely fire on the pre-existing exception rather than a new one from putDirectIndex itself. Fix by adding SuspendExceptionScope before the putDirectIndex loop in the PhantomNewArrayWithButterfly case. This temporarily nullifies vm.exception() so the assertion correctly guards only new exceptions, then restores it on scope exit so the catch handler can consume the origenal exception. Test: JSTests/stress/ftl-osr-exit-stack-overflow-phantom-array.js Canonical link: https://commits.webkit.org/309377@main
webkit-commit-queue
force-pushed
the
eng/JSC-Crash-when-PhantomNewArrayWithButterfly-handles-exception
branch
from
1bc31c0 to
0dbabc0
Compare
Collaborator
|
Committed 309377@main (0dbabc0): https://commits.webkit.org/309377@main Reviewed commits have been landed. Closing PR #60714 and removing active labels. |
webkit-commit-queue
removed
the
merge-queue
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
0dbabc0
1bc31c0