Bug 309232

Summary: [JSC] Crash when PhantomNewArrayWithButterfly handles exception
Product: WebKit Reporter: GuY <q602706150>
Component: JavaScriptCoreAssignee: Yijia Huang <yijia_huang>
Status: RESOLVED FIXED    
Severity: Normal CC: syg, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   

GuY
Reported 2026-03-04 23:19:03 PST
run args: WebKitBuild/JSCOnly/Debug/bin/jsc test.js --useConcurrentJIT=0 ``` function opt() { const arr = Array(10); arr[0] = 0; function foo() { return arr; } try { opt() opt() } catch (e) { } } for(let i=0;i<10000000;i++){ opt() } ```
Attachments
Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2026-03-12 00:19:10 PDT
<rdar://problem/172350200>
Yijia Huang
Comment 2 2026-03-16 13:09:09 PDT
Pull request: https://github.com/WebKit/WebKit/pull/60714
EWS
Comment 3 2026-03-16 21:39:51 PDT
Committed 309377@main (0dbabc018f3f): <https://commits.webkit.org/309377@main> Reviewed commits have been landed. Closing PR #60714 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.