https://bugs.webkit.org/show_bug.cgi?id=194806 introduced JSValueInWrappedObject assignment, but this is not correct in terms of semantics since we are not emitting a write-barrier. So, these fields can be collected by concurrent GC. See https://bugs.webkit.org/show_bug.cgi?id=236277's FIXME comment for more detail.
Created attachment 451319: Patch
Comment on attachment 451319: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=451319&action=review
r=me
> Source/WebCore/ChangeLog:15
> + This has a semantice error as the swap process does not emit write barrier (webkit.org/b/236277). To fix the
semantice => semantic
Created attachment 451496: Patch for landing
Committed r289522 (247053@main): <https://commits.webkit.org/247053@main>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 451496.
<rdar://problem/88740386>
Committed 260073@main (4d3456e83828): <https://commits.webkit.org/260073@main> Reviewed commits have been landed. Closing PR #9696 and removing active labels.