309232 – [JSC] Crash when PhantomNewArrayWithButterfly handles exception

RESOLVED FIXED309232

[JSC] Crash when PhantomNewArrayWithButterfly handles exception

https://bugs.webkit.org/show_bug.cgi?id=309232

Summary [JSC] Crash when PhantomNewArrayWithButterfly handles exception

GuY

Reported 2026-03-04 23:19:03 PST

run args: WebKitBuild/JSCOnly/Debug/bin/jsc test.js --useConcurrentJIT=0 ``` function opt() { const arr = Array(10); arr[0] = 0; function foo() { return arr; } try { opt() opt() } catch (e) { } } for(let i=0;i<10000000;i++){ opt() } ```

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2026-03-12 00:19:10 PDT

<rdar://problem/172350200>

Yijia Huang

Comment 2 2026-03-16 13:09:09 PDT

Pull request: https://github.com/WebKit/WebKit/pull/60714

EWS

Comment 3 2026-03-16 21:39:51 PDT

Committed 309377@main (0dbabc018f3f): <https://commits.webkit.org/309377@main> Reviewed commits have been landed. Closing PR #60714 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Local Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Yijia Huang

Reported

2026-03-04 23:19 PST

Modified

2026-03-16 21:39 PDT History

CC List

3 users Show

URL

Keywords InRadar

Depends on

Blocks