From e31ab78e20213bc9f979e3a3a23330673389c4c7 Mon Sep 17 00:00:00 2001
From: Angelos Oikonomopoulos
Date: Thu, 7 May 2026 11:14:56 +0000
Subject: [PATCH] Defensively DeferGC when baking butterflies

This is a port of https://commits.webkit.org/307787@main to 2.38. Note that unshiftCountSlowCase is already protected by its sole caller.
---
 Source/JavaScriptCore/heap/Heap.h | 1 +
 Source/JavaScriptCore/runtime/JSArray.cpp | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/Source/JavaScriptCore/heap/Heap.h b/Source/JavaScriptCore/heap/Heap.h
index 8df576acf7f86..ba3b1e55af93c 100644
--- a/Source/JavaScriptCore/heap/Heap.h
+++ b/Source/JavaScriptCore/heap/Heap.h
@@ -575,6 +575,7 @@ class Heap {
 friend class HeapVerifier;
 friend class IsoSubspacePerVM;
 friend class JITStubRoutine;
+ friend class JSArray;
 friend class LLIntOffsetsExtractor;
 friend class MarkStackMergingConstraint;
 friend class MarkedSpace;
diff --git a/Source/JavaScriptCore/runtime/JSArray.cpp b/Source/JavaScriptCore/runtime/JSArray.cpp
index 5803e2564be46..e4d3461c81251 100644
--- a/Source/JavaScriptCore/runtime/JSArray.cpp
+++ b/Source/JavaScriptCore/runtime/JSArray.cpp
@@ -62,6 +62,7 @@ JSArray* JSArray::tryCreateUninitializedRestricted(ObjectInitializationScope& sc
 deferralContext, AllocationFailureMode::ReturnNull);
 if (UNLIKELY(!temp))
 return nullptr;
+ vm.heap.incrementDeferralDepth();
 butterfly = Butterfly::fromBase(temp, 0, outOfLineStorage);
 butterfly->setVectorLength(vectorLength);
 butterfly->setPublicLength(initialLength);
@@ -84,6 +85,7 @@ JSArray* JSArray::tryCreateUninitializedRestricted(ObjectInitializationScope& sc
 deferralContext, AllocationFailureMode::ReturnNull);
 if (UNLIKELY(!temp))
 return nullptr;
+ vm.heap.incrementDeferralDepth();
 butterfly = Butterfly::fromBase(temp, indexBias, outOfLineStorage);
 *butterfly->indexingHeader() = indexingHeaderForArrayStorage(initialLength, vectorLength);
 ArrayStorage* storage = butterfly->arrayStorage();
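Review bot: The deferral opened by `vm.heap.incrementDeferralDepth();` in the @@ -62 and @@ -84 hunks of JSArray.cpp is closed only by the single `vm.heap.decrementDeferralDepth();` at the end of the function (hunk @@ -97,6 +99,7), so any exit between the two — a return or throw in the code the patch does not show, or one added later — would leave the heap's deferral depth raised for the rest of the VM's life, silently suppressing collection. The manual pairing is presumably also what forces the `friend class JSArray;` addition in Heap.h, which grants JSArray access to all of Heap's private members for the sake of two calls. A `std::optional<DeferGC>` declared at function scope and `emplace`d immediately after each successful butterfly allocation would give the same deferral window with RAII cleanup and no friend access, and DeferGC's destructor also re-checks whether a collection became due, which the plain decrement here appears to skip. If the manual form is deliberate for this branch, the first increment deserves a comment stating the invariant, e.g. `// GC stays deferred until decrementDeferralDepth() at the end of this function; no early return between them.` tryCreateUninitializedRestricted's body starts before and continues between these hunks, so the intermediate exits are not visible in the patch.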
@@ -97,6 +99,7 @@ JSArray* JSArray::tryCreateUninitializedRestricted(ObjectInitializationScope& sc
 JSArray* result = createWithButterfly(vm, deferralContext, structure, butterfly);
 scope.notifyAllocated(result);
+ vm.heap.decrementDeferralDepth();
 return result;
 }