Title: [150086] branches/dfgFourthTier/Source/_javascript_Core
Revision: 150086
Author: mhahnenb...@apple.com
Date: 2013-05-14 13:37:09 -0700 (Tue, 14 May 2013)

Log Message

fourthTier: Segfault in jsc with simple test program when running with profile dumping enabled
https://bugs.webkit.org/show_bug.cgi?id=116082

It's crashing because CodeBlock::baselineVersion() doesn't know how to handle the case where 'this' is the 
baseline version but it hasn't been assigned to the m_blahCodeBlock field in BlahExecutable. The fix is to 
check if we're the baseline version in baselineVersion() and return this if so.

Reviewed by Filip Pizlo.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::baselineVersion):
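
To make the crash the log message describes concrete, the following is an added, stand-alone model written for this page; it is not JavaScriptCore code. The names JITType, Executable::codeBlock, alt, baselineVersionBefore and baselineVersionAfter are assumptions standing in for the real CodeBlock tiers, the executable slot the message calls m_blahCodeBlock, and the JITCode::isBaselineCode(getJITType()) check in the patch. It shows the pre-patch logic returning null for a baseline block that has not yet been installed on its executable, the post-patch logic returning this for that case, and the alternative() chain resolving from an optimized block back to the baseline.

```cpp
#include <cassert>
#include <cstdio>

// Added illustration for this page, not JavaScriptCore code. It is a
// deliberately small model of tiered CodeBlocks: a baseline block, an
// optimizing block whose alternative() points back down the chain, and an
// Executable whose slot (standing in for the commit's "m_blahCodeBlock")
// is filled in only after the baseline block has been constructed.
enum class JITType { Baseline, DFG };

struct Executable;

struct CodeBlock {
    JITType type;
    Executable* owner;
    CodeBlock* alt = nullptr;  // the lower-tier block this one replaced

    CodeBlock(JITType t, Executable* o) : type(t), owner(o) {}

    CodeBlock* alternative() const { return alt; }
    CodeBlock* replacement() const;  // the executable's currently installed block

    CodeBlock* baselineVersionBefore();  // pre-patch logic
    CodeBlock* baselineVersionAfter();   // post-patch logic
};

struct Executable {
    CodeBlock* codeBlock = nullptr;  // assumed name; assigned after construction
};

CodeBlock* CodeBlock::replacement() const { return owner->codeBlock; }

// Pre-patch: consults the executable first, so a baseline block that has not
// been installed yet answers null, and a caller that dereferences the result
// (for example a profile dumper) crashes.
CodeBlock* CodeBlock::baselineVersionBefore() {
    CodeBlock* result = replacement();
    if (!result)
        return nullptr;  // "in the process of creating the baseline version"
    while (result->alternative())
        result = result->alternative();
    return result;
}

// Post-patch: a baseline block answers for itself; only optimized blocks walk
// the chain. The assert compiles out in release builds, so a non-baseline
// block with a null replacement() would dereference null on the next line.
CodeBlock* CodeBlock::baselineVersionAfter() {
    if (type == JITType::Baseline)  // models JITCode::isBaselineCode(getJITType())
        return this;
    CodeBlock* result = replacement();
    assert(result);
    while (result->alternative())
        result = result->alternative();
    return result;
}

// The bug's scenario: the baseline block exists (a profiler wants to dump it)
// but the executable's slot is still empty.
bool beforeReturnsNullDuringCreation() {
    Executable exec;
    CodeBlock baseline(JITType::Baseline, &exec);
    return baseline.baselineVersionBefore() == nullptr;
}

bool afterReturnsSelfDuringCreation() {
    Executable exec;
    CodeBlock baseline(JITType::Baseline, &exec);
    return baseline.baselineVersionAfter() == &baseline;
}

// After tier-up the DFG block is installed and keeps the baseline block as its
// alternative(); both blocks must resolve to the same baseline.
bool chainResolvesToBaseline() {
    Executable exec;
    CodeBlock baseline(JITType::Baseline, &exec);
    exec.codeBlock = &baseline;
    CodeBlock dfg(JITType::DFG, &exec);
    dfg.alt = &baseline;
    exec.codeBlock = &dfg;
    return dfg.baselineVersionAfter() == &baseline
        && baseline.baselineVersionAfter() == &baseline
        && dfg.baselineVersionBefore() == &baseline;
}

int main() {
    std::printf("before, during creation -> null: %d\n", beforeReturnsNullDuringCreation());
    std::printf("after,  during creation -> self: %d\n", afterReturnsSelfDuringCreation());
    std::printf("chain resolves to baseline:      %d\n", chainResolvesToBaseline());
    return 0;
}
```

The model keeps the real patch's shape on purpose: the only structural difference between the two functions is the early self-check, and the comment on the assert marks the one path the patch still leaves to a debug-only check.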

Modified Paths

Diff

Modified: branches/dfgFourthTier/Source/_javascript_Core/ChangeLog (150085 => 150086)


--- branches/dfgFourthTier/Source/_javascript_Core/ChangeLog	2013-05-14 20:22:52 UTC (rev 150085)
+++ branches/dfgFourthTier/Source/_javascript_Core/ChangeLog	2013-05-14 20:37:09 UTC (rev 150086)
@@ -1,3 +1,17 @@
+2013-05-14  Mark Hahnenberg  <mhahnenb...@apple.com>
+
+        fourthTier: Segfault in jsc with simple test program when running with profile dumping enabled
+        https://bugs.webkit.org/show_bug.cgi?id=116082
+
+        It's crashing because CodeBlock::baselineVersion() doesn't know how to handle the case where 'this' is the 
+        baseline version but it hasn't been assigned to the m_blahCodeBlock field in BlahExecutable. The fix is to 
+        check if we're the baseline version in baselineVersion() and return this if so.
+
+        Reviewed by Filip Pizlo.
+
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::baselineVersion):
+
 2013-05-11  Mark Hahnenberg  <mhahnenb...@apple.com>
 
         Rename StructureCheckHoistingPhase to TypeCheckHoistingPhase
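
Review bot: the new ChangeLog entry names the field and owner only as placeholders ("m_blahCodeBlock field in BlahExecutable"); spell out the actual member and class names so the entry stays searchable when someone hits this path again. The entry also lists no test even though the bug title refers to a simple test program that reproduces the segfault with profile dumping enabled; either land that program as a regression test alongside this change or say in the entry why it is not testable.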

Modified: branches/dfgFourthTier/Source/_javascript_Core/bytecode/CodeBlock.h (150085 => 150086)


--- branches/dfgFourthTier/Source/_javascript_Core/bytecode/CodeBlock.h	2013-05-14 20:22:52 UTC (rev 150085)
+++ branches/dfgFourthTier/Source/_javascript_Core/bytecode/CodeBlock.h	2013-05-14 20:37:09 UTC (rev 150086)
@@ -134,9 +134,10 @@
 #if ENABLE(JIT)
         CodeBlock* baselineVersion()
         {
+            if (JITCode::isBaselineCode(getJITType()))
+                return this;
             CodeBlock* result = replacement();
-            if (!result)
-                return 0; // This can happen if we're in the process of creating the baseline version.
+            ASSERT(result);
             while (result->alternative())
                 result = result->alternative();
             ASSERT(result);
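
Review bot: replacing `if (!result) return 0;` with `ASSERT(result);` changes the failure mode for the case the deleted comment described. ASSERT is compiled out in release builds, so a non-baseline block whose replacement() is still null no longer returns 0 to a caller that might handle it; it dereferences null at `while (result->alternative())`. If that state is now impossible for non-baseline blocks, say so in a comment where the old one was; if it is merely unexpected, use an assertion that stays enabled in release builds (RELEASE_ASSERT, if this branch has it). The trailing `ASSERT(result);` after the loop is now redundant: the new assertion covers the value on entry, and the loop only advances when alternative() is non-null. Any callers that checked baselineVersion() for 0 can also drop that check now that the baseline case returns this.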
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
