Title: [87190] trunk/Source/_javascript_Core
- Revision: 87190
- Author: oli...@apple.com
- Date: 2011-05-24 12:39:47 -0700 (Tue, 24 May 2011)
Log Message
2011-05-24 Oliver Hunt <oli...@apple.com>
Reviewed by Gavin Barraclough.
Interpreter crashes with gc validation enabled due to failure to mark initial cache structure
https://bugs.webkit.org/show_bug.cgi?id=61385
The interpreter uses the structure slot of get_by_id and put_by_id to hold
the initial structure it encountered so that it can identify whether a
given access is stable.
When marking, though, we only visit the slot when we've decided to cache, and
so this value could die. This was "safe" as the value was only used for a
pointer compare, but it was incorrect. We now just mark the slot like we
should have been doing already.
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::visitStructures):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (87189 => 87190)
--- trunk/Source/_javascript_Core/ChangeLog 2011-05-24 19:32:03 UTC (rev 87189)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-05-24 19:39:47 UTC (rev 87190)
@@ -1,3 +1,22 @@
+2011-05-24 Oliver Hunt <oli...@apple.com>
+
+ Reviewed by Gavin Barraclough.
+
+ Interpreter crashes with gc validation enabled due to failure to mark initial cache structure
+ https://bugs.webkit.org/show_bug.cgi?id=61385
+
+ The interpreter uses the structure slot of get_by_id and put_by_id to hold
+ the initial structure it encountered so that it can identify whether a
+ given access is stable.
+
+ When marking though we only visit the slot when we've decided to cache, and
+ so this value could die. This was "safe" as the value was only used for a
+ pointer compare, but it was incorrect. We now just mark the slot like we
+ should have been doing already.
+
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::visitStructures):
+
2011-05-24 Adam Roben <aro...@apple.com>
Windows build fix
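Review bot: the entry understates the risk of the old behaviour in the "This was 'safe'" sentence: once the unmarked Structure is collected, its address can be reused by a freshly allocated Structure, so a pointer compare against the stale slot can spuriously report an access as stable and let the cache be primed from the wrong object; it is not only a GC-validation crash. Worth stating that plainly so the ChangeLog does not read as a validation-only fix, and worth noting whether a GC-stress or validation run was used to exercise the change, since no test is listed under the modified files.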
Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (87189 => 87190)
--- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2011-05-24 19:32:03 UTC (rev 87189)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2011-05-24 19:39:47 UTC (rev 87190)
@@ -1405,6 +1405,11 @@
{
Interpreter* interpreter = m_globalData->interpreter;
+ if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id) && vPC[4].u.structure) {
+ visitor.append(&vPC[4].u.structure);
+ return;
+ }
+
if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_self) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_self) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_self)) {
visitor.append(&vPC[4].u.structure);
return;
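Review bot: the new op_get_by_id branch guards on vPC[4].u.structure being non-null, which silently depends on that operand slot being zero-initialized when the bytecode is emitted and cleared whenever the cache is reset; if either is not the case, visitor.append on a garbage pointer is exactly the class of bug this patch is fixing, so that invariant should be confirmed in the emitter and in the cache-reset path. A one-line comment on the branch saying that for the not-yet-cached opcode the slot holds the first structure seen (the "is this access stable" probe) would also help, since a reader will otherwise wonder why an uncached opcode has a structure to mark at all.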
@@ -1425,6 +1430,10 @@
visitor.append(&vPC[6].u.structureChain);
return;
}
+ if (vPC[0].u.opcode == interpreter->getOpcode(op_put_by_id) && vPC[4].u.structure) {
+ visitor.append(&vPC[4].u.structure);
+ return;
+ }
if (vPC[0].u.opcode == interpreter->getOpcode(op_put_by_id_replace)) {
visitor.append(&vPC[4].u.structure);
return;
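Review bot: the op_put_by_id branch duplicates the op_get_by_id one line for line, so a small helper or a single combined condition (`opcode == op_get_by_id || opcode == op_put_by_id`) placed before the per-opcode cache checks would keep the two pre-cache paths in step the next time the slot layout changes. The fall-through when vPC[4].u.structure is null is correct only because none of the later comparisons match op_put_by_id; that is fine here, but it is implicit, and a comment on the guard saying that a null slot means "no access seen yet, nothing to mark" would make the intent explicit.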
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes