Title: [87190] trunk/Source/_javascript_Core
Revision: 87190
Author: oli...@apple.com
Date: 2011-05-24 12:39:47 -0700 (Tue, 24 May 2011)

Log Message

2011-05-24  Oliver Hunt  <oli...@apple.com>

        Reviewed by Gavin Barraclough.

        Interpreter crashes with gc validation enabled due to failure to mark initial cache structure
        https://bugs.webkit.org/show_bug.cgi?id=61385

        The interpreter uses the structure slot of get_by_id and put_by_id to hold
        the initial structure it encountered so that it can identify whether a
        given access is stable.

        When marking though we only visit the slot when we've decided to cache, and
        so this value could die.  This was "safe" as the value was only used for a
        pointer compare, but it was incorrect.  We now just mark the slot like we
        should have been doing already.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitStructures):
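The failure the log message describes, as an added illustration in C++ that is not part of this commit or of WebKit: a toy mark-sweep arena with one inline-cache slot that is only ever compared by pointer. `Structure`, `Heap`, `InlineCache`, `Outcome` and `runScenario` are all constructed for this example; the only thing it borrows from the patch is the choice between ignoring the slot during marking (old behaviour) and appending it as a root (the fix).

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <vector>

// Toy stand-in for a GC-managed JSC::Structure (hypothetical, not WebKit's type).
struct Structure {
    int id;        // lets us tell which object currently occupies a cell
    bool marked;   // set during the mark phase
    bool live;     // false once swept onto the free list
};

// Fixed-size arena with a LIFO free list, so a freed cell is the very next one
// handed out again: the address reuse that makes a stale pointer compare lie.
struct Heap {
    static const size_t kCells = 4;
    Structure cells[kCells];
    std::vector<Structure*> freeList;

    Heap() {
        for (size_t i = 0; i < kCells; ++i) {
            cells[i].live = false;
            cells[i].marked = false;
            cells[i].id = 0;
            freeList.push_back(&cells[kCells - 1 - i]); // cells[0] is popped first
        }
    }

    Structure* allocate(int id) {
        assert(!freeList.empty());
        Structure* s = freeList.back();
        freeList.pop_back();
        s->id = id;
        s->marked = false;
        s->live = true;
        return s;
    }

    // Mark every structure referenced from a root slot, then sweep the rest.
    void collect(const std::vector<Structure**>& roots) {
        for (Structure** slot : roots)
            if (*slot)
                (*slot)->marked = true;
        for (size_t i = 0; i < kCells; ++i) {
            Structure& s = cells[i];
            if (!s.live)
                continue;
            if (s.marked) {
                s.marked = false;   // survives; reset for the next cycle
                continue;
            }
            s.live = false;         // unreachable: free the cell
            freeList.push_back(&s);
        }
    }
};

// Plays the role of vPC[4].u.structure: remembers the first structure seen so a
// later access can ask "same shape as last time?" with a pointer compare.
struct InlineCache {
    Structure* initialStructure = nullptr;
};

struct Outcome {
    bool stableHit;             // did the cache claim the new object matches?
    int idBehindCachedPointer;  // which object the cached pointer now names
};

// markCacheSlot == false reproduces the old behaviour (slot never visited);
// markCacheSlot == true reproduces the fix (slot appended as a GC root).
static Outcome runScenario(bool markCacheSlot) {
    Heap heap;
    InlineCache cache;
    Structure* ownerSlot = heap.allocate(1);   // structure A, reachable via ownerSlot
    cache.initialStructure = ownerSlot;        // first access records A

    std::vector<Structure**> roots;
    roots.push_back(&ownerSlot);
    if (markCacheSlot)
        roots.push_back(&cache.initialStructure);

    ownerSlot = nullptr;   // A becomes unreachable from the real roots
    heap.collect(roots);   // old code: A is swept; fixed code: the cache keeps A alive

    Structure* fresh = heap.allocate(2);       // structure B, an unrelated shape
    Outcome out;
    out.stableHit = (cache.initialStructure == fresh);   // the old pointer compare
    out.idBehindCachedPointer = cache.initialStructure->id;
    return out;
}

int main() {
    Outcome broken = runScenario(false);
    Outcome fixed = runScenario(true);
    std::printf("slot not marked: stable hit=%d, cached pointer now names structure %d\n",
                broken.stableHit, broken.idBehindCachedPointer);
    std::printf("slot marked:     stable hit=%d, cached pointer still names structure %d\n",
                fixed.stableHit, fixed.idBehindCachedPointer);
    return 0;
}
```

With the slot unmarked, A is swept, its cell is reused for B, and the cache reports a "stable" hit for a structure it has never seen, which is why "only used for a pointer compare" did not make the dangling slot safe. With the slot appended as a root, A stays alive, B lands in a different cell, and the compare correctly fails.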

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (87189 => 87190)


--- trunk/Source/_javascript_Core/ChangeLog	2011-05-24 19:32:03 UTC (rev 87189)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-05-24 19:39:47 UTC (rev 87190)
@@ -1,3 +1,22 @@
+2011-05-24  Oliver Hunt  <oli...@apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Interpreter crashes with gc validation enabled due to failure to mark initial cache structure
+        https://bugs.webkit.org/show_bug.cgi?id=61385
+
+        The interpreter uses the structure slot of get_by_id and put_by_id to hold
+        the initial structure it encountered so that it can identify whether a
+        given access is stable.
+
+        When marking though we only visit the slot when we've decided to cache, and
+        so this value could die.  This was "safe" as the value was only used for a
+        pointer compare, but it was incorrect.  We now just mark the slot like we
+        should have been doing already.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::visitStructures):
+
 2011-05-24  Adam Roben  <aro...@apple.com>
 
         Windows build fix

Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (87189 => 87190)


--- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2011-05-24 19:32:03 UTC (rev 87189)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2011-05-24 19:39:47 UTC (rev 87190)
@@ -1405,6 +1405,11 @@
 {
     Interpreter* interpreter = m_globalData->interpreter;
 
+    if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id) && vPC[4].u.structure) {
+        visitor.append(&vPC[4].u.structure);
+        return;
+    }
+
     if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_self) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_self) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_self)) {
         visitor.append(&vPC[4].u.structure);
         return;
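Review bot: the new op_get_by_id branch guards on `vPC[4].u.structure` being non-null while the op_get_by_id_self branch directly below it appends unconditionally; since the description says this slot holds the initial structure the interpreter encountered, the guard is presumably for a get_by_id that has not executed yet, and a one-line comment at the new `if` saying so would save the next reader from wondering why only this branch needs the check. Placing the branch ahead of the cached variants with an early return is fine, as the opcode comparisons are mutually exclusive.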
@@ -1425,6 +1430,10 @@
         visitor.append(&vPC[6].u.structureChain);
         return;
     }
+    if (vPC[0].u.opcode == interpreter->getOpcode(op_put_by_id) && vPC[4].u.structure) {
+        visitor.append(&vPC[4].u.structure);
+        return;
+    }
     if (vPC[0].u.opcode == interpreter->getOpcode(op_put_by_id_replace)) {
         visitor.append(&vPC[4].u.structure);
         return;
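Review bot: this op_put_by_id branch is identical to the op_get_by_id one in the first hunk apart from the opcode, and it sits after the branch that appends `vPC[6].u.structureChain` rather than beside the other uncached case; consider a single `if ((opcode == op_get_by_id || opcode == op_put_by_id) && vPC[4].u.structure)` at the top of the function so the null-guarded "initial structure" marking lives in one place and any future opcode that records a structure in slot 4 the same way is less likely to be missed.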
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
