Title: [98525] trunk/Source/_javascript_Core
Revision
98525
Author
oli...@apple.com
Date
2011-10-26 17:19:31 -0700 (Wed, 26 Oct 2011)

Log Message

Restore structure-clearing behaviour of allocateCell<>
https://bugs.webkit.org/show_bug.cgi?id=70976

Reviewed by Geoffrey Garen.

This restores the logic that allows the markstack to filter
live objects that have not yet been initialised.

* runtime/JSCell.h:
(JSC::JSCell::clearStructure):
   Validation-safe method to clear a cell's structure.
(JSC::allocateCell):
   Call the above method.
* runtime/Structure.h:
(JSC::MarkStack::internalAppend):
   Don't visit cells that haven't been initialised.

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (98524 => 98525)


--- trunk/Source/_javascript_Core/ChangeLog	2011-10-26 22:42:55 UTC (rev 98524)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-10-27 00:19:31 UTC (rev 98525)
@@ -1,3 +1,22 @@
+2011-10-26  Oliver Hunt  <oli...@apple.com>
+
+        Restore structure-clearing behaviour of allocateCell<>
+        https://bugs.webkit.org/show_bug.cgi?id=70976
+
+        Reviewed by Geoffrey Garen.
+
+        This restores the logic that allows the markstack to filter
+        live objects that have not yet been initialised.
+
+        * runtime/JSCell.h:
+        (JSC::JSCell::clearStructure):
+           Validation-safe method to clear a cell's structure.
+        (JSC::allocateCell):
+           Call the above method.
+        * runtime/Structure.h:
+        (JSC::MarkStack::internalAppend):
+           Don't visit cells that haven't been initialised.
+
 2011-10-26  Filip Pizlo  <fpi...@apple.com>
 
         REGRESSION (r97030): Cannot log in to progressive.com

Modified: trunk/Source/_javascript_Core/runtime/JSCell.h (98524 => 98525)


--- trunk/Source/_javascript_Core/runtime/JSCell.h	2011-10-26 22:42:55 UTC (rev 98524)
+++ trunk/Source/_javascript_Core/runtime/JSCell.h	2011-10-27 00:19:31 UTC (rev 98525)
@@ -66,6 +66,7 @@
 
         Structure* structure() const;
         void setStructure(JSGlobalData&, Structure*);
+        void clearStructure() { m_structure.clear(); }
 
         // Extracting the value.
         bool getString(ExecState* exec, UString&) const;
@@ -306,7 +307,9 @@
         ASSERT(!heap.globalData()->isInitializingObject());
         heap.globalData()->setInitializingObject(true);
 #endif
-        return heap.allocate(sizeof(T));
+        JSCell* result = static_cast<JSCell*>(heap.allocate(sizeof(T)));
+        result->clearStructure();
+        return result;
     }
     
     inline bool isZapped(const JSCell* cell)
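Review bot: the `static_cast<JSCell*>` and the `result->clearStructure();` call operate on memory whose constructor has not yet run, and the hunk does not say why that is safe or desired. Since the null structure is what lets the mark stack skip a cell that is live but not yet initialised (the behaviour the log message restores), a comment on the `result->clearStructure();` line explaining that the structure is cleared so a collection between allocation and construction does not visit the cell, and that the constructor is expected to set it, would make the contract visible to the next person touching this function. The debug-only `setInitializingObject(true)` above still precedes the allocation, so the existing ordering is preserved.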

Modified: trunk/Source/_javascript_Core/runtime/Structure.h (98524 => 98525)


--- trunk/Source/_javascript_Core/runtime/Structure.h	2011-10-26 22:42:55 UTC (rev 98524)
+++ trunk/Source/_javascript_Core/runtime/Structure.h	2011-10-27 00:19:31 UTC (rev 98525)
@@ -359,7 +359,7 @@
         validate(cell);
 #endif
         m_visitCount++;
-        if (Heap::testAndSetMarked(cell))
+        if (Heap::testAndSetMarked(cell) || !cell->structure())
             return;
         m_stack.append(cell);
     }
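Review bot: with the new condition `if (Heap::testAndSetMarked(cell) || !cell->structure())`, an uninitialised cell is marked (so it stays alive) but is never pushed for visiting; that matches the stated intent, since the cell is reachable but has nothing to trace yet, but a short comment on the line would make the deliberate asymmetry explicit. Also confirm that `validate(cell)` on the line above, which runs before this test in the build that compiles it, tolerates a null structure; if it dereferences the structure, debug builds would assert on an uninitialised cell before ever reaching the new guard.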