Title: [206628] trunk/Source/_javascript_Core
Revision
206628
Author
fpi...@apple.com
Date
2016-09-29 17:48:55 -0700 (Thu, 29 Sep 2016)

Log Message

REGRESSION(r206555): It made Dromaeo/jslib-style-jquery.html crash
https://bugs.webkit.org/show_bug.cgi?id=162721

Reviewed by Keith Miller.
        
The put_by_id-in-put_by_val optimization had the write barrier in the wrong place and
incorrectly filtered on value instead of base.
        
No reduced test case. You really need to run Dromaeo/jslib to catch it. I love Dromaeo's
ability to catch GC bugs.

* jit/JITPropertyAccess.cpp:
(JSC::JIT::emitPutByValWithCachedId):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp
Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (206627 => 206628)


--- trunk/Source/_javascript_Core/ChangeLog	2016-09-30 00:47:21 UTC (rev 206627)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-09-30 00:48:55 UTC (rev 206628)
@@ -1,3 +1,19 @@
+2016-09-29  Filip Pizlo  <fpi...@apple.com>
+
+        REGRESSION(r206555): It made Dromaeo/jslib-style-jquery.html crash
+        https://bugs.webkit.org/show_bug.cgi?id=162721
+
+        Reviewed by Keith Miller.
+        
+        The put_by_id-in-put_by_val optimization had the write barrier in the wrong place and
+        incorrectly filtered on value instead of base.
+        
+        No reduced test case. You really need to run Dromaeo/jslib to catch it. I love Dromaeo's
+        ability to catch GC bugs.
+
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emitPutByValWithCachedId):
+
 2016-09-29  Joseph Pecoraro  <pecor...@apple.com>
 
         Arrow functions do not infer name from computed property but normal functions do
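Review bot: The ChangeLog entry says the barrier was "in the wrong place" but never says where it moved to or what the new filter means; a reader of this entry alone cannot tell what the fix is. Suggest stating it concretely, matching the JITPropertyAccess.cpp hunk below: the barrier in emitPutByValWithCachedId now runs after gen.generateFastPath(*this), i.e. after the cached put_by_id fast path has performed the store, and uses ShouldFilterBase rather than ShouldFilterValue, so the barrier is keyed on the object being written into rather than on the value being stored. Also worth recording that there is no regression test and that Dromaeo/jslib-style-jquery.html is the reproduction, so the next person touching this path knows how to exercise it.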

Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (206627 => 206628)


--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2016-09-30 00:47:21 UTC (rev 206627)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2016-09-30 00:48:55 UTC (rev 206628)
@@ -442,7 +442,6 @@
 
     // Write barrier breaks the registers. So after issuing the write barrier,
     // reload the registers.
-    emitWriteBarrier(base, value, ShouldFilterValue);
     emitGetVirtualRegisters(base, regT0, value, regT1);
 
     JITPutByIdGenerator gen(
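Review bot: The comment kept at the top of this hunk, "Write barrier breaks the registers. So after issuing the write barrier, reload the registers.", is now stale: the emitWriteBarrier(base, value, ShouldFilterValue) call it refers to is deleted, and emitGetVirtualRegisters(base, regT0, value, regT1) is no longer preceded by a barrier at all. Leaving it in will mislead the next reader into thinking a barrier still runs here. Suggest rewording it to describe what the reload is now for, for example "Load base and value for the cached put_by_id fast path." or dropping it.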
@@ -449,6 +448,7 @@
         m_codeBlock, CodeOrigin(m_bytecodeOffset), CallSiteIndex(m_bytecodeOffset), RegisterSet::stubUnavailableRegisters(),
         JSValueRegs(regT0), JSValueRegs(regT1), regT2, m_codeBlock->ecmaMode(), putKind);
     gen.generateFastPath(*this);
+    emitWriteBarrier(base, value, ShouldFilterBase);
     doneCases.append(jump());
 
     Label coldPathBegin = label();
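Review bot: The barrier is now emitted only on the fast path, between gen.generateFastPath(*this) and doneCases.append(jump()), so it covers the case where the cached put_by_id fast path performs the store. The cold path that starts at coldPathBegin is not in this hunk, and nothing visible here shows it issuing a barrier for base after its own store; please confirm that the slow-path call site already barriers the base object, otherwise the fix covers only the cached store and the cold path remains where the old (now deleted) barrier used to be relied on. Since the comment earlier in this function notes that emitWriteBarrier clobbers registers, placing it after generateFastPath also means nothing after this point may assume regT0/regT1 still hold base and value; that holds here because the next instruction is the unconditional jump into doneCases, but it is worth a one-line comment so a later edit does not insert code between the barrier and the jump.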
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes