Title: [208372] branches/safari-602-branch/Source/_javascript_Core

Diff

Modified: branches/safari-602-branch/Source/_javascript_Core/ChangeLog (208371 => 208372)


--- branches/safari-602-branch/Source/_javascript_Core/ChangeLog	2016-11-04 05:11:12 UTC (rev 208371)
+++ branches/safari-602-branch/Source/_javascript_Core/ChangeLog	2016-11-04 05:15:11 UTC (rev 208372)
@@ -1,3 +1,20 @@
+2016-11-03  Matthew Hanson  <matthew_han...@apple.com>
+
+        Merge r208299. rdar://problem/28857505
+
+    2016-11-02  Michael Saboff  <msab...@apple.com>
+
+            Crash beneath SlotVisitor::drain @ cooksillustrated.com
+            https://bugs.webkit.org/show_bug.cgi?id=164304
+
+            Reviewed by Mark Lam.
+
+            Added back write barrier for the base cell of put-by_id in the LLInt when the structure is
+            changed.  Also removed the unused macro "storeStructureWithTypeInfo".
+
+            * llint/LowLevelInterpreter32_64.asm:
+            * llint/LowLevelInterpreter64.asm:
+
 2016-10-28  Mark Lam  <mark....@apple.com>
 
         Merge r208018. rdar://problem/28962887, rdar://problem/28962912

Modified: branches/safari-602-branch/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (208371 => 208372)


--- branches/safari-602-branch/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm	2016-11-04 05:11:12 UTC (rev 208371)
+++ branches/safari-602-branch/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm	2016-11-04 05:15:11 UTC (rev 208372)
@@ -490,13 +490,6 @@
         payload)
 end
 
-macro storeStructureWithTypeInfo(cell, structure, scratch)
-    storep structure, JSCell::m_structureID[cell]
-
-    loadi Structure::m_blob + StructureIDBlob::u.words.word2[structure], scratch
-    storei scratch, JSCell::m_indexingType[cell]
-end
-
 macro writeBarrierOnOperand(cellOperand)
     loadisFromInstruction(cellOperand, t1)
     loadConstantOrVariablePayload(t1, CellTag, t2, .writeBarrierDone)
@@ -1568,6 +1561,12 @@
 
 .opPutByIdTransitionDirect:
     storei t1, JSCell::m_structureID[t0]
+    loadi 12[PC], t1
+    loadConstantOrVariable(t1, t2, t3)
+    loadi 20[PC], t1
+    storePropertyAtVariableOffset(t1, t0, t2, t3)
+    writeBarrierOnOperand(1)
+    dispatch(9)
 
 .opPutByIdNotTransition:
     # The only thing live right now is t0, which holds the base.
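Review bot: The lines added after `storei t1, JSCell::m_structureID[t0]` re-implement the load/store/dispatch tail instead of falling through to `.opPutByIdNotTransition` as the 64-bit interpreter's version of this fix does, and nothing in the hunk says why the two files diverge. Judging from the prologue of `writeBarrierOnOperand` visible in the earlier hunk (it loads into t1 and t2), the barrier clobbers the value registers, which presumably is why the property store has to precede it here; that is worth stating, e.g. `# Store the property before the barrier: writeBarrierOnOperand clobbers t1/t2.` The hard-coded `dispatch(9)` also duplicates whatever length the fall-through path dispatches with, so a short comment tying it to the op_put_by_id length would stop the two from silently drifting apart. The op_put_by_id handler continues outside the hunk.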

Modified: branches/safari-602-branch/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (208371 => 208372)


--- branches/safari-602-branch/Source/_javascript_Core/llint/LowLevelInterpreter64.asm	2016-11-04 05:11:12 UTC (rev 208371)
+++ branches/safari-602-branch/Source/_javascript_Core/llint/LowLevelInterpreter64.asm	2016-11-04 05:15:11 UTC (rev 208372)
@@ -1447,6 +1447,10 @@
 
 .opPutByIdTransitionDirect:
     storei t1, JSCell::m_structureID[t0]
+    writeBarrierOnOperand(1)
+    # Reload base into t0
+    loadisFromInstruction(1, t1)
+    loadConstantOrVariable(t1, t0)
 
 .opPutByIdNotTransition:
     # The only thing live right now is t0, which holds the base.
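Review bot: The barrier added at `writeBarrierOnOperand(1)` runs before the property value is stored by the fall-through into `.opPutByIdNotTransition`, so the fix is correct only if no collection can run between the barrier and that store; the hunk records neither that assumption nor what the barrier protects. A comment on the barrier line would help the next reader, e.g. `# t0 now references the new Structure; barrier the base so the GC rescans the cell.` The existing `# Reload base into t0` could also say that the reload is needed because writeBarrierOnOperand clobbers t0 (inferred from the reload itself, not shown in the hunk). The handler's remaining body lies outside the hunk.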