Skip to site navigation (Press enter)

[webkit-changes] [163639] trunk/Source/JavaScriptCore

oliver Fri, 07 Feb 2014 11:59:54 -0800

Title: [163639] trunk/Source/_javascript_Core

Revision: 163639
Author: oli...@apple.com
Date: 2014-02-07 11:59:58 -0800 (Fri, 07 Feb 2014)

Log Message

REGRESSION (r160628): LLint does not appear to handle impure get own property properly
https://bugs.webkit.org/show_bug.cgi?id=127943


Reviewed by Filip Pizlo.

Make sure the LLINT doesn't attempt to cache property
access on structures with impureGetOwnPropertySlot set.

* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (163638 => 163639)


--- trunk/Source/_javascript_Core/ChangeLog	2014-02-07 19:57:09 UTC (rev 163638)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-02-07 19:59:58 UTC (rev 163639)
@@ -1,3 +1,16 @@
+2014-02-07  Oliver Hunt  <oli...@apple.com>
+
+        REGRESSION (r160628): LLint does not appear to handle impure get own property properly
+        https://bugs.webkit.org/show_bug.cgi?id=127943
+
+        Reviewed by Filip Pizlo.
+
+        Make sure the LLINT doesn't attempt to cache property
+        access on structures with impureGetOwnPropertySlot set.
+
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+
 2014-02-06  Michael Saboff  <msab...@apple.com>
 
         Workaround REGRESSION(r163195-r163227): Crash beneath NSErrorUserInfoFromJSException when installing AppleInternal.mpkg

Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (163638 => 163639)


--- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2014-02-07 19:57:09 UTC (rev 163638)
+++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2014-02-07 19:59:58 UTC (rev 163639)
@@ -573,9 +573,10 @@
         Structure* structure = baseCell->structure();
         
         if (!structure->isUncacheableDictionary()
-            && !structure->typeInfo().prohibitsPropertyCaching()) {
+            && !structure->typeInfo().prohibitsPropertyCaching()
+            && !structure->typeInfo().newImpurePropertyFiresWatchpoints()) {
             ConcurrentJITLocker locker(codeBlock->m_lock);
-            
+
             pc[4].u.structure.set(
                 vm, codeBlock->ownerExecutable(), structure);
             if (isInlineOffset(slot.cachedOffset())) {

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes