Title: [173214] trunk/Source/_javascript_Core
Revision: 173214
Author: fpi...@apple.com
Date: 2014-09-03 11:58:24 -0700 (Wed, 03 Sep 2014)

Log Message

CallEdgeProfile::visitWeak() should gracefully handle the case where primaryCallee duplicates an entry in otherCallees
https://bugs.webkit.org/show_bug.cgi?id=136490

Reviewed by Geoffrey Garen.

* bytecode/CallEdgeProfile.cpp:
(JSC::CallEdgeProfile::visitWeak):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (173213 => 173214)


--- trunk/Source/_javascript_Core/ChangeLog	2014-09-03 18:50:23 UTC (rev 173213)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-09-03 18:58:24 UTC (rev 173214)
@@ -1,5 +1,15 @@
 2014-09-03  Filip Pizlo  <fpi...@apple.com>
 
+        CallEdgeProfile::visitWeak() should gracefully handle the case where primaryCallee duplicates an entry in otherCallees
+        https://bugs.webkit.org/show_bug.cgi?id=136490
+
+        Reviewed by Geoffrey Garen.
+
+        * bytecode/CallEdgeProfile.cpp:
+        (JSC::CallEdgeProfile::visitWeak):
+
+2014-09-03  Filip Pizlo  <fpi...@apple.com>
+
         FTL In implementation sets callReturnLocation incorrectly leading to crashes beneath repatchCall()
         https://bugs.webkit.org/show_bug.cgi?id=136488
 

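Review bot: the new ChangeLog entry names the function but says nothing about what changed in it. Since the corresponding hunk in bytecode/CallEdgeProfile.cpp drops `ASSERT(!!m_otherCallees == (list.size() >= 2));` and guards the rebuild of `m_processed` with `if (list.size() >= 2)`, the line under `(JSC::CallEdgeProfile::visitWeak):` should state that the invariant was relaxed and why (primary may duplicate an otherCallees entry after GC clears it and log processing reinstates it), so a reader of the ChangeLog does not have to open the diff to learn that an assertion was removed.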
Modified: trunk/Source/_javascript_Core/bytecode/CallEdgeProfile.cpp (173213 => 173214)


--- trunk/Source/_javascript_Core/bytecode/CallEdgeProfile.cpp	2014-09-03 18:50:23 UTC (rev 173213)
+++ trunk/Source/_javascript_Core/bytecode/CallEdgeProfile.cpp	2014-09-03 18:58:24 UTC (rev 173214)
@@ -135,11 +135,17 @@
         m_primaryCallee = list.last().key;
         m_numCallsToPrimary = list.last().count;
         
-        ASSERT(!!m_otherCallees == (list.size() >= 2));
         if (m_otherCallees) {
             m_otherCallees->m_processed.clear();
-            for (unsigned i = list.size() - 1; i--;)
-                m_otherCallees->m_processed.append(CallEdge(list[i].key, list[i].count));
+
+            // We could have a situation where the GC clears the primary and then log processing
+            // reinstates it without ever doing an addSlow and subsequent mergeBack. In such a case
+            // the primary could duplicate an entry in otherCallees, which means that even though we
+            // had an otherCallees object, the list size is just 1.
+            if (list.size() >= 2) {
+                for (unsigned i = list.size() - 1; i--;)
+                    m_otherCallees->m_processed.append(CallEdge(list[i].key, list[i].count));
+            }
         }
         
         m_closuresAreDespecified = true;
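Review bot: deleting `ASSERT(!!m_otherCallees == (list.size() >= 2));` outright discards the half of the invariant that the fix does not need to relax. The new `if (list.size() >= 2)` guard handles the case the comment describes (m_otherCallees present while the list has a single entry), but the opposite case, m_otherCallees null while the list has two or more entries, was previously caught by the assertion and would now silently drop every callee except the primary. Suggest keeping that direction, e.g. `ASSERT(list.size() < 2 || m_otherCallees);` just before `if (m_otherCallees) {`. Also note that `m_otherCallees->m_processed.clear();` still runs when the loop is skipped, so in the duplicate-primary case the processed list ends up empty; that is correct given the comment (the only entry is the primary), but a short sentence in the comment saying the list is intentionally left empty would keep the next reader from treating it as a lost update.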
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes