Title: [92393] trunk/Source/_javascript_Core
- Revision: 92393
- Author: [email protected]
- Date: 2011-08-04 11:26:30 -0700 (Thu, 04 Aug 2011)
Log Message
Interpreter can potentially GC in the middle of initializing a structure chain
https://bugs.webkit.org/show_bug.cgi?id=65638
Patch by Mark Hahnenberg <[email protected]> on 2011-08-04
Reviewed by Oliver Hunt.
Moved the allocation of a prototype StructureChain before the initialization of
the structure chain within the interpreter that was causing intermittent GC crashes.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::tryCachePutByID):
* wtf/Platform.h:
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (92392 => 92393)
--- trunk/Source/_javascript_Core/ChangeLog 2011-08-04 18:19:43 UTC (rev 92392)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-08-04 18:26:30 UTC (rev 92393)
@@ -1,3 +1,17 @@
+2011-08-04 Mark Hahnenberg <[email protected]>
+
+ Interpreter can potentially GC in the middle of initializing a structure chain
+ https://bugs.webkit.org/show_bug.cgi?id=65638
+
+ Reviewed by Oliver Hunt.
+
+ Moved the allocation of a prototype StructureChain before the initialization of
+ the structure chain within the interpreter that was causing intermittent GC crashes.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::tryCachePutByID):
+ * wtf/Platform.h:
+
2011-08-04 Filip Pizlo <[email protected]>
Eval handling attempts literal parsing even when the eval
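Review bot: the entry `* wtf/Platform.h:` in this ChangeLog hunk carries no description of what changed in that file, and no diff hunk for wtf/Platform.h appears alongside the Interpreter.cpp hunk on this page; either drop the entry or state what was changed there (the `(JSC::Interpreter::tryCachePutByID):` line shows the expected level of detail), so the ChangeLog matches what the commit actually touches.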
Modified: trunk/Source/_javascript_Core/interpreter/Interpreter.cpp (92392 => 92393)
--- trunk/Source/_javascript_Core/interpreter/Interpreter.cpp 2011-08-04 18:19:43 UTC (rev 92392)
+++ trunk/Source/_javascript_Core/interpreter/Interpreter.cpp 2011-08-04 18:26:30 UTC (rev 92393)
@@ -1394,10 +1394,14 @@
normalizePrototypeChain(callFrame, baseCell);
JSCell* owner = codeBlock->ownerExecutable();
JSGlobalData& globalData = callFrame->globalData();
+ // Get the prototype here because the call to prototypeChain could cause a
+ // GC allocation, which we don't want to happen while we're in the middle of
+ // initializing the union.
+ StructureChain* prototypeChain = structure->prototypeChain(callFrame);
vPC[0] = getOpcode(op_put_by_id_transition);
vPC[4].u.structure.set(globalData, owner, structure->previousID());
vPC[5].u.structure.set(globalData, owner, structure);
- vPC[6].u.structureChain.set(callFrame->globalData(), codeBlock->ownerExecutable(), structure->prototypeChain(callFrame));
+ vPC[6].u.structureChain.set(callFrame->globalData(), codeBlock->ownerExecutable(), prototypeChain);
ASSERT(vPC[6].u.structureChain);
vPC[7] = slot.cachedOffset();
return;
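Review bot: hoisting `StructureChain* prototypeChain = structure->prototypeChain(callFrame);` above `vPC[0] = getOpcode(op_put_by_id_transition);` is the right fix, because between that opcode write and the write to `vPC[6]` the instruction is a transition whose structureChain slot is not yet set, and an allocation-triggered GC in that window is what the log message describes as the intermittent crash. Two follow-ups: the new comment says "initializing the union", but the hazard is the partially rewritten instruction (vPC[0] through vPC[7]) as a whole, so the comment should say that no allocation may happen until all slots of the op_put_by_id_transition instruction are written; and the updated `vPC[6]` line still calls `callFrame->globalData()` and `codeBlock->ownerExecutable()` even though the `globalData` and `owner` locals were introduced two lines above and are already used for `vPC[4]` and `vPC[5]`, so it should use those for consistency. It is also worth confirming that `structure->previousID()` and the `.set(...)` calls cannot allocate, since `prototypeChain` is held as a raw pointer across them and the fix relies on nothing else in that span triggering a collection.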