Title: [203416] trunk/Source/JavaScriptCore
- Revision: 203416
- Author: [email protected]
- Date: 2016-07-19 13:15:51 -0700 (Tue, 19 Jul 2016)
Log Message
REGRESSION (r203348-r203368): ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info())
https://bugs.webkit.org/show_bug.cgi?id=159930
Reviewed by Geoffrey Garen.
The problem is that the 32-bit DFG can flush the scope register as an unboxed cell, but the
Register::scope() method was causing us to assert that it's a JSValue with proper cell
boxing. We could have forced the DFG to flush it as a boxed JSValue, but I don't think that
would have made anything better. This fixes the issue by teaching Register::scope() that it
might see unboxed cells.
* runtime/JSScope.h:
(JSC::Register::scope):
(JSC::ExecState::lexicalGlobalObject):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (203415 => 203416)
--- trunk/Source/_javascript_Core/ChangeLog 2016-07-19 20:10:02 UTC (rev 203415)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-07-19 20:15:51 UTC (rev 203416)
@@ -1,5 +1,22 @@
2016-07-19 Filip Pizlo <[email protected]>
+ REGRESSION (r203348-r203368): ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(std::remove_pointer<To>::type::info())
+ https://bugs.webkit.org/show_bug.cgi?id=159930
+
+ Reviewed by Geoffrey Garen.
+
+ The problem is that the 32-bit DFG can flush the scope register as an unboxed cell, but the
+ Register::scope() method was causing us to assert that it's a JSValue with proper cell
+ boxing. We could have forced the DFG to flush it as a boxed JSValue, but I don't think that
+ would have made anything better. This fixes the issue by teaching Register::scope() that it
+ might see unboxed cells.
+
+ * runtime/JSScope.h:
+ (JSC::Register::scope):
+ (JSC::ExecState::lexicalGlobalObject):
+
+2016-07-19 Filip Pizlo <[email protected]>
+
B3 methods that mutate the successors array should take FrequentedBlock by value
https://bugs.webkit.org/show_bug.cgi?id=159935
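Review bot: The new entry lists (JSC::ExecState::lexicalGlobalObject) as a changed function, but in the JSScope.h diff that function appears only as an unchanged context line after Register::scope(); the only code change shown is in Register::scope(). Either drop that line from the entry or say what changed there. The entry is also a regression fix for an assertion failure and names no test; a line pointing at the test that hit the assertion on 32-bit would let a reader confirm the fix.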
Modified: trunk/Source/_javascript_Core/runtime/JSScope.h (203415 => 203416)
--- trunk/Source/_javascript_Core/runtime/JSScope.h 2016-07-19 20:10:02 UTC (rev 203415)
+++ trunk/Source/_javascript_Core/runtime/JSScope.h 2016-07-19 20:15:51 UTC (rev 203416)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012-2015 Apple Inc. All Rights Reserved.
+ * Copyright (C) 2012-2016 Apple Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -142,7 +142,7 @@
inline JSScope* Register::scope() const
{
- return jsCast<JSScope*>(jsValue());
+ return jsCast<JSScope*>(unboxedCell());
}
inline JSGlobalObject* ExecState::lexicalGlobalObject() const
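Review bot: Register::scope() now reads the slot through unboxedCell() unconditionally, with no comment explaining why, while the log says the register "might see" unboxed cells, which means boxed values still reach this accessor too. Please add a short comment above the return stating that the 32-bit DFG can flush the scope as an unboxed cell and that unboxedCell() is also valid when the slot holds a boxed JSValue, so a later cleanup does not switch it back to jsValue(). It is also worth confirming in the review that the jsCast on the raw cell pointer still performs the inherits() type check, since the isCell() half of the assertion quoted in the log was tied to the JSValue path.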