Title: [213773] trunk/Source/JavaScriptCore
Revision: 213773
Author: [email protected]
Date: 2017-03-12 15:56:55 -0700 (Sun, 12 Mar 2017)
Log Message
Structure::willStoreValueSlow needs to keep the property table alive until the end
https://bugs.webkit.org/show_bug.cgi?id=169520
Reviewed by Michael Saboff.
We use pointers logically interior to `propertyTable` after doing a GC. We need to prevent the
compiler from optimizing away pointers to `propertyTable`.
* heap/HeapCell.cpp:
(JSC::HeapCell::use):
* heap/HeapCell.h:
(JSC::HeapCell::use): Introduce API for keeping a pointer alive until some point in execution.
* runtime/Structure.cpp:
(JSC::Structure::willStoreValueSlow): Use HeapCell::use() to keep the pointer alive.
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (213772 => 213773)
--- trunk/Source/_javascript_Core/ChangeLog 2017-03-12 20:19:04 UTC (rev 213772)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-03-12 22:56:55 UTC (rev 213773)
@@ -1,3 +1,20 @@
+2017-03-11 Filip Pizlo <[email protected]>
+
+ Structure::willStoreValueSlow needs to keep the property table alive until the end
+ https://bugs.webkit.org/show_bug.cgi?id=169520
+
+ Reviewed by Michael Saboff.
+
+ We use pointers logically interior to `propertyTable` after doing a GC. We need to prevent the
+ compiler from optimizing away pointers to `propertyTable`.
+
+ * heap/HeapCell.cpp:
+ (JSC::HeapCell::use):
+ * heap/HeapCell.h:
+ (JSC::HeapCell::use): Introduce API for keeping a pointer alive until some point in execution.
+ * runtime/Structure.cpp:
+ (JSC::Structure::willStoreValueSlow): Use HeapCell::use() to keep the pointer alive.
+
2017-03-11 Yusuke Suzuki <[email protected]>
Unreviewed, suprress warnings in JSC B3
Modified: trunk/Source/_javascript_Core/heap/HeapCell.cpp (213772 => 213773)
--- trunk/Source/_javascript_Core/heap/HeapCell.cpp 2017-03-12 20:19:04 UTC (rev 213772)
+++ trunk/Source/_javascript_Core/heap/HeapCell.cpp 2017-03-12 22:56:55 UTC (rev 213773)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -28,6 +28,16 @@
#include <wtf/PrintStream.h>
+namespace JSC {
+
+#if !COMPILER(GCC_OR_CLANG)
+void HeapCell::use() const
+{
+}
+#endif
+
+} // namespace JSC
+
namespace WTF {
using namespace JSC;
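Review bot: the non-GCC/Clang fallback `void HeapCell::use() const {}` only does its job because the empty body is defined out of line here in HeapCell.cpp, where the optimizer in another translation unit cannot see it and therefore has to materialize `this` for the call; nothing in the hunk records that this is deliberate, and a link-time or whole-program optimizer that inlines across translation units would quietly reduce the call to nothing. Suggest a comment on the definition saying that it is intentionally out-of-line and why, so it is not later moved into the header as an inline no-op.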
Modified: trunk/Source/_javascript_Core/heap/HeapCell.h (213772 => 213773)
--- trunk/Source/_javascript_Core/heap/HeapCell.h 2017-03-12 20:19:04 UTC (rev 213772)
+++ trunk/Source/_javascript_Core/heap/HeapCell.h 2017-03-12 22:56:55 UTC (rev 213773)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -66,6 +66,18 @@
AllocatorAttributes allocatorAttributes() const;
DestructionMode destructionMode() const;
Kind cellKind() const;
+
+ // Call use() after the last point where you need `this` pointer to be kept alive. You usually don't
+ // need to use this, but it might be necessary if you're otherwise referring to an object's innards
+ // but not the object itself.
+#if COMPILER(GCC_OR_CLANG)
+ void use() const
+ {
+ asm volatile ("" : : "r"(this) : "memory");
+ }
+#else
+ void use() const;
+#endif
};
} // namespace JSC
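Review bot: the new comment tells callers when to invoke `use()` but not what it guarantees or how. `asm volatile ("" : : "r"(this) : "memory")` forces `this` into a register at that point, and the `"memory"` clobber keeps surrounding loads and stores from being reordered across it; that keeps the cell alive only because the collector conservatively scans registers and the stack for cell pointers, and, as the commit message implies, a pointer to the cell's innards does not count. Suggest stating that dependency in the comment, and making explicit that `use()` must be called on the cell whose interior is in use (here the property table), never on the interior pointer itself.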
Modified: trunk/Source/_javascript_Core/runtime/Structure.cpp (213772 => 213773)
--- trunk/Source/_javascript_Core/runtime/Structure.cpp 2017-03-12 20:19:04 UTC (rev 213772)
+++ trunk/Source/_javascript_Core/runtime/Structure.cpp 2017-03-12 22:56:55 UTC (rev 213773)
@@ -918,6 +918,8 @@
table->makeTop(vm, propertyName, age);
entry->hasInferredType = false;
}
+
+ propertyTable->use(); // This makes it safe to use entry above.
}
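Review bot: the comment `// This makes it safe to use entry above.` does not say why the call is needed: `entry` points into the property table, code earlier in this function can trigger a GC, and once `entry` has been derived the compiler is free to drop the last reference to `propertyTable` itself, which is what the conservative scan needs to see. Suggest expanding it, e.g. `propertyTable->use(); // entry points into propertyTable; keep the table itself reachable until entry is no longer used.` Also worth confirming that `propertyTable` and the `table` used in `table->makeTop(vm, propertyName, age)` refer to the same cell, since the hunk shows only the tail of the function; if `table` is the raw pointer taken from `propertyTable`, say so in the comment.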
#if DUMP_PROPERTYMAP_STATS
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes