Title: [231827] branches/safari-605-branch/Source/_javascript_Core
- Revision: 231827
- Author: [email protected]
- Date: 2018-05-15 18:41:52 -0700 (Tue, 15 May 2018)
Log Message
Cherry-pick r230486. rdar://problem/39988121
ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
https://bugs.webkit.org/show_bug.cgi?id=184460
<rdar://problem/37610966>
Reviewed by Mark Lam.
* bytecode/ExecutableToCodeBlockEdge.cpp:
(JSC::ExecutableToCodeBlockEdge::visitChildren):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230486 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-605-branch/Source/_javascript_Core/ChangeLog (231826 => 231827)
--- branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-05-16 01:41:49 UTC (rev 231826)
+++ branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-05-16 01:41:52 UTC (rev 231827)
@@ -1,5 +1,33 @@
2018-05-15 Kocsen Chung <[email protected]>
+ Cherry-pick r230486. rdar://problem/39988121
+
+ ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
+ https://bugs.webkit.org/show_bug.cgi?id=184460
+ <rdar://problem/37610966>
+
+ Reviewed by Mark Lam.
+
+ * bytecode/ExecutableToCodeBlockEdge.cpp:
+ (JSC::ExecutableToCodeBlockEdge::visitChildren):
+
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230486 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-04-10 Filip Pizlo <[email protected]>
+
+ ExecutableToCodeBlockEdge::visitChildren() should be cool with m_codeBlock being null since we clear it in finalizeUnconditionally()
+ https://bugs.webkit.org/show_bug.cgi?id=184460
+ <rdar://problem/37610966>
+
+ Reviewed by Mark Lam.
+
+ * bytecode/ExecutableToCodeBlockEdge.cpp:
+ (JSC::ExecutableToCodeBlockEdge::visitChildren):
+
+2018-05-15 Kocsen Chung <[email protected]>
+
Cherry-pick r230465. rdar://problem/39988131
Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
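Review bot: the new cherry-pick entry leaves three consecutive blank lines between the `(JSC::ExecutableToCodeBlockEdge::visitChildren):` line and the `git-svn-id:` line, where the surrounding entries use a single blank line; collapsing them keeps the ChangeLog format consistent with the rest of the file.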
Modified: branches/safari-605-branch/Source/_javascript_Core/bytecode/ExecutableToCodeBlockEdge.cpp (231826 => 231827)
--- branches/safari-605-branch/Source/_javascript_Core/bytecode/ExecutableToCodeBlockEdge.cpp 2018-05-16 01:41:49 UTC (rev 231826)
+++ branches/safari-605-branch/Source/_javascript_Core/bytecode/ExecutableToCodeBlockEdge.cpp 2018-05-16 01:41:52 UTC (rev 231827)
@@ -50,6 +50,13 @@
ExecutableToCodeBlockEdge* edge = jsCast<ExecutableToCodeBlockEdge*>(cell);
CodeBlock* codeBlock = edge->m_codeBlock.get();
+ // It's possible for someone to hold a pointer to the edge after the edge has cleared its weak
+ // reference to the codeBlock. In a conservative GC like ours, that could happen at random for
+ // no good reason and it's Totally OK (TM). See finalizeUnconditionally() for where we clear
+ // m_codeBlock.
+ if (!codeBlock)
+ return;
+
if (!edge->m_isActive) {
visitor.appendUnbarriered(codeBlock);
return;
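Review bot: the early return `if (!codeBlock) return;` is placed before both branches, so it guards the `visitor.appendUnbarriered(codeBlock)` call in the inactive path and whatever the active path does with `codeBlock` below it, which is the right spot for a value that can legitimately be null after finalizeUnconditionally() cleared the weak reference. The comment explains why a stale edge pointer can still be reachable under a conservative GC, but not that nothing remains to be visited once `m_codeBlock` is cleared regardless of `m_isActive`; one sentence saying the edge is inert in both the active and inactive case, plus a matching comment at the clearing site in finalizeUnconditionally() pointing back to this check, would keep the two sides from drifting apart.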