Title: [101910] trunk/Source/_javascript_Core
Revision
101910
Author
[email protected]
Date
2011-12-02 22:31:50 -0800 (Fri, 02 Dec 2011)

Log Message

REGRESSION (r99754): All layout tests crash on Windows
https://bugs.webkit.org/show_bug.cgi?id=72305

Reviewed by Geoffrey Garen.

Fixes a crash in release builds on Windows.  Windows was optimizing the out-of-line virtual destructor in
JSFunction away, which left it with no virtual functions.  Its vtable ptr was then identical to that of
a different class; therefore the optimization in the visitChildren helper function in MarkedStack.cpp was calling an
incorrect version of visitChildren on the object, which left its children unmarked, causing them to be
collected when they were still reachable.

* runtime/JSFunction.cpp:
(JSC::JSFunction::vtableAnchor): Add a virtual function to JSFunction that Visual Studio can't optimize away.
* runtime/JSFunction.h:
* runtime/JSGlobalData.cpp:
(JSC::JSGlobalData::storeVPtrs): Add checks to make sure that all virtual pointers that we rely on for optimization
purposes are distinct from one another.

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (101909 => 101910)


--- trunk/Source/_javascript_Core/ChangeLog	2011-12-03 06:21:48 UTC (rev 101909)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-12-03 06:31:50 UTC (rev 101910)
@@ -1,3 +1,23 @@
+2011-12-02  Mark Hahnenberg  <[email protected]>
+
+        REGRESSION (r99754): All layout tests crash on Windows
+        https://bugs.webkit.org/show_bug.cgi?id=72305
+
+        Reviewed by Geoffrey Garen.
+
+        Fixes a crash in release builds on Windows.  Windows was optimizing the out-of-line virtual destructor in 
+        JSFunction away, which left it with no virtual functions.  Its vtable ptr was then identical to that of 
+        a different class, therefore the optimization in the visitChildren helper function in MarkedStack.cpp was calling an 
+        incorrect version of visitChildren on the object, which left its children unmarked, causing them to be 
+        collected when they were still reachable.
+
+        * runtime/JSFunction.cpp:
+        (JSC::JSFunction::vtableAnchor): Add a virtual function to JSFunction that Visual Studio can't optimize away.
+        * runtime/JSFunction.h:
+        * runtime/JSGlobalData.cpp:
+        (JSC::JSGlobalData::storeVPtrs): Add checks to make sure that all virtual pointers that we rely on for optimization
+        purposes are distinct from one another.
+
 2011-12-02  Oliver Hunt  <[email protected]>
 
         Improve float array support in the DFG JIT
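Review bot: the four wrapped description lines of the new ChangeLog entry (those ending in "in ", "of ", "an " and "be ") carry trailing whitespace; strip it before landing, since the ChangeLog style check and later blame output both flag it.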

Modified: trunk/Source/_javascript_Core/runtime/JSFunction.cpp (101909 => 101910)


--- trunk/Source/_javascript_Core/runtime/JSFunction.cpp	2011-12-03 06:21:48 UTC (rev 101909)
+++ trunk/Source/_javascript_Core/runtime/JSFunction.cpp	2011-12-03 06:31:50 UTC (rev 101910)
@@ -118,6 +118,11 @@
     ASSERT(vptr() == JSGlobalData::jsFunctionVPtr);
 }
 
+void JSFunction::vtableAnchor()
+{
+    fprintf(stderr, "We need something here that Visual Studio can't optimize away.\n");
+}
+
 void createDescriptorForThrowingProperty(ExecState* exec, PropertyDescriptor& descriptor, const char* message)
 {
     JSValue thrower = createTypeErrorFunction(exec, message);
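Review bot: `JSFunction::vtableAnchor()` has no comment saying why it exists (to keep a non-foldable virtual function in JSFunction's vtable) or that it must never be called; if it ever is called it just writes to stderr and carries on. Add a comment mirroring the FIXME in the header, and consider replacing the `fprintf` with `CRASH()` (already used by this patch in JSGlobalData.cpp), which the optimizer equally cannot elide and which turns an accidental call into a loud failure rather than a stray stderr line.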

Modified: trunk/Source/_javascript_Core/runtime/JSFunction.h (101909 => 101910)


--- trunk/Source/_javascript_Core/runtime/JSFunction.h	2011-12-03 06:21:48 UTC (rev 101909)
+++ trunk/Source/_javascript_Core/runtime/JSFunction.h	2011-12-03 06:31:50 UTC (rev 101910)
@@ -66,6 +66,7 @@
         }
         
         virtual ~JSFunction();
+        virtual void vtableAnchor(); // FIXME: Remove this once optimizations no longer rely on testing vtables
 
         const UString& name(ExecState*);
         const UString displayName(ExecState*);
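Review bot: the FIXME on `virtual void vtableAnchor();` should reference the bug (https://bugs.webkit.org/show_bug.cgi?id=72305) so that whoever removes the vtable-based optimizations later can find why this anchor was needed and confirm it is safe to drop.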

Modified: trunk/Source/_javascript_Core/runtime/JSGlobalData.cpp (101909 => 101910)


--- trunk/Source/_javascript_Core/runtime/JSGlobalData.cpp	2011-12-03 06:21:48 UTC (rev 101909)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalData.cpp	2011-12-03 06:31:50 UTC (rev 101910)
@@ -154,6 +154,20 @@
     JSCell* jsFunction = new (storage) JSFunction(JSCell::VPtrStealingHack);
     CLOBBER_MEMORY();
     JSGlobalData::jsFunctionVPtr = jsFunction->vptr();
+
+    // Until we fully remove our reliance on vptrs, we need to make sure that everybody that 
+    // we think has a unique virtual pointer actually does.
+    if (jsFinalObjectVPtr == jsArrayVPtr
+        || jsFinalObjectVPtr == jsByteArrayVPtr
+        || jsFinalObjectVPtr == jsStringVPtr
+        || jsFinalObjectVPtr == jsFunctionVPtr
+        || jsArrayVPtr == jsByteArrayVPtr
+        || jsArrayVPtr == jsStringVPtr
+        || jsArrayVPtr == jsFunctionVPtr
+        || jsByteArrayVPtr == jsStringVPtr
+        || jsByteArrayVPtr == jsFunctionVPtr
+        || jsStringVPtr == jsFunctionVPtr)
+        CRASH();
 }
 
 JSGlobalData::JSGlobalData(GlobalDataType globalDataType, ThreadStackType threadStackType, HeapSize heapSize)
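Review bot: the ten hand-enumerated pairwise comparisons in `storeVPtrs` are fragile: adding a sixth stolen vptr requires five more clauses, and a forgotten pair silently reopens exactly the bug this patch fixes. Collect the vptrs in a small array and check all pairs in a loop, so the check grows with the list automatically. Keeping `CRASH()` rather than an ASSERT is the right call here, since the collision only showed up in release builds. Also strip the trailing whitespace at the end of the first comment line (`// Until we fully remove our reliance on vptrs, we need to make sure that everybody that `).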
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes