Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 85e12f867e913e108b00ade4cd52b30b7a4334ed
https://github.com/WebKit/WebKit/commit/85e12f867e913e108b00ade4cd52b30b7a4334ed
Author: Yusuke Suzuki <[email protected]>
Date: 2023-11-28 (Tue, 28 Nov 2023)
Changed paths:
A LayoutTests/js/dom/call-link-info-recursion-expected.txt
A LayoutTests/js/dom/call-link-info-recursion.html
M Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp
Log Message:
-----------
[JSC] PolymorphicCallNode should unchain itself first in unlink
https://bugs.webkit.org/show_bug.cgi?id=265475
rdar://118893186
Reviewed by Mark Lam.
PolymorphicCallNode::unlinkImpl calls m_callLinkInfo->unlink. But it is possible that this CallLinkInfo is holding PolymorphicCallNode's owner stub and it may clear the stub. Previously, we were always deferring this stub destruction until JITStubRoutineSet destroys it. But now, it is possible that they get deleted immediately when the owner CodeBlock is dead. This means that after calling m_callLinkInfo->unlink, it is possible that PolymorphicCallNode |this| is already destroyed.

This patch reorders unlink's operation in PolymorphicCallNode so that we first unlink it from the linked list. This is OK since we are not expecting that this is in the linked list in unlink calls. So after m_callLinkInfo->unlink, we no longer touch anything in PolymorphicCallNode.
* Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallNode::unlinkImpl):
Canonical link: https://commits.webkit.org/271246@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
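The ordering hazard the commit describes, as an added stand-alone illustration that is not WebKit's code: CallSite, Stub, Node, Unlink, Outcome and simulate are hypothetical stand-ins for CallLinkInfo, the call stub routine, PolymorphicCallNode and its unlink paths, the callee's linked list is modelled as a vector, and a weak_ptr is used only to detect, rather than trigger, the use-after-free that the old order would cause.

```cpp
#include <algorithm>
#include <memory>
#include <vector>
struct Node;
using Stub = std::vector<std::unique_ptr<Node>>;  // stand-in for the call stub routine
// Stand-in for CallLinkInfo: owns the stub, which in turn owns the nodes.
struct CallSite {
    std::shared_ptr<Stub> stub;
    // Models the owner CodeBlock being dead: unlink drops the stub now, destroying its nodes.
    void unlink() { stub.reset(); }
};
enum class Unlink { Ok, NodeAlreadyDestroyed };
// Stand-in for PolymorphicCallNode: owned by the stub and also on the callee's list (vector here).
struct Node {
    CallSite* callSite;
    std::vector<Node*>* incoming;
    Node(CallSite* s, std::vector<Node*>* l) : callSite(s), incoming(l) {}
    void removeFromIncoming() {
        auto& v = *incoming;
        v.erase(std::remove(v.begin(), v.end(), this), v.end());
    }
    // Old order: unlink the call site first, then detach; if the stub died, |this| is already freed.
    Unlink unlinkOldOrder() {
        std::weak_ptr<void> stubAlive = callSite->stub;  // instrumentation only
        callSite->unlink();
        if (stubAlive.expired())
            return Unlink::NodeAlreadyDestroyed;  // stop here instead of touching freed |this|
        removeFromIncoming();
        return Unlink::Ok;
    }
    // Fixed order: detach first, then unlink the call site, then touch nothing in |this|.
    Unlink unlinkNewOrder() {
        removeFromIncoming();
        CallSite* site = callSite;  // copy out before |this| may die
        site->unlink();
        return Unlink::Ok;
    }
};
struct Outcome { Unlink result; unsigned leftoverEntries; };
// One call site whose stub owns one node; run the chosen order and count entries left on the callee list.
static Outcome simulate(bool fixedOrder) {
    CallSite site;
    std::vector<Node*> incoming;
    site.stub = std::make_shared<Stub>();
    site.stub->push_back(std::make_unique<Node>(&site, &incoming));
    Node* node = site.stub->back().get();
    incoming.push_back(node);
    Unlink r = fixedOrder ? node->unlinkNewOrder() : node->unlinkOldOrder();
    return Outcome{r, static_cast<unsigned>(incoming.size())};
}
```

With the old order the callee list is left holding a pointer to a freed node; with the new order the node is off the list before anything can free it.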