Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 85e12f867e913e108b00ade4cd52b30b7a4334ed
      
https://github.com/WebKit/WebKit/commit/85e12f867e913e108b00ade4cd52b30b7a4334ed
  Author: Yusuke Suzuki <[email protected]>
  Date:   2023-11-28 (Tue, 28 Nov 2023)

  Changed paths:
    A LayoutTests/js/dom/call-link-info-recursion-expected.txt
    A LayoutTests/js/dom/call-link-info-recursion.html
    M Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp

  Log Message:
  -----------
  [JSC] PolymorphicCallNode should unchain itself first in unlink
https://bugs.webkit.org/show_bug.cgi?id=265475
rdar://118893186

Reviewed by Mark Lam.

PolymorphicCallNode::unlinkImpl calls m_callLinkInfo->unlink. But it is possible that this CallLinkInfo is holding PolymorphicCallNode's owner stub and it may clear the stub. Previously, we were always deferring this stub destruction until JITStubRoutineSet destroys it. But now, it is possible that they get deleted immediately when the owner CodeBlock is dead. This means that after calling m_callLinkInfo->unlink, it is possible that PolymorphicCallNode |this| is already destroyed.

This patch reorders unlink's operation in PolymorphicCallNode so that we first unlink it from the linked-list. This is OK since we are not expecting that this is in the linked-list in unlink calls. So after m_callLinkInfo->unlink, we no longer touch anything in PolymorphicCallNode.

* Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallNode::unlinkImpl):

Canonical link: https://commits.webkit.org/271246@main
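The lifetime hazard the commit message describes, reduced to a small model, as an added illustration that is not JavaScriptCore source: `Node`, `Stub` and `LinkInfo` are hypothetical stand-ins for PolymorphicCallNode, PolymorphicCallStubRoutine and CallLinkInfo. "Destruction" is modelled by a `destroyed` flag rather than a real `delete`, so the stale access in the old ordering is detected deterministically instead of being undefined behaviour. The scenario is constructed so that the LinkInfo's stub owns the very node being unlinked, which is the case the patch fixes.

```cpp
#include <vector>

struct Node;

// Hypothetical stand-in for PolymorphicCallStubRoutine: owns its nodes and
// tears them down as soon as the stub is released (the eager deletion the
// commit says is now possible once the owner CodeBlock is dead).
struct Stub {
    std::vector<Node*> owned;
    void teardown();
};

// Hypothetical stand-in for CallLinkInfo: holds the stub and the list head.
struct LinkInfo {
    Stub* stub = nullptr;
    Node* head = nullptr;
    // Clearing the stub destroys every node it owns, including the caller.
    void unlink() {
        if (stub) { stub->teardown(); stub = nullptr; }
    }
};

// Hypothetical stand-in for PolymorphicCallNode, an intrusive list node.
struct Node {
    LinkInfo* info = nullptr;
    Node* prev = nullptr;
    Node* next = nullptr;
    bool destroyed = false;  // models "memory freed": later member use is a UAF

    // Remove this node from the intrusive list. Returns false if the node was
    // already torn down, i.e. the caller is touching a freed object.
    bool unchain() {
        if (destroyed) return false;
        if (prev) prev->next = next;
        else if (info && info->head == this) info->head = next;
        if (next) next->prev = prev;
        prev = nullptr;
        next = nullptr;
        return true;
    }

    // Ordering before the fix: unlink the link info first, then unchain.
    // If unlink() released the stub, |this| is already gone when unchain() runs.
    bool unlinkOldOrder() {
        info->unlink();
        return unchain();
    }

    // Ordering after the fix: unchain first, then unlink, and touch nothing
    // belonging to this node afterwards.
    bool unlinkNewOrder() {
        bool ok = unchain();
        info->unlink();
        return ok;
    }
};

void Stub::teardown() {
    for (Node* n : owned) n->destroyed = true;
}

// Constructed scenario: a two-node list whose stub owns both nodes, and the
// node being unlinked (b) is owned by the stub that its LinkInfo will clear.
struct Scenario {
    Stub stub;
    LinkInfo info;
    Node a;
    Node b;
    Scenario() {
        a.info = &info; b.info = &info;
        a.next = &b;    b.prev = &a;
        info.head = &a;
        info.stub = &stub;
        stub.owned.push_back(&a);
        stub.owned.push_back(&b);
    }
};

// false: the old ordering reads a node that unlink() already destroyed.
bool oldOrderIsSafe() { Scenario s; return s.b.unlinkOldOrder(); }

// true: the new ordering finishes all list manipulation before unlink().
bool newOrderIsSafe() { Scenario s; return s.b.unlinkNewOrder(); }
```

The model keeps the fix's invariant explicit: everything that needs `this` happens before the call that may free it, and the return value after `unlink()` is computed from state captured beforehand.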
