Modified: trunk/Source/_javascript_Core/ChangeLog (129271 => 129272)
--- trunk/Source/_javascript_Core/ChangeLog 2012-09-21 23:22:18 UTC (rev 129271)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-09-21 23:29:30 UTC (rev 129272)
@@ -1,5 +1,30 @@
2012-09-21 Filip Pizlo <[email protected]>
+ REGRESSION (r128400): Opening Google Web Fonts page hangs or crashes
+ https://bugs.webkit.org/show_bug.cgi?id=97328
+
+ Reviewed by Mark Hahnenberg.
+
+ It's a bad idea to emit stub code that reallocates property storage when we're in indexed
+ storage mode. DFGRepatch.cpp knew this and had the appropriate check in one of the places,
+ but it didn't have it in all of the places.
+
+ This change also adds some more handy disassembly support, which I used to find the bug.
+
+ * assembler/LinkBuffer.h:
+ (JSC):
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::generateProtoChainAccessStub):
+ (JSC::DFG::tryCacheGetByID):
+ (JSC::DFG::tryBuildGetByIDList):
+ (JSC::DFG::emitPutReplaceStub):
+ (JSC::DFG::emitPutTransitionStub):
+ (JSC::DFG::tryCachePutByID):
+ * jit/JITStubRoutine.h:
+ (JSC):
+
+2012-09-21 Filip Pizlo <[email protected]>
+
DFG CSE assumes that a holy PutByVal does not interfere with GetArrayLength, when it clearly does
https://bugs.webkit.org/show_bug.cgi?id=97373
Modified: trunk/Source/_javascript_Core/assembler/LinkBuffer.h (129271 => 129272)
--- trunk/Source/_javascript_Core/assembler/LinkBuffer.h 2012-09-21 23:22:18 UTC (rev 129271)
+++ trunk/Source/_javascript_Core/assembler/LinkBuffer.h 2012-09-21 23:29:30 UTC (rev 129272)
@@ -287,6 +287,9 @@
#define FINALIZE_CODE(linkBufferReference, dataLogArgumentsForHeading) \
FINALIZE_CODE_IF(Options::showDisassembly(), linkBufferReference, dataLogArgumentsForHeading)
+#define FINALIZE_DFG_CODE(linkBufferReference, dataLogArgumentsForHeading) \
+ FINALIZE_CODE_IF(Options::showDFGDisassembly(), linkBufferReference, dataLogArgumentsForHeading)
+
} // namespace JSC
#endif // ENABLE(ASSEMBLER)
Modified: trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp (129271 => 129272)
--- trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp 2012-09-21 23:22:18 UTC (rev 129271)
+++ trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp 2012-09-21 23:29:30 UTC (rev 129272)
@@ -216,7 +216,7 @@
linkRestoreScratch(patchBuffer, needToRestoreScratch, success, fail, failureCases, successLabel, slowCaseLabel);
- stubRoutine = FINALIZE_CODE_FOR_STUB(
+ stubRoutine = FINALIZE_CODE_FOR_DFG_STUB(
patchBuffer,
("DFG prototype chain access stub for CodeBlock %p, return point %p",
exec->codeBlock(), successLabel.executableAddress()));
@@ -277,7 +277,7 @@
linkRestoreScratch(patchBuffer, needToRestoreScratch, stubInfo, success, fail, failureCases);
- stubInfo.stubRoutine = FINALIZE_CODE_FOR_STUB(
+ stubInfo.stubRoutine = FINALIZE_CODE_FOR_DFG_STUB(
patchBuffer,
("DFG GetById array length stub for CodeBlock %p, return point %p",
exec->codeBlock(), stubInfo.callReturnLocation.labelAtOffset(
@@ -506,7 +506,7 @@
RefPtr<JITStubRoutine> stubRoutine =
createJITStubRoutine(
- FINALIZE_CODE(
+ FINALIZE_DFG_CODE(
patchBuffer,
("DFG GetById polymorphic list access for CodeBlock %p, return point %p",
exec->codeBlock(), stubInfo.callReturnLocation.labelAtOffset(
@@ -717,7 +717,7 @@
patchBuffer.link(success, stubInfo.callReturnLocation.labelAtOffset(stubInfo.patch.dfg.deltaCallToDone));
patchBuffer.link(failure, failureLabel);
- stubRoutine = FINALIZE_CODE_FOR_STUB(
+ stubRoutine = FINALIZE_CODE_FOR_DFG_STUB(
patchBuffer,
("DFG PutById replace stub for CodeBlock %p, return point %p",
exec->codeBlock(), stubInfo.callReturnLocation.labelAtOffset(
@@ -917,9 +917,11 @@
stubRoutine =
createJITStubRoutine(
- FINALIZE_CODE(
+ FINALIZE_DFG_CODE(
patchBuffer,
- ("DFG PutById transition stub for CodeBlock %p, return point %p",
+ ("DFG PutById %stransition stub (%p -> %p) for CodeBlock %p, return point %p",
+ structure->outOfLineCapacity() != oldStructure->outOfLineCapacity() ? "reallocating " : "",
+ oldStructure, structure,
exec->codeBlock(), stubInfo.callReturnLocation.labelAtOffset(
stubInfo.patch.dfg.deltaCallToDone).executableAddress())),
*globalData,
@@ -957,6 +959,11 @@
&& oldStructure->outOfLineCapacity())
return false;
+ // Skip optimizing the case where we need realloc, and the structure has
+ // indexing storage.
+ if (hasIndexingHeader(oldStructure->indexingType()))
+ return false;
+
normalizePrototypeChain(exec, baseCell);
StructureChain* prototypeChain = structure->prototypeChain(exec);
Modified: trunk/Source/_javascript_Core/jit/JITStubRoutine.h (129271 => 129272)
--- trunk/Source/_javascript_Core/jit/JITStubRoutine.h 2012-09-21 23:22:18 UTC (rev 129271)
+++ trunk/Source/_javascript_Core/jit/JITStubRoutine.h 2012-09-21 23:29:30 UTC (rev 129272)
@@ -153,6 +153,9 @@
#define FINALIZE_CODE_FOR_STUB(patchBuffer, dataLogArguments) \
(adoptRef(new JITStubRoutine(FINALIZE_CODE((patchBuffer), dataLogArguments))))
+#define FINALIZE_CODE_FOR_DFG_STUB(patchBuffer, dataLogArguments) \
+ (adoptRef(new JITStubRoutine(FINALIZE_DFG_CODE((patchBuffer), dataLogArguments))))
+
} // namespace JSC
#endif // ENABLE(JIT)
