[webkit-changes] [174121] trunk/Source/JavaScriptCore

[fpizlo]

Title: [174121] trunk/Source/_javascript_Core

Revision

174121

Author

fpi...@apple.com

Date

2014-09-30 14:02:47 -0700 (Tue, 30 Sep 2014)

Log Message

REGRESSION (r174025): Invalid cast in JSC::asString
https://bugs.webkit.org/show_bug.cgi?id=137224

Reviewed by Geoffrey Garen.
        
Store barrier elision in fixup depends on checking the type of the value being stored. It's very important that
when we speak of "the value being stored" we are really referring to the right value.
        
The bug here was that the PutClosureVar case was assuming that child2 is the value being stored. It's actually
child3. So we were incorrectly removing all barriers from PutClosureVar.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (174120 => 174121)

--- trunk/Source/_javascript_Core/ChangeLog	2014-09-30 20:36:54 UTC (rev 174120)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-09-30 21:02:47 UTC (rev 174121)
@@ -1,3 +1,19 @@
+2014-09-30  Filip Pizlo  <fpi...@apple.com>
+
+        REGRESSION (r174025): Invalid cast in JSC::asString
+        https://bugs.webkit.org/show_bug.cgi?id=137224
+
+        Reviewed by Geoffrey Garen.
+        
+        Store barrier elision in fixup depends on checking the type of the value being stored. It's very important that
+        when we speak of "the value being stored" we are really referring to the right value.
+        
+        The bug here was that the PutClosureVar case was assuming that child2 is the value being stored. It's actually
+        child3. So we were incorrectly removing all barriers from PutClosureVar.
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+
 2014-09-30  Brian J. Burg  <b...@cs.washington.edu>
 
         Web Replay: use static Strings instead of AtomicStrings for replay input type tags

Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (174120 => 174121)

--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2014-09-30 20:36:54 UTC (rev 174120)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2014-09-30 21:02:47 UTC (rev 174121)
@@ -854,7 +854,7 @@
 
         case PutClosureVar: {
             fixEdge<KnownCellUse>(node->child1());
-            insertStoreBarrier(m_indexInBlock, node->child1(), node->child2());
+            insertStoreBarrier(m_indexInBlock, node->child1(), node->child3());
             break;
         }
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes