Title: [185084] trunk/Source/_javascript_Core
- Revision
- 185084
- Author
- [email protected]
- Date
- 2015-06-01 16:35:02 -0700 (Mon, 01 Jun 2015)
Log Message
Crash in com.apple.WebKit.WebContent at com.apple._javascript_Core: JSC::revertCall + 24
https://bugs.webkit.org/show_bug.cgi?id=145527
Reviewed by Filip Pizlo.
If a CallLinkInfo is GC'ed, we need to notify any PolymorphicCallNode's that reference it.
Added plumbing to clear the m_callLinkInfo of a PolymorphicCallNode when that CallLinkInfo
is going away.
* bytecode/CallLinkInfo.h:
(JSC::CallLinkInfo::~CallLinkInfo):
* jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallNode::unlink):
(JSC::PolymorphicCallNode::clearCallLinkInfo):
(JSC::PolymorphicCallCase::dump):
(JSC::PolymorphicCallStubRoutine::edges):
(JSC::PolymorphicCallStubRoutine::clearCallNodesFor):
(JSC::PolymorphicCallStubRoutine::visitWeak):
* jit/PolymorphicCallStubRoutine.h:
(JSC::PolymorphicCallNode::hasCallLinkInfo):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (185083 => 185084)
--- trunk/Source/_javascript_Core/ChangeLog 2015-06-01 23:22:22 UTC (rev 185083)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-06-01 23:35:02 UTC (rev 185084)
@@ -1,3 +1,26 @@
+2015-06-01 Michael Saboff <[email protected]>
+
+ Crash in com.apple.WebKit.WebContent at com.apple._javascript_Core: JSC::revertCall + 24
+ https://bugs.webkit.org/show_bug.cgi?id=145527
+
+ Reviewed by Filip Pizlo.
+
+ If a CallLinkInfo is GC'ed, we need to notify any PolymorphicCallNode's that reference it.
+ Added plumbling to clear the m_callLinkInfo of a PolymorphicCallNode when that CallLinkInfo
+ is going away.
+
+ * bytecode/CallLinkInfo.h:
+ (JSC::CallLinkInfo::~CallLinkInfo):
+ * jit/PolymorphicCallStubRoutine.cpp:
+ (JSC::PolymorphicCallNode::unlink):
+ (JSC::PolymorphicCallNode::clearCallLinkInfo):
+ (JSC::PolymorphicCallCase::dump):
+ (JSC::PolymorphicCallStubRoutine::edges):
+ (JSC::PolymorphicCallStubRoutine::clearCallNodesFor):
+ (JSC::PolymorphicCallStubRoutine::visitWeak):
+ * jit/PolymorphicCallStubRoutine.h:
+ (JSC::PolymorphicCallNode::hasCallLinkInfo):
+
2015-06-01 Mark Lam <[email protected]>
Add the ability to tell between Catch and Finally blocks.
Modified: trunk/Source/_javascript_Core/bytecode/CallLinkInfo.h (185083 => 185084)
--- trunk/Source/_javascript_Core/bytecode/CallLinkInfo.h 2015-06-01 23:22:22 UTC (rev 185083)
+++ trunk/Source/_javascript_Core/bytecode/CallLinkInfo.h 2015-06-01 23:35:02 UTC (rev 185084)
@@ -67,6 +67,9 @@
~CallLinkInfo()
{
+ if (stub)
+ stub->clearCallNodesFor(this);
+
if (isOnList())
remove();
}
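Review bot: The added `if (stub)` block in `~CallLinkInfo` has no comment explaining why a destructor has to reach back into the stub routine, and nothing in the hunk says that the nodes keep a raw back-pointer to this object. Suggest `// PolymorphicCallNodes owned by stub keep a raw pointer to this CallLinkInfo; null it out before we go away.` above the check. The fix also assumes that every node referencing this object lives in `stub`; if a node could belong to a routine that has since been swapped out, it would still dangle, which is worth confirming rather than relying on the paranoid check in `clearCallNodesFor`.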
Modified: trunk/Source/_javascript_Core/jit/PolymorphicCallStubRoutine.cpp (185083 => 185084)
--- trunk/Source/_javascript_Core/jit/PolymorphicCallStubRoutine.cpp 2015-06-01 23:22:22 UTC (rev 185083)
+++ trunk/Source/_javascript_Core/jit/PolymorphicCallStubRoutine.cpp 2015-06-01 23:35:02 UTC (rev 185084)
@@ -43,15 +43,25 @@
void PolymorphicCallNode::unlink(RepatchBuffer& repatchBuffer)
{
- if (Options::showDisassembly())
- dataLog("Unlinking polymorphic call at ", m_callLinkInfo->callReturnLocation, ", ", m_callLinkInfo->codeOrigin, "\n");
-
- m_callLinkInfo->unlink(repatchBuffer);
-
+ if (m_callLinkInfo) {
+ if (Options::showDisassembly())
+ dataLog("Unlinking polymorphic call at ", m_callLinkInfo->callReturnLocation, ", ", m_callLinkInfo->codeOrigin, "\n");
+
+ m_callLinkInfo->unlink(repatchBuffer);
+ }
+
if (isOnList())
remove();
}
+void PolymorphicCallNode::clearCallLinkInfo()
+{
+ if (Options::showDisassembly())
+ dataLog("Clearing call link info for polymorphic call at ", m_callLinkInfo->callReturnLocation, ", ", m_callLinkInfo->codeOrigin, "\n");
+
+ m_callLinkInfo = nullptr;
+}
+
void PolymorphicCallCase::dump(PrintStream& out) const
{
out.print("<variant = ", m_variant, ", codeBlock = ", pointerDump(m_codeBlock), ">");
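Review bot: `clearCallLinkInfo()` dereferences `m_callLinkInfo` in its dataLog without the null check that `unlink()` gains in the same hunk, so a second call on an already-cleared node would crash under showDisassembly; note that `hasCallLinkInfo(nullptr)` is true for cleared nodes, so a null `info` reaching `clearCallNodesFor` would take exactly that path. The only visible caller passes `this` from `~CallLinkInfo`, so it is not reachable today, but the guard is cheap: `if (m_callLinkInfo && Options::showDisassembly())`. A one-line comment on the method saying it is invoked from the CallLinkInfo destructor would also tell the next reader why `unlink` now tolerates a null pointer.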
@@ -97,6 +107,16 @@
return result;
}
+void PolymorphicCallStubRoutine::clearCallNodesFor(CallLinkInfo* info)
+{
+ for (Bag<PolymorphicCallNode>::iterator iter = m_callNodes.begin(); !!iter; ++iter) {
+ PolymorphicCallNode& node = **iter;
+ // All nodes should point to info, but okay to be a little paranoid.
+ if (node.hasCallLinkInfo(info))
+ node.clearCallLinkInfo();
+ }
+}
+
bool PolymorphicCallStubRoutine::visitWeak(RepatchBuffer&)
{
for (auto& variant : m_variants) {
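Review bot: `clearCallNodesFor` is new public API with no header comment, and the in-loop remark "All nodes should point to info" states an invariant the reader has to take on faith. Suggest above the definition: `// Called from ~CallLinkInfo: drops each node's raw pointer to info so the stub does not dangle once the CallLinkInfo is freed.` The hunk ends inside `visitWeak`, whose body is not visible; if it reaches `m_callLinkInfo` through the nodes it now has to tolerate nullptr as well, which is worth checking.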
Modified: trunk/Source/_javascript_Core/jit/PolymorphicCallStubRoutine.h (185083 => 185084)
--- trunk/Source/_javascript_Core/jit/PolymorphicCallStubRoutine.h 2015-06-01 23:22:22 UTC (rev 185083)
+++ trunk/Source/_javascript_Core/jit/PolymorphicCallStubRoutine.h 2015-06-01 23:35:02 UTC (rev 185084)
@@ -51,6 +51,9 @@
~PolymorphicCallNode();
void unlink(RepatchBuffer&);
+
+ bool hasCallLinkInfo(CallLinkInfo* info) { return m_callLinkInfo == info; }
+ void clearCallLinkInfo();
private:
CallLinkInfo* m_callLinkInfo;
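Review bot: `hasCallLinkInfo` reads state without modifying it and should be declared `const`: `bool hasCallLinkInfo(CallLinkInfo* info) const { return m_callLinkInfo == info; }`. Since `m_callLinkInfo` can now be null after `clearCallLinkInfo()`, the member deserves a note so callers know to check it, e.g. `CallLinkInfo* m_callLinkInfo; // Null once the CallLinkInfo has been destroyed; see clearCallLinkInfo().`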
@@ -90,6 +93,8 @@
CallVariantList variants() const;
CallEdgeList edges() const;
+
+ void clearCallNodesFor(CallLinkInfo*);
bool visitWeak(RepatchBuffer&) override;