Title: [191350] trunk/Source/_javascript_Core
Revision: 191350
Author: [email protected]
Date: 2015-10-20 11:37:38 -0700 (Tue, 20 Oct 2015)

Log Message

GCAwareJITStubRoutineWithExceptionHandler has a stale CodeBlock pointer in its destructor
https://bugs.webkit.org/show_bug.cgi?id=150351

Reviewed by Mark Lam.

We may regenerate many GCAwareJITStubRoutineWithExceptionHandler stubs per one PolymorphicAccess.
Only the last GCAwareJITStubRoutineWithExceptionHandler stub that was generated will get the CodeBlock's aboutToDie()
notification. All other GCAwareJITStubRoutineWithExceptionHandler stubs will still be holding a stale CodeBlock pointer
that they will use in their destructor. The solution is to have GCAwareJITStubRoutineWithExceptionHandler remove its
exception handler in observeZeroRefCount() instead of its destructor. observeZeroRefCount() will run when a PolymorphicAccess
replaces its m_stubRoutine.

* jit/GCAwareJITStubRoutine.cpp:
(JSC::GCAwareJITStubRoutineWithExceptionHandler::aboutToDie):
(JSC::GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount):
(JSC::createJITStubRoutine):
(JSC::GCAwareJITStubRoutineWithExceptionHandler::~GCAwareJITStubRoutineWithExceptionHandler): Deleted.
* jit/GCAwareJITStubRoutine.h:

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (191349 => 191350)


--- trunk/Source/_javascript_Core/ChangeLog	2015-10-20 18:33:38 UTC (rev 191349)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-10-20 18:37:38 UTC (rev 191350)
@@ -1,3 +1,24 @@
+2015-10-20  Saam barati  <[email protected]>
+
+        GCAwareJITStubRoutineWithExceptionHandler has a stale CodeBlock pointer in its destructor
+        https://bugs.webkit.org/show_bug.cgi?id=150351
+
+        Reviewed by Mark Lam.
+
+        We may regenerate many GCAwareJITStubRoutineWithExceptionHandler stubs per one PolymorphicAccess.
+        Only the last GCAwareJITStubRoutineWithExceptionHandler stub that was generated will get the CodeBlock's aboutToDie()
+        notification. All other GCAwareJITStubRoutineWithExceptionHandler stubs will still be holding a stale CodeBlock pointer
+        that they will use in their destructor. The solution is to have GCAwareJITStubRoutineWithExceptionHandler remove its
+        exception handler in observeZeroRefCount() instead of its destructor. observeZeroRefCount() will run when a PolymorphicAccess
+        replaces its m_stubRoutine.
+
+        * jit/GCAwareJITStubRoutine.cpp:
+        (JSC::GCAwareJITStubRoutineWithExceptionHandler::aboutToDie):
+        (JSC::GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount):
+        (JSC::createJITStubRoutine):
+        (JSC::GCAwareJITStubRoutineWithExceptionHandler::~GCAwareJITStubRoutineWithExceptionHandler): Deleted.
+        * jit/GCAwareJITStubRoutine.h:
+
 2015-10-20  Tim Horton  <[email protected]>
 
         Try to fix the build by disabling MAC_GESTURE_EVENTS on 10.9 and 10.10

Modified: trunk/Source/_javascript_Core/jit/GCAwareJITStubRoutine.cpp (191349 => 191350)


--- trunk/Source/_javascript_Core/jit/GCAwareJITStubRoutine.cpp	2015-10-20 18:33:38 UTC (rev 191349)
+++ trunk/Source/_javascript_Core/jit/GCAwareJITStubRoutine.cpp	2015-10-20 18:37:38 UTC (rev 191350)
@@ -113,15 +113,18 @@
     m_codeBlockWithExceptionHandler = nullptr;
 }
 
-GCAwareJITStubRoutineWithExceptionHandler::~GCAwareJITStubRoutineWithExceptionHandler()
+void GCAwareJITStubRoutineWithExceptionHandler::observeZeroRefCount()
 {
     if (m_codeBlockWithExceptionHandler) {
         m_codeBlockWithExceptionHandler->jitCode()->dfgCommon()->removeCallSiteIndex(m_exceptionHandlerCallSiteIndex);
         m_codeBlockWithExceptionHandler->removeExceptionHandlerForCallSite(m_exceptionHandlerCallSiteIndex);
+        m_codeBlockWithExceptionHandler = nullptr;
     }
+
+    Base::observeZeroRefCount();
 }
-    
 
+
 PassRefPtr<JITStubRoutine> createJITStubRoutine(
     const MacroAssemblerCodeRef& code,
     VM& vm,
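Review bot: the ordering inside the new observeZeroRefCount() is load-bearing but undocumented: the two calls on m_codeBlockWithExceptionHandler (removeCallSiteIndex() and removeExceptionHandlerForCallSite()) sit before `Base::observeZeroRefCount();`, and they must stay there if the base implementation can end the routine's lifetime, so a one-line comment above the `if` stating that dependency would protect the next person who reorders it. The reason the work moved here at all (a PolymorphicAccess may replace its m_stubRoutine while the CodeBlock is still alive, so only the most recently generated stub ever sees aboutToDie() and the others would otherwise touch a stale CodeBlock in their destructor) is currently recorded only in the ChangeLog; a short comment on the function is the natural home for it. Nulling the pointer at `+        m_codeBlockWithExceptionHandler = nullptr;` is the right guard, since together with the `if (m_codeBlockWithExceptionHandler)` check it makes a later aboutToDie() (which also nulls the pointer, per the context at the top of the hunk) or a second observeZeroRefCount() a no-op instead of a repeated removal on the same CallSiteIndex. Minor style point: deleting the trailing-whitespace line `-    ` and adding `+` leaves two blank lines between the closing brace and `PassRefPtr<JITStubRoutine> createJITStubRoutine(`; one is enough.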

Modified: trunk/Source/_javascript_Core/jit/GCAwareJITStubRoutine.h (191349 => 191350)


--- trunk/Source/_javascript_Core/jit/GCAwareJITStubRoutine.h	2015-10-20 18:33:38 UTC (rev 191349)
+++ trunk/Source/_javascript_Core/jit/GCAwareJITStubRoutine.h	2015-10-20 18:37:38 UTC (rev 191350)
@@ -95,10 +95,12 @@
 // for new exception handlers to use the same CallSiteIndex.
 class GCAwareJITStubRoutineWithExceptionHandler : public GCAwareJITStubRoutine {
 public:
+    typedef GCAwareJITStubRoutine Base;
+
     GCAwareJITStubRoutineWithExceptionHandler(const MacroAssemblerCodeRef&, VM&, CodeBlock*, CallSiteIndex);
-    ~GCAwareJITStubRoutineWithExceptionHandler() override;
 
     void aboutToDie() override;
+    void observeZeroRefCount() override;
 
 private:
     CodeBlock* m_codeBlockWithExceptionHandler;
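Review bot: the class comment that ends at `// for new exception handlers to use the same CallSiteIndex.` still appears to describe cleanup happening in the destructor, but `~GCAwareJITStubRoutineWithExceptionHandler() override;` is removed and the work now lives in `void observeZeroRefCount() override;`; the comment should say the exception handler and CallSiteIndex are released when the routine's ref count drops to zero or when aboutToDie() fires, whichever comes first, rather than on destruction. With the explicit destructor gone, the class now relies on the implicitly generated destructor being virtual through GCAwareJITStubRoutine, which is declared outside this hunk and worth confirming. The `typedef GCAwareJITStubRoutine Base;` addition matches the usual WebKit pattern and reads fine.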
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes