Title: [197109] releases/WebKitGTK/webkit-2.12/Source/_javascript_Core
Revision
197109
Author
carlo...@webkit.org
Date
2016-02-25 06:40:13 -0800 (Thu, 25 Feb 2016)

Log Message

Merge r196996 - B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
https://bugs.webkit.org/show_bug.cgi?id=154592

Reviewed by Saam Barati.

If Foo has a virtual destructor, then:

foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
subclass of Foo that overrides the destructor, this syntax will not call that override.

foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
get the subclass's override.

In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
This caused leaks because this didn't actually call the subclass's override. This fixes the
problem by using this->~Value() instead.

* b3/B3ControlValue.cpp:
(JSC::B3::ControlValue::convertToJump):
(JSC::B3::ControlValue::convertToOops):
* b3/B3Value.cpp:
(JSC::B3::Value::replaceWithIdentity):
(JSC::B3::Value::replaceWithNop):
(JSC::B3::Value::replaceWithPhi):
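
An added example (not WebKit code) of the destructor semantics the commit message describes: a hypothetical `Value` base with a virtual destructor, an `OwningValue` subclass that owns a resource, and the save/destroy/placement-new pattern from the patch written both the buggy way (`v->Value::~Value()`) and the fixed way (`v->~Value()`). The class names, the counters and the `runReplacement` harness are constructed for this demonstration only.

```cpp
#include <new>

// Bookkeeping for the demonstration: how often the subclass destructor ran and
// how many "owned buffers" are still alive (stands in for a heap allocation).
struct Counters {
    int derivedDtors;
    int liveBuffers;
    Counters() : derivedDtors(0), liveBuffers(0) {}
};
static Counters g;

struct Value {
    int kind;
    explicit Value(int k) : kind(k) {}
    virtual ~Value() {}                  // virtual, as the commit message assumes for Foo
};

// Hypothetical subclass that owns something only its own destructor releases.
struct OwningValue : Value {
    OwningValue() : Value(1) { ++g.liveBuffers; }
    ~OwningValue() override { --g.liveBuffers; ++g.derivedDtors; }
};

// Buggy pattern: the qualified call is non-virtual, so OwningValue's
// destructor never runs and the owned buffer is orphaned before the rebuild.
void replaceInPlaceBuggy(Value* v) {
    int kind = v->kind;                  // copy out what the rebuild needs first
    v->Value::~Value();                  // only Value::~Value runs
    new (v) Value(kind);
}

// Fixed pattern: the unqualified call dispatches on the dynamic type, so
// OwningValue::~OwningValue runs, then Value::~Value.
void replaceInPlaceFixed(Value* v) {
    int kind = v->kind;
    v->~Value();
    new (v) Value(kind);
}

struct Outcome { int derivedDtorRuns; int liveBuffers; };

// Builds an OwningValue in raw storage, applies one replacement pattern, tears
// down the rebuilt plain Value and reports what happened to the subclass.
Outcome runReplacement(void (*replace)(Value*)) {
    g = Counters();
    alignas(OwningValue) unsigned char storage[sizeof(OwningValue)];
    Value* v = new (storage) OwningValue();
    replace(v);
    v->~Value();                         // object is now a plain Value, so this is a full teardown
    return Outcome{g.derivedDtors, g.liveBuffers};
}
```

With the buggy pattern the subclass destructor count stays at 0 and one buffer remains live; with the fixed pattern the count is 1 and nothing is left behind.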

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog (197108 => 197109)


--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog	2016-02-25 14:29:12 UTC (rev 197108)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog	2016-02-25 14:40:13 UTC (rev 197109)
@@ -1,3 +1,30 @@
+2016-02-23  Filip Pizlo  <fpi...@apple.com>
+
+        B3::Value doesn't self-destruct virtually enough (Causes many leaks in LowerDFGToB3::appendOSRExit)
+        https://bugs.webkit.org/show_bug.cgi?id=154592
+
+        Reviewed by Saam Barati.
+
+        If Foo has a virtual destructor, then:
+
+        foo->Foo::~Foo() does a non-virtual call to Foo's destructor. Even if foo points to a
+        subclass of Foo that overrides the destructor, this syntax will not call that override.
+
+        foo->~Foo() does a virtual call to the destructor, and so if foo points to a subclass, you
+        get the subclass's override.
+
+        In B3, we used this->Value::~Value() thinking that it would call the subclass's override.
+        This caused leaks because this didn't actually call the subclass's override. This fixes the
+        problem by using this->~Value() instead.
+
+        * b3/B3ControlValue.cpp:
+        (JSC::B3::ControlValue::convertToJump):
+        (JSC::B3::ControlValue::convertToOops):
+        * b3/B3Value.cpp:
+        (JSC::B3::Value::replaceWithIdentity):
+        (JSC::B3::Value::replaceWithNop):
+        (JSC::B3::Value::replaceWithPhi):
+
 2016-02-23  Mark Lam  <mark....@apple.com>
 
         Debug assertion failure while loading http://kangax.github.io/compat-table/es6/.

Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/b3/B3ControlValue.cpp (197108 => 197109)


--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/b3/B3ControlValue.cpp	2016-02-25 14:29:12 UTC (rev 197108)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/b3/B3ControlValue.cpp	2016-02-25 14:40:13 UTC (rev 197109)
@@ -57,7 +57,7 @@
     Origin origin = this->origin();
     BasicBlock* owner = this->owner;
 
-    this->ControlValue::~ControlValue();
+    this->~ControlValue();
 
     new (this) ControlValue(Jump, origin, FrequentedBlock(destination));
 
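Review bot: between `this->~ControlValue();` and the placement new that follows, the object has been completely destroyed, so every field the rebuild needs must already be in a local, as `origin` and `owner` are in the context lines above; a short comment stating that invariant (and that the rebuilt object must not be larger than the one destroyed) would stop a future edit from reading a member after the destructor call.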
@@ -71,7 +71,7 @@
     Origin origin = this->origin();
     BasicBlock* owner = this->owner;
 
-    this->ControlValue::~ControlValue();
+    this->~ControlValue();
 
     new (this) ControlValue(Oops, origin);
 
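Review bot: this is the second copy of the same save/destroy/placement-new sequence in this file, and the same shape is repeated three more times in B3Value.cpp; since the bug was the destructor call being spelled wrong in every copy, consider factoring the sequence into one private helper (a template taking the replacement constructor arguments) so the virtual destructor call exists in exactly one place.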

Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/b3/B3Value.cpp (197108 => 197109)


--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/b3/B3Value.cpp	2016-02-25 14:29:12 UTC (rev 197108)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/b3/B3Value.cpp	2016-02-25 14:40:13 UTC (rev 197109)
@@ -71,7 +71,7 @@
 
     RELEASE_ASSERT(type == value->type());
 
-    this->Value::~Value();
+    this->~Value();
 
     new (this) Value(Identity, type, origin, value);
 
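Review bot: `this->~Value()` only reaches a subclass destructor if `Value` declares its destructor `virtual`, which this hunk does not show; please confirm the declaration in the header, since the ChangeLog's explanation depends on it. Also, the `origin` passed to `new (this) Value(Identity, type, origin, value)` must be a local copy taken before the destructor call, and that copy is not within the lines shown here, so a comment pointing at it would help.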
@@ -85,7 +85,7 @@
     Origin origin = m_origin;
     BasicBlock* owner = this->owner;
 
-    this->Value::~Value();
+    this->~Value();
 
     new (this) Value(Nop, Void, origin);
 
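Review bot: minor consistency point: this function reads `m_origin` directly while the ControlValue versions call `this->origin()`; either works, but using one form across the five replace functions makes the copy-before-destroy step easier to audit.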
@@ -105,7 +105,7 @@
     BasicBlock* owner = this->owner;
     Type type = m_type;
 
-    this->Value::~Value();
+    this->~Value();
 
     new (this) Value(Phi, type, origin);
 
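Review bot: `owner` is saved on the first context line but not used anywhere in the hunk, so the write-back after `new (this) Value(Phi, type, origin)` must happen below the shown context; please confirm it is there. Separately, the title reports many leaks but the patch adds no test; a regression test that replaces a subclass value with a Phi under a leak checker would keep this from regressing.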
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
