Changeset 156192 in webkit for trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

Timestamp:

Sep 20, 2013, 1:23:33 PM (12 years ago)

Author:

[email protected]

Message:

Clobberize phase forgets to indicate that it writes GCState for several node types
​https://bugs.webkit.org/show_bug.cgi?id=121702

Reviewed by Oliver Hunt.

Added read and write for GCState to the nodes that could end up allocating (and thereby
cause a garbage collection).

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

File:

• trunk/Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (6 diffs)

trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -127 +127 @@
     case InlineStart:
     case Breakpoint:
-    case CreateActivation:
-    case CreateArguments:
     case PhantomArguments:
     case Jump:
@@ -144 +142 @@
         return;
 
+    case CreateActivation:
+    case CreateArguments:
+        write(SideState);
+        read(GCState);
+        write(GCState);
+        return;
+
     // These are forward-exiting nodes that assume that the subsequent instruction
     // is a MovHint, and they try to roll forward over this MovHint in their
@@ -153 +158 @@
         return;
         
+    case ToThis:
     case CreateThis:
-    case ToThis:
+        read(MiscFields);
+        read(GCState);
+        write(GCState);
+        return;
+
     case VarInjectionWatchpoint:
     case AllocationProfileWatchpoint:
@@ -416 +426 @@
     case AllocatePropertyStorage:
         write(JSObject_butterfly);
+        read(GCState);
+        write(GCState);
         return;
         
@@ -421 +433 @@
         read(JSObject_butterfly);
         write(JSObject_butterfly);
+        read(GCState);
+        write(GCState);
         return;
         
@@ -433 +447 @@
         write(JSCell_structure);
         write(JSObject_butterfly);
+        read(GCState);
+        write(GCState);
         return;