Ignore:
Timestamp:
Dec 3, 2013, 2:24:53 PM (12 years ago)
Author:
[email protected]
Message:

ObjectAllocationProfile is racy and the DFG should be cool with that
https://bugs.webkit.org/show_bug.cgi?id=125172
<rdar://problem/15233487>

Reviewed by Mark Hahnenberg.

We would previously sometimes get a null Structure because checking if the profile is non-null and loading
the structure from it were two separate operations.

  • dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::::executeEffects):

  • dfg/DFGAbstractValue.cpp:

(JSC::DFG::AbstractValue::setFuturePossibleStructure):

  • dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

  • runtime/JSFunction.h:

(JSC::JSFunction::allocationProfile):
(JSC::JSFunction::allocationStructure):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp

    r156047 r160038  
    154154void AbstractValue::setFuturePossibleStructure(Graph& graph, Structure* structure)
    155155{
     156    ASSERT(structure);
    156157    if (graph.watchpoints().isStillValid(structure->transitionWatchpointSet()))
    157158        m_futurePossibleStructure = structure;
Note: See TracChangeset for help on using the changeset viewer.