Timestamp:
Oct 2, 2015, 2:16:20 PM (10 years ago)
Author:
[email protected]
Message:

Unreviewed, rolling back in r190450
https://bugs.webkit.org/show_bug.cgi?id=149727

The cause of the crash was a CodeBlock, after surviving a call to
deleteAllCode by virtue of being in the remembered set, trying to mark
its inlined CodeBlocks via pointers from its inlined executables.
Since deleteAllCode clears those pointers, the CodeBlock would ASSERT.
(Any other choice to retain a CodeBlock after deleteAllCode -- for
example, conservative marking -- could trigger the same bug.)

The fix is for InlineCallFrame to point directly to its inlined CodeBlock
instead of pointing indirectly via an executable. This guarantees that
CodeBlocks are GC safe regardless of whether we've called deleteAllCode.

Restored changesets:

"CodeBlock should be a GC object"
https://bugs.webkit.org/show_bug.cgi?id=149727
http://trac.webkit.org/changeset/190450

File:
1 edited

  • trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

    r190453 r190522  
    577577            && !structure->typeInfo().prohibitsPropertyCaching()
    578578            && !structure->typeInfo().newImpurePropertyFiresWatchpoints()) {
    579             vm.heap.writeBarrier(codeBlock->ownerExecutable());
     579            vm.heap.writeBarrier(codeBlock);
    580580           
    581581            ConcurrentJITLocker locker(codeBlock->m_lock);
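Review bot: the barrier owner at line 579 changes from `codeBlock->ownerExecutable()` to `codeBlock` itself, which is only sound if CodeBlock is a GC cell whose marking visits the cache slots written under the `ConcurrentJITLocker` that follows; the commit message says the restored r190450 makes CodeBlock a GC object, so this file should land only together with that change. A short comment at the call site explaining why the barrier is now on the CodeBlock rather than its executable would help, since nothing in the surrounding lines makes the reason visible.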
     
    642642            && baseCell == slot.base()) {
    643643
    644             vm.heap.writeBarrier(codeBlock->ownerExecutable());
     644            vm.heap.writeBarrier(codeBlock);
    645645           
    646646            if (slot.type() == PutPropertySlot::NewProperty) {
     
    659659                            ASSERT(chain);
    660660                            pc[7].u.structureChain.set(
    661                                 vm, codeBlock->ownerExecutable(), chain);
     661                                vm, codeBlock, chain);
    662662                        }
    663663                        pc[8].u.putByIdFlags = static_cast<PutByIdFlags>(
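Review bot: `pc[7].u.structureChain.set(vm, codeBlock, chain)` at line 661 now names the CodeBlock as the owner of the WriteBarrier slot, and it relies on the `vm.heap.writeBarrier(codeBlock)` added earlier in the same function (line 644) to cover the store. Those two edits must stay in sync: if the barrier call ever moves or the owner argument changes back to the executable, a store here could go unrecorded. Consider a one-line comment tying the `.set` owner to the earlier barrier so the dependency survives future edits.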
     
    11911191        if (callLinkInfo->isOnList())
    11921192            callLinkInfo->remove();
    1193         callLinkInfo->callee.set(vm, callerCodeBlock->ownerExecutable(), callee);
    1194         callLinkInfo->lastSeenCallee.set(vm, callerCodeBlock->ownerExecutable(), callee);
     1193        callLinkInfo->callee.set(vm, callerCodeBlock, callee);
     1194        callLinkInfo->lastSeenCallee.set(vm, callerCodeBlock, callee);
    11951195        callLinkInfo->machineCodeTarget = codePtr;
    11961196        if (codeBlock)
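Review bot: the owner passed to both `callLinkInfo->callee.set` and `callLinkInfo->lastSeenCallee.set` (lines 1193-1194) is `callerCodeBlock`, while the trailing context tests `if (codeBlock)` for the callee's block, so the two names are easy to confuse in this function; a comment stating that the CallLinkInfo belongs to the caller's CodeBlock, hence the caller is the barrier owner, would make the choice explicit. Since the owner is no longer the executable, also confirm that CodeBlock marking visits both `callee` and `lastSeenCallee`, otherwise the second slot is written with a barrier that nothing later honours.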