Changeset 190827 in webkit for trunk/Source/JavaScriptCore/dfg/DFGDesiredTransitions.cpp

Timestamp:

Oct 9, 2015, 4:10:16 PM (10 years ago)

Author:

[email protected]

Message:

2015-10-09 Geoffrey Garen <​[email protected]>

Unreviewed, rolling back in r190694
​https://bugs.webkit.org/show_bug.cgi?id=149727

This time for double sure?

The cause of the crash was an incorrect write barrier.

OSR exit was barriering the baseline codeblock for the top of the stack
twice, missing the baseline codeblock for the bottom of the stack.

Restored changesets:

"CodeBlock should be a GC object"
​https://bugs.webkit.org/show_bug.cgi?id=149727
​http://trac.webkit.org/changeset/r190694

File:

• trunk/Source/JavaScriptCore/dfg/DFGDesiredTransitions.cpp (modified) (3 diffs)

trunk/Source/JavaScriptCore/dfg/DFGDesiredTransitions.cpp

@@ -35 +35 @@
 namespace JSC { namespace DFG {
 
-DesiredTransition::DesiredTransition(CodeBlock* codeBlock, ScriptExecutable* codeOriginOwner, Structure* oldStructure, Structure* newStructure)
+DesiredTransition::DesiredTransition(CodeBlock* codeBlock, CodeBlock* codeOriginOwner, Structure* oldStructure, Structure* newStructure)
     : m_codeBlock(codeBlock)
     , m_codeOriginOwner(codeOriginOwner)
@@ -47 +47 @@
     common->transitions.append(
         WeakReferenceTransition(
-            vm, m_codeBlock->ownerExecutable(),
+            vm, m_codeBlock,
             m_codeOriginOwner,
             m_oldStructure, m_newStructure));
@@ -67 +67 @@
 }
 
-void DesiredTransitions::addLazily(CodeBlock* codeBlock, ScriptExecutable* codeOriginOwner, Structure* oldStructure, Structure* newStructure)
+void DesiredTransitions::addLazily(CodeBlock* codeBlock, CodeBlock* codeOriginOwner, Structure* oldStructure, Structure* newStructure)
 {
     m_transitions.append(DesiredTransition(codeBlock, codeOriginOwner, oldStructure, newStructure));