Changeset 190827 in webkit for trunk/Source/JavaScriptCore/dfg/DFGJITCode.h

Timestamp:

Oct 9, 2015, 4:10:16 PM (10 years ago)

Author:

[email protected]

Message:

2015-10-09 Geoffrey Garen <​[email protected]>

Unreviewed, rolling back in r190694
​https://bugs.webkit.org/show_bug.cgi?id=149727

This time for double sure?

The cause of the crash was an incorrect write barrier.

OSR exit was barriering the baseline codeblock for the top of the stack
twice, missing the baseline codeblock for the bottom of the stack.

Restored changesets:

"CodeBlock should be a GC object"
​https://bugs.webkit.org/show_bug.cgi?id=149727
​http://trac.webkit.org/changeset/r190694

File:

• trunk/Source/JavaScriptCore/dfg/DFGJITCode.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/dfg/DFGJITCode.h

@@ -29 +29 @@
 #if ENABLE(DFG_JIT)
 
+#include "CodeBlock.h"
 #include "CompilationResult.h"
 #include "DFGCommonData.h"
@@ -117 +118 @@
 
     RegisterSet liveRegistersToPreserveAtExceptionHandlingCallSite(CodeBlock*, CallSiteIndex) override;
-
+#if ENABLE(FTL_JIT)
+    CodeBlock* osrEntryBlock() { return m_osrEntryBlock.get(); }
+    void setOSREntryBlock(VM& vm, const JSCell* owner, CodeBlock* osrEntryBlock) { m_osrEntryBlock.set(vm, owner, osrEntryBlock); }
+    void clearOSREntryBlock() { m_osrEntryBlock.clear(); }
+#endif
+    
 private:
     friend class JITCompiler; // Allow JITCompiler to call setCodeRef().
@@ -131 +137 @@
     uint8_t nestedTriggerIsSet { 0 };
     UpperTierExecutionCounter tierUpCounter;
-    RefPtr<CodeBlock> osrEntryBlock;
+    WriteBarrier<CodeBlock> m_osrEntryBlock;
     unsigned osrEntryRetry;
     bool abandonOSREntry;