Changeset 190827 in webkit for trunk/Source/JavaScriptCore/dfg/DFGPlan.h

Timestamp:

Oct 9, 2015, 4:10:16 PM (10 years ago)

Author:

[email protected]

Message:

2015-10-09 Geoffrey Garen <​[email protected]>

Unreviewed, rolling back in r190694
​https://bugs.webkit.org/show_bug.cgi?id=149727

This time for double sure?

The cause of the crash was an incorrect write barrier.

OSR exit was barriering the baseline codeblock for the top of the stack
twice, missing the baseline codeblock for the bottom of the stack.

Restored changesets:

"CodeBlock should be a GC object"
​https://bugs.webkit.org/show_bug.cgi?id=149727
​http://trac.webkit.org/changeset/r190694

File:

• trunk/Source/JavaScriptCore/dfg/DFGPlan.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/dfg/DFGPlan.h

@@ -56 +56 @@
 struct Plan : public ThreadSafeRefCounted<Plan> {
     Plan(
-        PassRefPtr<CodeBlock> codeBlockToCompile, CodeBlock* profiledDFGCodeBlock,
+        CodeBlock* codeBlockToCompile, CodeBlock* profiledDFGCodeBlock,
         CompilationMode, unsigned osrEntryBytecodeIndex,
         const Operands<JSValue>& mustHandleValues);
@@ -72 +72 @@
     CompilationKey key();
     
-    void clearCodeBlockMarks();
+    void rememberCodeBlocks();
     void checkLivenessAndVisitChildren(SlotVisitor&);
     bool isKnownToBeLiveDuringGC();
@@ -78 +78 @@
     
     VM& vm;
-    RefPtr<CodeBlock> codeBlock;
-    RefPtr<CodeBlock> profiledDFGCodeBlock;
+
+    // These can be raw pointers because we visit them during every GC in checkLivenessAndVisitChildren.
+    CodeBlock* codeBlock;
+    CodeBlock* profiledDFGCodeBlock;
+
     CompilationMode mode;
     const unsigned osrEntryBytecodeIndex;