Changeset 41243 in webkit for trunk/JavaScriptCore/runtime

Timestamp:

Feb 25, 2009, 11:04:31 PM (16 years ago)

Author:

[email protected]

Message:

2009-02-25 Cameron Zwarich <​[email protected]>

Reviewed by Gavin Barraclough.

Bug 24086: Regression (r40993): WebKit crashes after logging in to lists.zenbe
<​https://bugs.webkit.org/show_bug.cgi?id=24086>
<rdar://problem/6625111>

The numeric sort optimization in r40993 generated bytecode for a function
without generating JIT code. This breaks an assumption in some parts of
the JIT's function calling logic that the presence of a CodeBlock implies
the existence of JIT code.

In order to fix this, we simply generate JIT code whenever we check whether
a function is a numeric sort function. This only incurs an additional cost
in the case when the function is a numeric sort function, in which case it
is not expensive to generate JIT code for it.

JavaScriptCore:

• runtime/ArrayPrototype.cpp: (JSC::isNumericCompareFunction):

LayoutTests:

• fast/js/resources/sort-no-jit-code-crash.js: Added.
• fast/js/sort-no-jit-code-crash-expected.txt: Added.
• fast/js/sort-no-jit-code-crash.html: Added.

File:

• trunk/JavaScriptCore/runtime/ArrayPrototype.cpp (modified) (2 diffs)

trunk/JavaScriptCore/runtime/ArrayPrototype.cpp

@@ -27 +27 @@
 #include "CodeBlock.h"
 #include "Interpreter.h"
+#include "JIT.h"
 #include "ObjectPrototype.h"
 #include "Lookup.h"
@@ -68 +69 @@
     if (callType != CallTypeJS)
         return false;
-    
-    return callData.js.functionBody->bytecode(callData.js.scopeChain).isNumericCompareFunction();
+
+    CodeBlock& codeBlock = callData.js.functionBody->bytecode(callData.js.scopeChain);
+#if ENABLE(JIT)
+    // If the JIT is enabled then we need to preserve the invariant that every
+    // function with a CodeBlock also has JIT code.
+    if (!codeBlock.jitCode())
+        JIT::compile(callData.js.scopeChain->globalData, &codeBlock);
+#endif
+
+    return codeBlock.isNumericCompareFunction();
 }