Context Navigation

← Previous Changeset
Next Changeset →

Changeset 46210 in webkit

Timestamp:

Jul 21, 2009, 9:03:32 PM (16 years ago)

Author:

[email protected]

Message:

JavaScriptCore:

2009-07-21 Zoltan Herczeg <[email protected]>

Reviewed by Gavin Barraclough.

Cache not only the structure of the method, but the
structure of its prototype as well.
https://bugs.webkit.org/show_bug.cgi?id=27077

bytecode/CodeBlock.cpp: (JSC::CodeBlock::~CodeBlock):
bytecode/CodeBlock.h: (JSC::MethodCallLinkInfo::MethodCallLinkInfo):
jit/JITPropertyAccess.cpp: (JSC::JIT::patchMethodCallProto):

LayoutTests:

2009-07-21 Zoltan Herczeg <[email protected]>

Reviewed by Gavin Barraclough, RS olliej fix to make the test pass.

Check whether a crash happens after the string
prototype is overwritten twice. The JIT'ed code
may crash if one of its already cached method
called again. Note: This test is not necessary
crash on all systems, because they use different
memory allocators!
https://bugs.webkit.org/show_bug.cgi?id=27077

fast/js/method-check-expected.txt: Added.
fast/js/method-check.html: Added.
fast/js/resources/method-check.js: Added. (func2): (func.String.prototype.a): (func.String.prototype.b): (func):

Location:

trunk

Files:

: 3 added
: 5 edited

JavaScriptCore/ChangeLog (modified) (1 diff)
JavaScriptCore/bytecode/CodeBlock.cpp (modified) (1 diff)
JavaScriptCore/bytecode/CodeBlock.h (modified) (2 diffs)
JavaScriptCore/jit/JITPropertyAccess.cpp (modified) (1 diff)
LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/fast/js/method-check-expected.txt (added)
LayoutTests/fast/js/method-check.html (added)
LayoutTests/fast/js/resources/method-check.js (added)

Legend:

: Unmodified
: Added
: Removed

trunk/JavaScriptCore/ChangeLog

-              r46209
+              r46210
+-07-21  Zoltan Herczeg  <[email protected]>
+        Reviewed by Gavin Barraclough.
+        Cache not only the structure of the method, but the
+        structure of its prototype as well.
+        https://bugs.webkit.org/show_bug.cgi?id=27077
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::~CodeBlock):
+        * bytecode/CodeBlock.h:
+        (JSC::MethodCallLinkInfo::MethodCallLinkInfo):
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::patchMethodCallProto):
 -07-21  Gavin Barraclough  <[email protected]>

trunk/JavaScriptCore/bytecode/CodeBlock.cpp

-              r46004
+              r46210
     for (size_t size = m_methodCallLinkInfos.size(), i = 0; i < size; ++i) {
         if (Structure* structure = m_methodCallLinkInfos[i].cachedStructure)
+        if (Structure* structure = m_methodCallLinkInfos[i].cachedStructure) {
             structure->deref();
+            // Both members must be filled at the same time
+            ASSERT(m_methodCallLinkInfos[i].cachedPrototypeStructure);
+            m_methodCallLinkInfos[i].cachedPrototypeStructure->deref();
+        }
+    }

trunk/JavaScriptCore/bytecode/CodeBlock.h

-              r45995
+              r46210
         MethodCallLinkInfo()
             : cachedStructure(0)
+            , cachedPrototypeStructure(0)
+        {
+        }
 …
         CodeLocationDataLabelPtr structureLabel;
         Structure* cachedStructure;
+        Structure* cachedPrototypeStructure;
     };

trunk/JavaScriptCore/jit/JITPropertyAccess.cpp

-              r46202
+              r46210
     structure->ref();
+    Structure* prototypeStructure = proto->structure();
+    ASSERT(!methodCallLinkInfo.cachedPrototypeStructure);
+    methodCallLinkInfo.cachedPrototypeStructure = prototypeStructure;
+    prototypeStructure->ref();
     repatchBuffer.repatch(methodCallLinkInfo.structureLabel, structure);
     repatchBuffer.repatch(methodCallLinkInfo.structureLabel.dataLabelPtrAtOffset(patchOffsetMethodCheckProtoObj), proto);
     repatchBuffer.repatch(methodCallLinkInfo.structureLabel.dataLabelPtrAtOffset(patchOffsetMethodCheckProtoStruct), proto->structure());
+    repatchBuffer.repatch(methodCallLinkInfo.structureLabel.dataLabelPtrAtOffset(patchOffsetMethodCheckProtoStruct), prototypeStructure);
     repatchBuffer.repatch(methodCallLinkInfo.structureLabel.dataLabelPtrAtOffset(patchOffsetMethodCheckPutFunction), callee);
+}

trunk/LayoutTests/ChangeLog

-              r46208
+              r46210
+-07-21  Zoltan Herczeg  <[email protected]>
+        Reviewed by Gavin Barraclough, RS olliej fix to make the test pass.
+        Check whether a crash happens after the string
+        prototype is overwritten twice. The JIT'ed code
+        may crash if one of its already cached method
+        called again. Note: This test is not necessary
+        crash on all systems, because they use different
+        memory allocators!
+        https://bugs.webkit.org/show_bug.cgi?id=27077
+        * fast/js/method-check-expected.txt: Added.
+        * fast/js/method-check.html: Added.
+        * fast/js/resources/method-check.js: Added.
+        (func2):
+        (func.String.prototype.a):
+        (func.String.prototype.b):
+        (func):
 -07-21  Dan Bernstein  <[email protected]>

Note: See TracChangeset for help on using the changeset viewer.