Changeset 46210 in webkit for trunk/JavaScriptCore/bytecode/CodeBlock.cpp

Timestamp:

Jul 21, 2009, 9:03:32 PM (16 years ago)

Author:

[email protected]

Message:

JavaScriptCore:

2009-07-21 Zoltan Herczeg <​[email protected]>

Reviewed by Gavin Barraclough.

Cache not only the structure of the method, but the
structure of its prototype as well.
​https://bugs.webkit.org/show_bug.cgi?id=27077

• bytecode/CodeBlock.cpp: (JSC::CodeBlock::~CodeBlock):
• bytecode/CodeBlock.h: (JSC::MethodCallLinkInfo::MethodCallLinkInfo):
• jit/JITPropertyAccess.cpp: (JSC::JIT::patchMethodCallProto):

LayoutTests:

2009-07-21 Zoltan Herczeg <​[email protected]>

Reviewed by Gavin Barraclough, RS olliej fix to make the test pass.

Check whether a crash happens after the string
prototype is overwritten twice. The JIT'ed code
may crash if one of its already cached method
called again. Note: This test is not necessary
crash on all systems, because they use different
memory allocators!
​https://bugs.webkit.org/show_bug.cgi?id=27077

• fast/js/method-check-expected.txt: Added.
• fast/js/method-check.html: Added.
• fast/js/resources/method-check.js: Added. (func2): (func.String.prototype.a): (func.String.prototype.b): (func):

File:

• trunk/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (1 diff)

trunk/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1320 +1320 @@
 
     for (size_t size = m_methodCallLinkInfos.size(), i = 0; i < size; ++i) {
-        if (Structure* structure = m_methodCallLinkInfos[i].cachedStructure)
+        if (Structure* structure = m_methodCallLinkInfos[i].cachedStructure) {
             structure->deref();
+            // Both members must be filled at the same time
+            ASSERT(m_methodCallLinkInfos[i].cachedPrototypeStructure);
+            m_methodCallLinkInfos[i].cachedPrototypeStructure->deref();
+        }
     }