Changeset 48590 in webkit for trunk/JavaScriptCore
- Timestamp: Sep 21, 2009, 11:59:56 AM (16 years ago)
- Location: trunk/JavaScriptCore
- Files: 3 edited
trunk/JavaScriptCore/ChangeLog
r48582 r48590 1 2009-09-21 Oliver Hunt <[email protected]> 2 3 Reviewed by Geoff Garen. 4 5 REGRESSION (r48582): Crash in StructureStubInfo::initPutByIdTransition when reloading trac.webkit.org 6 https://bugs.webkit.org/show_bug.cgi?id=29599 7 8 It is unsafe to attempt to cache new property transitions on 9 dictionaries of any type. 10 11 * interpreter/Interpreter.cpp: 12 (JSC::Interpreter::tryCachePutByID): 13 * jit/JITStubs.cpp: 14 (JSC::JITThunks::tryCachePutByID): 15 1 16 2009-09-21 Oliver Hunt <[email protected]> 2 17 -
trunk/JavaScriptCore/interpreter/Interpreter.cpp
r48582 r48590 989 989 // Structure transition, cache transition info 990 990 if (slot.type() == PutPropertySlot::NewProperty) { 991 if (structure->isDictionary()) { 992 vPC[0] = getOpcode(op_put_by_id_generic); 993 return; 994 } 991 995 vPC[0] = getOpcode(op_put_by_id_transition); 992 996 vPC[4] = structure->previousID(); -
trunk/JavaScriptCore/jit/JITStubs.cpp
r48582 r48590 696 696 if (slot.type() == PutPropertySlot::NewProperty) { 697 697 StructureChain* prototypeChain = structure->prototypeChain(callFrame); 698 if (!prototypeChain->isCacheable() ) {698 if (!prototypeChain->isCacheable() || structure->isDictionary()) { 699 699 ctiPatchCallByReturnAddress(codeBlock, returnAddress, FunctionPtr(cti_op_put_by_id_generic)); 700 700 return;
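Review bot: the ChangeLog entry describes a crash found by reloading trac.webkit.org, yet the three edited files are ChangeLog, Interpreter.cpp and JITStubs.cpp, so no regression test lands with the fix. Suggest adding a reduced test that exercises a new-property put on a dictionary structure in both the interpreter and the JIT, so that the two guards cannot regress independently.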
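Review bot: in Interpreter.cpp, the new `if (structure->isDictionary())` early-out inside the `PutPropertySlot::NewProperty` branch has no comment explaining why a dictionary structure must fall back to `op_put_by_id_generic`. The reason ("It is unsafe to attempt to cache new property transitions on dictionaries of any type") lives only in the ChangeLog. A one-line comment above the check would keep the safety condition visible next to the `vPC[4] = structure->previousID();` store it protects. The same condition is repeated in JITStubs.cpp, so a shared predicate would stop the two copies from drifting apart.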
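Review bot: in JITStubs.cpp, `structure->isDictionary()` is tested only after `structure->prototypeChain(callFrame)` has been called on the preceding line, and it sits second in the `||`. The dictionary test needs nothing but `structure`, so it could run first, before the prototype chain is fetched, which also makes the order of checks match the interpreter path. As in Interpreter.cpp, a short comment on why dictionaries are excluded from transition caching would help the next reader of this condition.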