Context Navigation

← Previous Change
Next Change →

bytecode

Timestamp:

May 3, 2010, 3:18:59 PM (15 years ago)

Author:

[email protected]

Message:

2010-05-03 Oliver Hunt <[email protected]>

Reviewed by Maciej Stachowiak.

Interpreter crashes due to incorrect refcounting of cached structures.
https://bugs.webkit.org/show_bug.cgi?id=38491
rdar://problem/7926160

Make sure we ref/deref structures used for cached custom property getters

bytecode/CodeBlock.cpp: (JSC::CodeBlock::derefStructures): (JSC::CodeBlock::refStructures):

2010-05-03 Oliver Hunt <[email protected]>

Reviewed by Maciej Stachowiak.

Interpreter crashes due to incorrect refcounting of cached structures.
https://bugs.webkit.org/show_bug.cgi?id=38491

Add test for cached structure chains used for custom getters.

fast/js/pic/cached-named-property-getter.html:

File:

: 1 edited

trunk/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/JavaScriptCore/bytecode/CodeBlock.cpp

-              r57955
+              r58705
         return;
+    }
     if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_proto) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_proto)) {
+    if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_proto) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_proto) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_proto)) {
         vPC[4].u.structure->deref();
         vPC[5].u.structure->deref();
         return;
+    }
     if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_chain)) {
+    if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_chain)) {
         vPC[4].u.structure->deref();
         vPC[5].u.structureChain->deref();
 …
         || (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_self_list))
         || (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_proto_list))
+        || (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_self_list))) {
+        || (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_self_list))
+        || (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_proto_list))
+        || (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_self_list))) {
         PolymorphicAccessStructureList* polymorphicStructures = vPC[4].u.polymorphicStructures;
         polymorphicStructures->derefStructures(vPC[5].u.operand);
 …
         return;
+    }
     if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_proto) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_proto)) {
+    if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_proto) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_proto) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_proto)) {
         vPC[4].u.structure->ref();
         vPC[5].u.structure->ref();
         return;
+    }
     if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_chain)) {
+    if (vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_getter_chain) || vPC[0].u.opcode == interpreter->getOpcode(op_get_by_id_custom_chain)) {
         vPC[4].u.structure->ref();
         vPC[5].u.structureChain->ref();

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 58705 in webkit for trunk/JavaScriptCore/bytecode

Legend:

trunk/JavaScriptCore/bytecode/CodeBlock.cpp

Download in other formats: