Timestamp:
Jul 12, 2011, 5:53:17 PM (14 years ago)
Author:
[email protected]
Message:

Overzealous type validation in method_check
https://bugs.webkit.org/show_bug.cgi?id=64415

Reviewed by Gavin Barraclough.

../../../../Volumes/Data/git/WebKit/OpenSource/LayoutTests:

Make sure we don't trip any assertions when caching access to an InternalFunction

  • fast/js/script-tests/method-check.js:

../../../../Volumes/Data/git/WebKit/OpenSource/Source/JavaScriptCore:

method_check is essentially just a value look up optimisation, but it internally stores the value as a JSFunction, even though it never relies on this fact. Under GC validation however we end up trying to enforce that assumption. The fix is simply to store the value as a correct supertype.

  • bytecode/CodeBlock.h:
  • dfg/DFGRepatch.cpp:

(JSC::DFG::dfgRepatchGetMethodFast):
(JSC::DFG::tryCacheGetMethod):

  • jit/JIT.h:
  • jit/JITPropertyAccess.cpp:

(JSC::JIT::patchMethodCallProto):

  • jit/JITStubs.cpp:

(JSC::DEFINE_STUB_FUNCTION):

File:
1 edited

  • trunk/Source/JavaScriptCore/bytecode/CodeBlock.h

    r90529 r90875  
    147147        JITWriteBarrier<Structure> cachedStructure;
    148148        JITWriteBarrier<Structure> cachedPrototypeStructure;
    149         JITWriteBarrier<JSFunction> cachedFunction;
     149        // We'd like this to actually be JSFunction, but InternalFunction and JSFunction
     150        // don't have a common parent class and we allow specialisation on both
     151        JITWriteBarrier<JSObjectWithGlobalObject> cachedFunction;
    150152        JITWriteBarrier<JSObject> cachedPrototype;
    151153        bool seen;
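Review bot: widening cachedFunction from JITWriteBarrier<JSFunction> to JITWriteBarrier<JSObjectWithGlobalObject> (r90875 lines 149-151) drops the static guarantee that readers get a JSFunction, so any site that uses JSFunction-only members through cachedFunction now needs an explicit downcast or a runtime type check; the commit message names dfgRepatchGetMethodFast, tryCacheGetMethod, patchMethodCallProto and the JITStubs stub as updated, but this view shows only CodeBlock.h, so confirm those call sites compile against the supertype and no longer rely on the JSFunction assumption that GC validation was asserting. Minor: the new comment explains why the two classes can't share a narrower type but not that GC validation checks the stored type, so a one-line pointer there would stop a future reader from "fixing" it back to JSFunction.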