64387 2011-07-12 13:46:27 -0700 DFG JIT put_by_id transition caching does not inform the GC about the structure and prototype chain that it is referencing 2011-07-12 14:52:09 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 0 fpizlo webkit-unassigned webkit.review.bot oldest_to_newest 435919 0 fpizlo 2011-07-12 13:46:27 -0700 The DFG JIT, like the old JIT, may perform put_by_id transition caching. In a transition cache, code is emitted that changes the structure of an object, so long as the object has a specific previous structure, and it has a specific prototype chain. The code contains immediates referencing the old structure, the new structure, and the prototype chain. Hence, the code is only correct if the GC keeps all of these objects (structures and prototypes) alive. To do so, the DFG JIT must inform the GC that it has pinned those objects. Currently, the DFG JIT does not do this, which results in spurious crashes on websites like gmail.com. 435931 1 100557 fpizlo 2011-07-12 14:02:16 -0700 Created attachment 100557 the patch 435986 2 100557 webkit.review.bot 2011-07-12 14:52:05 -0700 Comment on attachment 100557 the patch Clearing flags on attachment: 100557 Committed r90854: <http://trac.webkit.org/changeset/90854> 435987 3 webkit.review.bot 2011-07-12 14:52:09 -0700 All reviewed patches have been landed. Closing bug. 100557 2011-07-12 14:02:16 -0700 2011-07-12 14:52:05 -0700 the patch puttransitiongcfix_patch_1.diff text/plain 1560 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gOTA4NDQpCisrKyBTb3VyY2Uv SmF2YVNjcmlwdENvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTYgQEAK KzIwMTEtMDctMTIgIEZpbGlwIFBpemxvICA8ZnBpemxvQGFwcGxlLmNvbT4KKworICAgICAgICBE RkcgSklUIHB1dF9ieV9pZCB0cmFuc2l0aW9uIGNhY2hpbmcgZG9lcyBub3QgaW5mb3JtIHRoZSBH QyBhYm91dCB0aGUgc3RydWN0dXJlIGFuZAorICAgICAgICBwcm90b3R5cGUgY2hhaW4gdGhhdCBp dCBpcyByZWZlcmVuY2luZy4KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19i dWcuY2dpP2lkPTY0Mzg3CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisg ICAgICAgIAorICAgICAgICBGaXhlZCB0aGUgcmVsZXZhbnQgY29kZSBpbiBERkdSZXBhdGNoIHRv IGNhbGwgU3RydWN0dXJlU3R1YkluZm86OmluaXRQdXRCeUlkVHJhbnNpdGlvbigpLgorCisgICAg ICAgICogZGZnL0RGR1JlcGF0Y2guY3BwOgorICAgICAgICAoSlNDOjpERkc6OnRyeUNhY2hlUHV0 QnlJRCk6CisKIDIwMTEtMDctMTIgIEFkYW0gUm9iZW4gIDxhcm9iZW5AYXBwbGUuY29tPgogCiAg ICAgICAgIEVuc3VyZSBubyBpbnRlcm1lZGlhdGUgV1RGOjpTdHJpbmdzIGFyZSBjcmVhdGVkIHdo ZW4gY29uY2F0ZW5hdGluZyB3aXRoIHN0cmluZyBsaXRlcmFscwpJbmRleDogU291cmNlL0phdmFT Y3JpcHRDb3JlL2RmZy9ERkdSZXBhdGNoLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2YVNj cmlwdENvcmUvZGZnL0RGR1JlcGF0Y2guY3BwCShyZXZpc2lvbiA5MDg0MSkKKysrIFNvdXJjZS9K YXZhU2NyaXB0Q29yZS9kZmcvREZHUmVwYXRjaC5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTQxMyw2 ICs0MTMsOCBAQCBzdGF0aWMgYm9vbCB0cnlDYWNoZVB1dEJ5SUQoRXhlY1N0YXRlKiBlCiAgICAg ICAgICAgICByZXBhdGNoQnVmZmVyLnJlbGluayhzdHViSW5mby5jYWxsUmV0dXJuTG9jYXRpb24u anVtcEF0T2Zmc2V0KHN0dWJJbmZvLmRlbHRhQ2FsbFRvU3RydWN0Q2hlY2spLCBlbnRyeUxhYmVs KTsKICAgICAgICAgICAgIHJlcGF0Y2hCdWZmZXIucmVsaW5rKHN0dWJJbmZvLmNhbGxSZXR1cm5M b2NhdGlvbiwgYXBwcm9wcmlhdGVQdXRCeUlkRnVuY3Rpb24oc2xvdCwgcHV0S2luZCkpOwogICAg ICAgICAgICAgCisgICAgICAgICAgICBzdHViSW5mby5pbml0UHV0QnlJZFRyYW5zaXRpb24oKmds b2JhbERhdGEsIGNvZGVCbG9jay0+b3duZXJFeGVjdXRhYmxlKCksIG9sZFN0cnVjdHVyZSwgc3Ry dWN0dXJlLCBwcm90b3R5cGVDaGFpbik7CisgICAgICAgICAgICAKICAgICAgICAgICAgIHJldHVy biB0cnVlOwogICAgICAgICB9CiAK