Bug 131654

Summary: emit_op_put_by_id should not emit a write barrier that filters on value
Product: WebKit
Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCore
Assignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

Mark Hahnenberg
Reported 2014-04-14 18:11:40 PDT
The 32-bit implementation does this, and it can cause crashes if we later repatch the code to allocate and store new Butterflies.
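The failure the summary describes, as an added illustration that is not code from WebKit or from this patch: a toy generational heap in C (constructed for this example; the Cell layout, the remembered set, the trace rules and the put_by_id_transition helper are all simplified assumptions, not JSC's real structures). A barrier that is skipped whenever the stored value is not a cell never records the base, so when the repatched put_by_id installs a freshly allocated (young) Butterfly into an old base, the next minor GC cannot see that old-to-young edge and frees the Butterfly while the base still points at it. The unfiltered barrier, which depends only on the base, keeps the Butterfly alive.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy generational heap, constructed for this example; it is not JSC's heap.
 * A cell is old or young. A minor GC traces young cells reachable from roots
 * plus the children of old cells recorded in the remembered set, then frees
 * every young cell it did not reach. Freed cells are poisoned (freed = true)
 * rather than released so the scenario can observe a dangling pointer safely. */
typedef struct Cell Cell;
typedef struct { bool is_cell; Cell *cell; int64_t imm; } JSValue;
struct Cell {
    bool young, marked, freed;
    Cell *butterfly;   /* out-of-line property storage, may be young */
    JSValue slot;      /* one property slot held by a Butterfly */
    Cell *all;         /* intrusive list of every allocated cell */
};

enum { MAX_REMEMBERED = 16 };
static Cell *all_cells;
static Cell *remembered[MAX_REMEMBERED];
static int remembered_count;

static Cell *alloc_cell(bool young) {
    Cell *c = calloc(1, sizeof *c);
    c->young = young;
    c->all = all_cells;
    all_cells = c;
    return c;
}

/* Record an old base so the next minor GC re-scans its outgoing pointers. */
static void remember(Cell *base) {
    if (base->young) return;                 /* young bases are traced anyway */
    for (int i = 0; i < remembered_count; i++)
        if (remembered[i] == base) return;
    if (remembered_count < MAX_REMEMBERED) remembered[remembered_count++] = base;
}

/* Buggy shape: barrier elided when the stored value is not a cell. */
static void barrier_filtered_on_value(Cell *base, JSValue v) {
    if (v.is_cell) remember(base);
}

/* Fixed shape: the barrier depends only on the base being written. */
static void barrier_unfiltered(Cell *base, JSValue v) {
    (void)v;
    remember(base);
}

/* put_by_id after it has been repatched into a transition: the base receives a
 * freshly allocated, young Butterfly and the value is stored into it. */
static void put_by_id_transition(Cell *base, JSValue v, bool filter_on_value) {
    if (filter_on_value) barrier_filtered_on_value(base, v);
    else barrier_unfiltered(base, v);
    Cell *fresh = alloc_cell(true);
    base->butterfly = fresh;                 /* old -> young pointer created here */
    fresh->slot = v;
}

/* Generational tracing: stop at old cells; their young children are found
 * only through the remembered set. */
static void trace_young(Cell *c) {
    if (!c || c->marked || !c->young) return;
    c->marked = true;
    trace_young(c->butterfly);
    if (c->slot.is_cell) trace_young(c->slot.cell);
}

static int minor_gc(Cell **roots, int nroots) {
    for (Cell *c = all_cells; c; c = c->all) c->marked = false;
    for (int i = 0; i < nroots; i++) trace_young(roots[i]);
    for (int i = 0; i < remembered_count; i++) {
        trace_young(remembered[i]->butterfly);
        if (remembered[i]->slot.is_cell) trace_young(remembered[i]->slot.cell);
    }
    remembered_count = 0;
    int freed = 0;
    for (Cell *c = all_cells; c; c = c->all) {
        if (!c->young || c->freed) continue;
        if (c->marked) c->young = false;     /* survivor is promoted */
        else { c->freed = true; freed++; }
    }
    return freed;
}

/* Returns true if the base's Butterfly points at freed memory after the GC. */
static bool butterfly_dangles_after_minor_gc(bool filter_on_value) {
    all_cells = NULL;
    remembered_count = 0;
    Cell *base = alloc_cell(false);          /* an old object, reached from roots */
    base->butterfly = alloc_cell(false);     /* its current Butterfly, also old */
    JSValue v = { .is_cell = false, .cell = NULL, .imm = 42 };  /* an int, not a cell */
    put_by_id_transition(base, v, filter_on_value);
    Cell *roots[1] = { base };
    minor_gc(roots, 1);
    bool dangles = base->butterfly->freed;
    for (Cell *c = all_cells; c;) { Cell *n = c->all; free(c); c = n; }
    all_cells = NULL;
    return dangles;
}

int main(void) {
    printf("filtered barrier:   butterfly dangles = %d\n", butterfly_dangles_after_minor_gc(true));
    printf("unfiltered barrier: butterfly dangles = %d\n", butterfly_dangles_after_minor_gc(false));
    return 0;
}
```

The stored value (an integer) is exactly the case the value filter was meant to make cheap, and it is exactly the case in which the barrier is still required, because the pointer that needs the barrier is the Butterfly installed by the transition, not the value.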
Attachments
Patch (3.56 KB, patch)
2014-04-14 18:15 PDT, Mark Hahnenberg
fpizlo: review+
Mark Hahnenberg
Comment 1 2014-04-14 18:15:20 PDT
Mark Hahnenberg
Comment 2 2014-04-14 18:17:25 PDT
Mark Lam
Comment 3 2014-04-14 18:35:34 PDT
Comment on attachment 229331 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=229331&action=review

> Source/JavaScriptCore/ChangeLog:12
> +        (JSC::JIT::emitWriteBarrier): We also weren't verify the base was a cell on 32-bit if

/weren’t verify the/weren’t verifying that the/.
Filip Pizlo
Comment 4 2014-04-14 18:41:23 PDT
Comment on attachment 229331 [details]
Patch

R=me with MarkL's suggestion.
Mark Hahnenberg
Comment 5 2014-04-14 19:20:56 PDT