Bug 131654

Summary: emit_op_put_by_id should not emit a write barrier that filters on value
Product: WebKit Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCoreAssignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch fpizlo: review+

Description Mark Hahnenberg 2014-04-14 18:11:40 PDT 
The 32-bit implementation does this, and it can cause crashes if we later repatch the code to allocate and store new Butterflies.
Comment 1 Mark Hahnenberg 2014-04-14 18:15:20 PDT 
Created attachment 229331 [details]
Patch
Comment 2 Mark Hahnenberg 2014-04-14 18:17:25 PDT 
<rdar://problem/16513604>
Comment 3 Mark Lam 2014-04-14 18:35:34 PDT 
Comment on attachment 229331 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=229331&action=review

> Source/JavaScriptCore/ChangeLog:12
> +        (JSC::JIT::emitWriteBarrier): We also weren't verify the base was a cell on 32-bit if 

/weren’t verify the/weren’t verifying that the/.
Comment 4 Filip Pizlo 2014-04-14 18:41:23 PDT 
Comment on attachment 229331 [details]
Patch

R=me with MarkL's suggestion.
Comment 5 Mark Hahnenberg 2014-04-14 19:20:56 PDT 
Committed r167288: <http://trac.webkit.org/changeset/167288>