Bug 162319

Summary: DFG::StoreBarrierInsertionPhase should assume that any epoch increment may make objects older
Product: WebKit
Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCore
Assignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, keith_miller, mark.lam, msaboff, saam
Priority: P2
Version: WebKit Nightly Build
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 149432
Attachments:
Description: the patch
Flags: saam: review+

Description Filip Pizlo 2016-09-20 14:24:40 PDT
If you just allocated an object, then it's true that the object must be white.  But as soon as you do anything to it, it will become black.  The insertion phase needs to be smart about this.
Comment 1 Filip Pizlo 2016-09-20 15:46:32 PDT
Created attachment 289406
the patch
Comment 2 Filip Pizlo 2016-09-20 15:59:47 PDT
Landed in http://trac.webkit.org/changeset/206183