| Field | Value |
|---|---|
| Summary | Lock down JSFunction |
| Product | WebKit |
| Component | JavaScriptCore |
| Reporter | Filip Pizlo <fpizlo> |
| Assignee | Filip Pizlo <fpizlo> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Keywords | InRadar |
| CC | ews-watchlist, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer |
| Version | WebKit Nightly Build |
| Hardware | All |
| OS | All |
| Attachments | 333521 (work in progress), 333562 (more), 333564, 333565, 333566, 333632 (the patch), 333568 (archive of layout-test-results) |
Description
Filip Pizlo
2018-02-09 14:59:27 PST

Created attachment 333521 [details]
work in progress

Created attachment 333562 [details]
more

Created attachment 333564 [details]
the patch

Created attachment 333565 [details]
the patch

Created attachment 333566 [details]
the patch

Fixed builds

Comment on attachment 333566 [details]
the patch

Attachment 333566 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/6450921

New failing tests:
js/repeat-cached-vm-reentry.html

Created attachment 333568 [details]
Archive of layout-test-results from ews112 for mac-sierra

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112  Port: mac-sierra  Platform: Mac OS X 10.12.6

earley    0.30123+-0.00176    !    43.34337+-1.07163    ! definitely 143.8868x slower

OOOOOPS

Created attachment 333632 [details]
the patch

Fixed a nasty bug in Repatch.

Comment on attachment 333632 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=333632&action=review

r=me

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:164
> +        return TrustedImmPtr(bitwise_cast<size_t>(cell) ^ Key::key());

Style: uintptr_t instead of size_t?

> Source/JavaScriptCore/runtime/JSBoundFunction.h:44
> +    template<typename CellType>

Should we also poison JSBoundFunction's other fields? Or perhaps open a bug for that work?

(In reply to Saam Barati from comment #11)
> Comment on attachment 333632 [details]
> the patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=333632&action=review
>
> r=me
>
> > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:164
> > +        return TrustedImmPtr(bitwise_cast<size_t>(cell) ^ Key::key());
>
> Style: uintptr_t instead of size_t?

The other weakPointer function does size_t.

> > Source/JavaScriptCore/runtime/JSBoundFunction.h:44
> > +    template<typename CellType>
>
> Should we also poison JSBoundFunction's other fields? Or perhaps open a bug
> for that work?

Since those point to JSObject-like things, maybe we don't have to poison them.