Bug 204876

Summary: [JSC] Adhocly created CallLinkInfo in GetterSetterAccess should be owned by GCAwareJITStubRoutine
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: New BugsAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch saam: review+

Yusuke Suzuki
Reported 2019-12-05 00:03:58 PST
[JSC] Adhocly created CallLinkInfo in GetterSetterAccess should be owned by GCAwareJITStubRoutine
Attachments
Patch (13.71 KB, patch)
2019-12-05 00:04 PST, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (16.01 KB, patch)
2019-12-06 13:35 PST, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (16.43 KB, patch)
2019-12-10 16:59 PST, Yusuke Suzuki 		saam: review+
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2019-12-05 00:04:23 PST
Created attachment 384882 [details] Patch
Yusuke Suzuki
Comment 2 2019-12-05 00:08:29 PST
<rdar://problem/57078559>
Yusuke Suzuki
Comment 3 2019-12-06 13:35:27 PST
Created attachment 385037 [details] Patch
Yusuke Suzuki
Comment 4 2019-12-10 16:59:16 PST
Created attachment 385320 [details] Patch
Saam Barati
Comment 5 2019-12-10 17:24:14 PST
Comment on attachment 385320 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=385320&action=review > Source/JavaScriptCore/ChangeLog:10 > + so long as it is live in the stack (which means we are executing this code right now), but GetterSetterAccesssCase itself can you should say how, since this isn't intuitive. E.g, GetterSetterAccessCase might be destroyed when the StructureStubInfo is reset. > Source/JavaScriptCore/bytecode/GetterSetterAccessCase.h:42 > + // CallLinkInfo's ownership is held by generated code. is held by generated code => is held both by generated code via GCAwareJITStubRoutine and PolymorphicAccess. Maybe also explain that PolymorphicAccess can be destroyed before the CallLinkInfo is destroyed, since the GCAwareJITStubRoutine owns the CallLinkInfo
Yusuke Suzuki
Comment 6 2019-12-10 22:06:06 PST
Comment on attachment 385320 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=385320&action=review Thanks! >> Source/JavaScriptCore/ChangeLog:10 >> + so long as it is live in the stack (which means we are executing this code right now), but GetterSetterAccesssCase itself can > > you should say how, since this isn't intuitive. E.g, GetterSetterAccessCase might be destroyed when the StructureStubInfo is reset. Fixed. >> Source/JavaScriptCore/bytecode/GetterSetterAccessCase.h:42 >> + // CallLinkInfo's ownership is held by generated code. > > is held by generated code => is held both by generated code via GCAwareJITStubRoutine and PolymorphicAccess. > > Maybe also explain that PolymorphicAccess can be destroyed before the CallLinkInfo is destroyed, since the GCAwareJITStubRoutine owns the CallLinkInfo Fixed.
Yusuke Suzuki
Comment 7 2019-12-10 22:06:31 PST
Committed r253361: <https://trac.webkit.org/changeset/253361>
Note You need to log in before you can comment on or make changes to this bug.