RESOLVED FIXED Bug 115300
fourthTier: DFG tries to ref/deref StringImpls in a ton of places
https://bugs.webkit.org/show_bug.cgi?id=115300
Filip Pizlo
Reported 2013-04-27 00:00:21 PDT
I will have to think about this. I suspect that most uses of StringImpls in the DFG are totally safe. But the ones that involve debug dumps probably aren't.
Attachments
work in progress (72.50 KB, patch)
2013-04-29 13:24 PDT, Filip Pizlo
no flags
starting to run things (106.62 KB, patch)
2013-04-29 22:16 PDT, Filip Pizlo
no flags
the patch (174.79 KB, patch)
2013-04-30 14:52 PDT, Filip Pizlo
ggaren: review+
Filip Pizlo
Comment 1 2013-04-29 13:24:37 PDT
Created attachment 200041 [details] work in progress
Filip Pizlo
Comment 2 2013-04-29 22:16:37 PDT
Created attachment 200081 [details] starting to run things
Still more work to do.
Filip Pizlo
Comment 3 2013-04-30 14:52:59 PDT
Created attachment 200151 [details] the patch
Geoffrey Garen
Comment 4 2013-04-30 15:03:24 PDT
Comment on attachment 200151 [details] the patch
View in context: https://bugs.webkit.org/attachment.cgi?id=200151&action=review

r=me

> Source/JavaScriptCore/runtime/Identifier.h:251
> + typedef HashMap<StringImpl*, int, IdentifierRepHash, HashTraits<StringImpl*>, IdentifierMapIndexHashTraits> ConcurrentIdentifierMap;

Maybe BorrowedIdentifierMap instead? I don't love "Concurrent" in the name because it might imply safety.
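Review bot: the typedef at Identifier.h:251 keys the map on a raw StringImpl*, so the map takes no reference on its keys and an entry dangles if the string is freed while it is still in the map. A short comment above the typedef stating who keeps the keyed StringImpls alive for the lifetime of the map, and that the type provides no synchronization of its own, would make that contract explicit whichever name is chosen.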
Filip Pizlo
Comment 5 2013-04-30 23:58:59 PDT
Looks like I need to fix Structure::addPropertyTransitionToExistingStructure(). I'll do that shortly, and commit this after that is fixed.
Filip Pizlo
Comment 6 2013-05-02 19:57:12 PDT