- Put it in an isospace
- Poison its outgoing pointers
Created attachment 333521 [details] work in progress
Created attachment 333562 [details] more
Created attachment 333564 [details] the patch
<rdar://problem/37429153>
Created attachment 333565 [details] the patch
Created attachment 333566 [details] the patch
Fixed builds
Comment on attachment 333566 [details] the patch
Attachment 333566 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/6450921
New failing tests:
js/repeat-cached-vm-reentry.html
Created attachment 333568 [details] Archive of layout-test-results from ews112 for mac-sierra
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112
Port: mac-sierra
Platform: Mac OS X 10.12.6
earley 0.30123+-0.00176 ! 43.34337+-1.07163 ! definitely 143.8868x slower OOOOOPS
Created attachment 333632 [details] the patch
Fixed a nasty bug in Repatch.
Comment on attachment 333632 [details] the patch
View in context: https://bugs.webkit.org/attachment.cgi?id=333632&action=review
r=me
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:164
> + return TrustedImmPtr(bitwise_cast<size_t>(cell) ^ Key::key());
Style: uintptr_t instead of size_t?
> Source/JavaScriptCore/runtime/JSBoundFunction.h:44
> + template<typename CellType>
Should we also poison JSBoundFunction's other fields? Or perhaps open a bug for that work?
(In reply to Saam Barati from comment #11)
> Comment on attachment 333632 [details]
> the patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=333632&action=review
>
> r=me
>
> > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:164
> > + return TrustedImmPtr(bitwise_cast<size_t>(cell) ^ Key::key());
> >
> > Style: uintptr_t instead of size_t?
>
The other weakPointer function does size_t.
> > Source/JavaScriptCore/runtime/JSBoundFunction.h:44
> > + template<typename CellType>
> >
> > Should we also poison JSBoundFunction's other fields? Or perhaps open a bug for that work?
Since those point to JSObject-like things, maybe we don't have to poison them.
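Review bot: bitwise_cast<size_t>(cell) at DFGSpeculativeJIT.h:164 assumes size_t is pointer-width; uintptr_t states that intent directly. If size_t stays to match the other weakPointer function, change both together in a follow-up, or add a static_assert(sizeof(size_t) == sizeof(void*)) next to them so the poisoned immediate cannot be silently truncated on a target where the two differ.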
Landed in http://trac.webkit.org/changeset/228420/webkit