204876 – [JSC] Adhocly created CallLinkInfo in GetterSetterAccess should be owned by GCAwareJITStubRoutine

RESOLVED FIXED204876

[JSC] Adhocly created CallLinkInfo in GetterSetterAccess should be owned by GCAwareJITStubRoutine

https://bugs.webkit.org/show_bug.cgi?id=204876

Summary [JSC] Adhocly created CallLinkInfo in GetterSetterAccess should be owned by G...

Yusuke Suzuki

Reported 2019-12-05 00:03:58 PST

[JSC] Adhocly created CallLinkInfo in GetterSetterAccess should be owned by GCAwareJITStubRoutine

Attachments
Patch (13.71 KB, patch) 2019-12-05 00:04 PST, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (16.01 KB, patch) 2019-12-06 13:35 PST, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (16.43 KB, patch) 2019-12-10 16:59 PST, Yusuke Suzuki	saam: review+	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Yusuke Suzuki

Comment 1 2019-12-05 00:04:23 PST

Created attachment 384882 [details] Patch

Yusuke Suzuki

Comment 2 2019-12-05 00:08:29 PST

<rdar://problem/57078559>

Yusuke Suzuki

Comment 3 2019-12-06 13:35:27 PST

Created attachment 385037 [details] Patch

Yusuke Suzuki

Comment 4 2019-12-10 16:59:16 PST

Created attachment 385320 [details] Patch

Saam Barati

Comment 5 2019-12-10 17:24:14 PST

Comment on attachment 385320 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=385320&action=review > Source/JavaScriptCore/ChangeLog:10 > + so long as it is live in the stack (which means we are executing this code right now), but GetterSetterAccesssCase itself can you should say how, since this isn't intuitive. E.g, GetterSetterAccessCase might be destroyed when the StructureStubInfo is reset. > Source/JavaScriptCore/bytecode/GetterSetterAccessCase.h:42 > + // CallLinkInfo's ownership is held by generated code. is held by generated code => is held both by generated code via GCAwareJITStubRoutine and PolymorphicAccess. Maybe also explain that PolymorphicAccess can be destroyed before the CallLinkInfo is destroyed, since the GCAwareJITStubRoutine owns the CallLinkInfo

Yusuke Suzuki

Comment 6 2019-12-10 22:06:06 PST

Comment on attachment 385320 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=385320&action=review Thanks! >> Source/JavaScriptCore/ChangeLog:10 >> + so long as it is live in the stack (which means we are executing this code right now), but GetterSetterAccesssCase itself can > > you should say how, since this isn't intuitive. E.g, GetterSetterAccessCase might be destroyed when the StructureStubInfo is reset. Fixed. >> Source/JavaScriptCore/bytecode/GetterSetterAccessCase.h:42 >> + // CallLinkInfo's ownership is held by generated code. > > is held by generated code => is held both by generated code via GCAwareJITStubRoutine and PolymorphicAccess. > > Maybe also explain that PolymorphicAccess can be destroyed before the CallLinkInfo is destroyed, since the GCAwareJITStubRoutine owns the CallLinkInfo Fixed.

Yusuke Suzuki

Comment 7 2019-12-10 22:06:31 PST

Committed r253361: <https://trac.webkit.org/changeset/253361>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component New Bugs

Assignee

Yusuke Suzuki

Reported

2019-12-05 00:03 PST

Modified

2019-12-10 22:06 PST History

CC List

7 users Show

URL

Keywords InRadar

Depends on

Blocks