We currently perform the load of the storage array prior to the structure checks. This is expected to be safe since the value loaded is not used unless the structure checks all pass. However, if the prototype object has changed, and if there are no further references to the original prototype object OR to any other objects within the same heap block, then the heap block may be freed, and the memory may be unmapped. In the unlikely* event this should happen, the access will result in a fault. This can be fixed by simply not hoisting the memory access. This is not expected to impact performance significantly. Whilst hoisting the load may have helped in some cases, it will also have resulted in an unnecessary and unused memory access being performed at other times. [ * Ummm..... ]
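To make the ordering problem described above concrete, the following is an added C model of the two load orders; it is not JavaScriptCore code and not the patch attached to this bug. The names (HeapBlock, Structure, InlineCache, hoisted_get, guarded_get, run_scenario) are hypothetical. A real unmapped page cannot be read without crashing, so the model records "unmapped" as a flag and reports a read of such a block as a result code rather than an actual fault; the scenario is constructed to match the comment: a stub compiled against a prototype whose block is later freed and unmapped once the prototype changes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of a heap block. In the engine, freeing the last live
 * object in a block can unmap its pages; here "unmapped" is a flag so that a
 * stray read is reported as ACCESS_FAULT instead of crashing the process. */
typedef struct HeapBlock {
    bool mapped;
    int storage[4];               /* the prototype object's property storage array */
} HeapBlock;

typedef struct Structure { int id; } Structure;

typedef struct JSObject { const Structure *structure; } JSObject;

/* A property-access stub for a prototype-chain hit: compiled against one
 * Structure, with the prototype's storage address baked in at compile time. */
typedef struct InlineCache {
    const Structure *expected_structure;
    const HeapBlock *cached_proto_block;  /* dangles once the prototype changes */
    size_t slot;
} InlineCache;

typedef enum { ACCESS_HIT = 0, ACCESS_MISS = 1, ACCESS_FAULT = 2 } AccessResult;

/* Models a single memory read from a heap block. */
static AccessResult load_storage(const HeapBlock *b, size_t slot, int *out) {
    if (!b->mapped)
        return ACCESS_FAULT;      /* reading unmapped memory: a fault in the real engine */
    *out = b->storage[slot];
    return ACCESS_HIT;
}

/* Buggy order: the storage load is hoisted above the structure check. */
AccessResult hoisted_get(const JSObject *o, const InlineCache *ic, int *out) {
    int tmp;
    AccessResult r = load_storage(ic->cached_proto_block, ic->slot, &tmp);
    if (r == ACCESS_FAULT)
        return ACCESS_FAULT;
    if (o->structure != ic->expected_structure)
        return ACCESS_MISS;       /* the value just loaded is discarded unused */
    *out = tmp;
    return ACCESS_HIT;
}

/* Fixed order: check the structure first and touch the storage only on a hit. */
AccessResult guarded_get(const JSObject *o, const InlineCache *ic, int *out) {
    if (o->structure != ic->expected_structure)
        return ACCESS_MISS;
    return load_storage(ic->cached_proto_block, ic->slot, out);
}

/* Constructed scenario: run the stub either before or after the prototype is
 * replaced (which frees and unmaps the old block), with either load order.
 * The loaded value, if any, is written to *value. */
AccessResult run_scenario(bool after_proto_change, bool hoisted, int *value) {
    static const Structure s_original = { 1 };
    static const Structure s_after_change = { 2 };

    HeapBlock *block = calloc(1, sizeof *block);
    block->mapped = true;
    block->storage[1] = 42;

    JSObject obj = { &s_original };
    InlineCache ic = { &s_original, block, 1 };

    if (after_proto_change) {
        obj.structure = &s_after_change;  /* structure transition: the check now fails */
        block->mapped = false;            /* no remaining references: block unmapped */
    }

    AccessResult r = hoisted ? hoisted_get(&obj, &ic, value)
                             : guarded_get(&obj, &ic, value);
    free(block);
    return r;
}

/* Convenience wrappers so each outcome is a plain return value. */
int scenario_result(bool after_proto_change, bool hoisted) {
    int v = -1;
    return (int)run_scenario(after_proto_change, hoisted, &v);
}

int scenario_value(bool after_proto_change, bool hoisted) {
    int v = -1;
    run_scenario(after_proto_change, hoisted, &v);
    return v;
}

int main(void) {
    printf("before change, hoisted: result %d value %d\n",
           scenario_result(false, true), scenario_value(false, true));
    printf("after change,  hoisted: result %d (2 = fault)\n", scenario_result(true, true));
    printf("after change,  guarded: result %d (1 = miss)\n", scenario_result(true, false));
    return 0;
}
```

Before the prototype changes both orders hit and return the same value, which is why the hoisted load looked safe; after the change the guarded order reports a cache miss without ever touching the freed block, while the hoisted order reads it first and only then discovers the structure no longer matches.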
Created attachment 29812: The patch
Sending        JavaScriptCore/ChangeLog
Sending        JavaScriptCore/jit/JITPropertyAccess.cpp
Transmitting file data ..
Committed revision 42884.