RESOLVED FIXED 26532
Native functions do not correctly unlink from optimised callsites when they're collected 
https://bugs.webkit.org/show_bug.cgi?id=26532
Summary Native functions do not correctly unlink from optimised callsites when they'r...
Oliver Hunt
Reported 2009-06-18 22:37:22 PDT
Native functions are not correctly unlinking from optimised callsites when they're collected, which may result in a crash if a new object is subsequently allocated at the same address, and is then called at the optimised call location.
Attachments
Fixeration (19.89 KB, patch)
2009-06-18 23:17 PDT, Oliver Hunt 		barraclough: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Oliver Hunt
Comment 1 2009-06-18 23:17:55 PDT
Created attachment 31533 [details] Fixeration
Gavin Barraclough
Comment 2 2009-06-18 23:38:43 PDT
Comment on attachment 31533 [details] Fixeration Please to be adding ASSERTs to check code type enum is sizeof(int32_t), and add ASSERTSs to cti_op_call_JSFunction & the arity check to the function is not a host function. Also, in the ChangeLog you say 'Reviewed by NOBODY (OOPS!).', this should read 'Reviewed by Gavin "Viceroy of Venezuela" Barraclough.'. r+. G.
Oliver Hunt
Comment 3 2009-06-19 00:11:10 PDT
Committing to http://svn.webkit.org/repository/webkit/trunk ... M JavaScriptCore/ChangeLog M JavaScriptCore/JavaScriptCore.exp M JavaScriptCore/bytecode/CodeBlock.cpp M JavaScriptCore/bytecode/CodeBlock.h M JavaScriptCore/jit/JIT.cpp M JavaScriptCore/jit/JITStubs.cpp M JavaScriptCore/parser/Nodes.cpp M JavaScriptCore/parser/Nodes.h M JavaScriptCore/runtime/JSFunction.cpp M JavaScriptCore/runtime/JSGlobalData.cpp M JavaScriptCore/runtime/JSGlobalData.h Committed r44844
David Levin
Comment 4 2009-06-19 01:02:24 PDT
Corresponding Windows build fix http://trac.webkit.org/changeset/44845.
Note You need to log in before you can comment on or make changes to this bug.