Bug 64387 - DFG JIT put_by_id transition caching does not inform the GC about the structure and prototype chain that it is referencing
Summary: DFG JIT put_by_id transition caching does not inform the GC about the structu...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-07-12 13:46 PDT by Filip Pizlo
Modified: 2011-07-12 14:52 PDT (History)
1 user (show)

See Also:

Attachments
the patch (1.52 KB, patch)
2011-07-12 14:02 PDT, Filip Pizlo 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Filip Pizlo 2011-07-12 13:46:27 PDT 
The DFG JIT, like the old JIT, may perform put_by_id transition caching.  In a transition cache, code is emitted that changes the structure of an object, so long as the object has a specific previous structure, and it has a specific prototype chain.  The code contains immediates referencing the old structure, the new structure, and the prototype chain.  Hence, the code is only correct if the GC keeps all of these objects (structures and prototypes) alive.  To do so, the DFG JIT must inform the GC that it has pinned those objects.  Currently, the DFG JIT does not do this, which results in spurious crashes on websites like gmail.com.
Comment 1 Filip Pizlo 2011-07-12 14:02:16 PDT 
Created attachment 100557 [details]
the patch
Comment 2 WebKit Review Bot 2011-07-12 14:52:05 PDT 
Comment on attachment 100557 [details]
the patch

Clearing flags on attachment: 100557

Committed r90854: <http://trac.webkit.org/changeset/90854>
Comment 3 WebKit Review Bot 2011-07-12 14:52:09 PDT 
All reviewed patches have been landed.  Closing bug.