WebKit Bugzilla
Bug 64387: DFG JIT put_by_id transition caching does not inform the GC about the structure and prototype chain that it is referencing
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=64387
Reported by Filip Pizlo, 2011-07-12 13:46:27 PDT:
The DFG JIT, like the old JIT, may perform put_by_id transition caching. In a transition cache, code is emitted that changes the structure of an object, so long as the object has a specific previous structure, and it has a specific prototype chain. The code contains immediates referencing the old structure, the new structure, and the prototype chain. Hence, the code is only correct if the GC keeps all of these objects (structures and prototypes) alive. To do so, the DFG JIT must inform the GC that it has pinned those objects. Currently, the DFG JIT does not do this, which results in spurious crashes on websites like gmail.com.
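The failure mode the report describes is general to any JIT cache that bakes heap pointers into generated code: the collector only retains what it is told about, so a cache that keeps "immediates" without reporting them leaves the stub pointing at freed memory after the next collection. The following C++ sketch is an added illustration and is not WebKit code; it models a toy mark-sweep heap, a hypothetical `TransitionCache` holding the old structure, the new structure and the prototype chain, and a `collect()` that can optionally be told about the cache's references. Running the same scenario both ways shows all of the cache's referents being freed when the cache is silent, and surviving when it reports them.

```cpp
// Added illustration, not WebKit's code: a toy mark-sweep heap in which a
// JIT-style put_by_id transition cache keeps raw pointers (the "immediates"
// baked into generated code) to the old structure, the new structure and the
// prototype chain. The collector only keeps what it is told about, so the
// cache must report its references or they become dangling.
#include <algorithm>
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

struct Cell {
    bool marked = false;
    virtual ~Cell() = default;
    // Push every cell this one points to (the GC's "visit children" step).
    virtual void visitChildren(std::vector<Cell*>&) {}
};

struct Structure : Cell {};

struct Object : Cell {
    Structure* structure;
    Object* prototype;  // nullptr at the end of the chain
    Object(Structure* s, Object* p) : structure(s), prototype(p) {}
    void visitChildren(std::vector<Cell*>& out) override {
        out.push_back(structure);
        if (prototype) out.push_back(prototype);
    }
};

// Hypothetical stand-in for a cached transition: the generated stub is only
// valid while all of these referents are alive, exactly as the bug describes.
struct TransitionCache {
    Structure* oldStructure = nullptr;
    Structure* newStructure = nullptr;
    std::vector<Object*> prototypeChain;
    // The fix in spirit: let the collector see what the stub references.
    void visitReferences(std::vector<Cell*>& out) const {
        out.push_back(oldStructure);
        out.push_back(newStructure);
        for (Object* o : prototypeChain) out.push_back(o);
    }
};

struct Heap {
    std::vector<std::unique_ptr<Cell>> cells;
    std::vector<Cell*> roots;  // ordinary roots (stack, globals)

    template <typename T, typename... Args>
    T* allocate(Args&&... args) {
        auto cell = std::make_unique<T>(std::forward<Args>(args)...);
        T* raw = cell.get();
        cells.push_back(std::move(cell));
        return raw;
    }

    bool contains(const Cell* c) const {
        return std::any_of(cells.begin(), cells.end(),
            [c](const std::unique_ptr<Cell>& p) { return p.get() == c; });
    }

    // Mark from the roots (plus, optionally, the cache's references), then
    // sweep every unmarked cell. Returns how many cells were freed.
    size_t collect(const TransitionCache* cache) {
        std::vector<Cell*> work(roots);
        if (cache) cache->visitReferences(work);
        while (!work.empty()) {
            Cell* c = work.back();
            work.pop_back();
            if (!c || c->marked) continue;
            c->marked = true;
            c->visitChildren(work);
        }
        size_t before = cells.size();
        cells.erase(std::remove_if(cells.begin(), cells.end(),
            [](const std::unique_ptr<Cell>& p) { return !p->marked; }), cells.end());
        for (auto& p : cells) p->marked = false;
        return before - cells.size();
    }
};

struct Outcome {
    bool oldStructureAlive, newStructureAlive, prototypeAlive;
    size_t freed;
};

// Scenario: an object transitions old -> new structure, the JIT caches the
// transition, then the program drops its last reference to the object. After
// that only the cached stub still refers to the structures and the prototype.
Outcome runScenario(bool cacheInformsGc) {
    Heap heap;
    Structure* protoStructure = heap.allocate<Structure>();
    Object* proto = heap.allocate<Object>(protoStructure, nullptr);
    Structure* oldStructure = heap.allocate<Structure>();
    Structure* newStructure = heap.allocate<Structure>();
    Object* obj = heap.allocate<Object>(oldStructure, proto);
    heap.roots.push_back(obj);

    TransitionCache cache;
    cache.oldStructure = oldStructure;
    cache.newStructure = newStructure;
    cache.prototypeChain = {proto};
    obj->structure = newStructure;  // the transition itself

    heap.roots.clear();  // the program no longer references obj
    size_t freed = heap.collect(cacheInformsGc ? &cache : nullptr);

    // Only heap membership is checked; nothing is dereferenced after the GC.
    return {heap.contains(oldStructure), heap.contains(newStructure),
            heap.contains(proto), freed};
}
```

With `cacheInformsGc == false` every cell is swept, including the prototype's own structure that is reachable only through the prototype; the stub would then execute against freed memory, which is the class of spurious crash the report attributes to this bug. With `cacheInformsGc == true` only the unreferenced object is freed and the stub's assumptions stay valid.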
Attachments: the patch (1.52 KB, patch), 2011-07-12 14:02 PDT, Filip Pizlo, no flags
Comment 1, Filip Pizlo, 2011-07-12 14:02:16 PDT:
Created attachment 100557: the patch
Comment 2, WebKit Review Bot, 2011-07-12 14:52:05 PDT:
Comment on attachment 100557 (the patch). Clearing flags on attachment: 100557. Committed r90854: <http://trac.webkit.org/changeset/90854>
Comment 3, WebKit Review Bot, 2011-07-12 14:52:09 PDT:
All reviewed patches have been landed. Closing bug.