72313 – DFG's inline references to objects should be tracked

Bug 72313 - DFG's inline references to objects should be tracked

Summary: DFG's inline references to objects should be tracked

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:	72312
	Show dependency tree / graph

Reported:	2011-11-14 14:30 PST by Filip Pizlo
Modified:	2011-11-14 17:23 PST (History)
CC List:	0 users

See Also:

Attachments
the patch (6.96 KB, patch) 2011-11-14 14:37 PST, Filip Pizlo	fpizlo: review-	Details \| Formatted Diff \| Diff
the patch (6.47 KB, patch) 2011-11-14 16:02 PST, Filip Pizlo	barraclough: review+	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Filip Pizlo 2011-11-14 14:30:54 PST

The DFG may emit code that refers to objects in the heap.  This is only safe because those same objects would be referenced from inline caches maintained by the old JIT, which only works because the old JIT will never clear inline caches.

Comment 1 Filip Pizlo 2011-11-14 14:37:35 PST

Created attachment 115033 [details]
the patch

Comment 2 Filip Pizlo 2011-11-14 14:44:42 PST

Comment on attachment 115033 [details]
the patch

r=oliver

Comment 3 Filip Pizlo 2011-11-14 16:02:04 PST

Comment on attachment 115033 [details]
the patch

This is broken.

Comment 4 Filip Pizlo 2011-11-14 16:02:38 PST

Created attachment 115051 [details]
the patch

Comment 5 Filip Pizlo 2011-11-14 17:23:19 PST

Landed in http://trac.webkit.org/changeset/100221