Changeset 174121 in webkit

Timestamp:

Sep 30, 2014 2:02:47 PM (10 years ago)

Author:

fpizlo@apple.com

Message:

REGRESSION (r174025): Invalid cast in JSC::asString
​https://bugs.webkit.org/show_bug.cgi?id=137224

Reviewed by Geoffrey Garen.

Store barrier elision in fixup depends on checking the type of the value being stored. It's very important that
when we speak of "the value being stored" we are really referring to the right value.

The bug here was that the PutClosureVar case was assuming that child2 is the value being stored. It's actually
child3. So we were incorrectly removing all barriers from PutClosureVar.

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGFixupPhase.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2014-09-30  Filip Pizlo  <fpizlo@apple.com>
+
+        REGRESSION (r174025): Invalid cast in JSC::asString
+        https://bugs.webkit.org/show_bug.cgi?id=137224
+
+        Reviewed by Geoffrey Garen.
+        
+        Store barrier elision in fixup depends on checking the type of the value being stored. It's very important that
+        when we speak of "the value being stored" we are really referring to the right value.
+        
+        The bug here was that the PutClosureVar case was assuming that child2 is the value being stored. It's actually
+        child3. So we were incorrectly removing all barriers from PutClosureVar.
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+
 2014-09-30  Brian J. Burg  <burg@cs.washington.edu>
 

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -855 +855 @@
         case PutClosureVar: {
             fixEdge<KnownCellUse>(node->child1());
-            insertStoreBarrier(m_indexInBlock, node->child1(), node->child2());
+            insertStoreBarrier(m_indexInBlock, node->child1(), node->child3());
             break;
         }