Changeset 156003 in webkit
- Timestamp: Sep 17, 2013 2:57:25 PM
- Location: trunk/Source/JavaScriptCore
- Files: 2 edited
trunk/Source/JavaScriptCore/ChangeLog
r155995 r156003 1 2013-09-17 Mark Hahnenberg <mhahnenberg@apple.com> 2 3 DFG doesn't properly keep scope alive for op_put_to_scope 4 https://bugs.webkit.org/show_bug.cgi?id=121519 5 6 Reviewed by Michael Saboff. 7 8 This was a latent bug that can't actually occur in ToT. It was uncovered by causing slow 9 path calls in the baseline JIT for op_put_to_scope in places where we couldn't before (but 10 which were necessary for gen GC). 11 12 * dfg/DFGByteCodeParser.cpp: 13 (JSC::DFG::ByteCodeParser::parseBlock): 14 1 15 2013-09-17 Filip Pizlo <fpizlo@apple.com> 2 16 -
trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
r155729 r156003 3113 3113 Node* base = cellConstantWithStructureCheck(globalObject, status.oldStructure()); 3114 3114 handlePutByOffset(base, identifierNumber, static_cast<PropertyOffset>(operand), get(value)); 3115 // Keep scope alive until after put. 3116 addToGraph(Phantom, get(scope)); 3115 3117 break; 3116 3118 } … … 3120 3122 ASSERT(!entry.couldBeWatched() || !m_graph.watchpoints().isStillValid(entry.watchpointSet())); 3121 3123 addToGraph(PutGlobalVar, OpInfo(operand), get(value)); 3124 // Keep scope alive until after put. 3125 addToGraph(Phantom, get(scope)); 3122 3126 break; 3123 3127 }
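Review bot: The ChangeLog entry lists only dfg/DFGByteCodeParser.cpp, and the changeset edits 2 files, so no regression test accompanies the fix. The entry says the bug can't occur in ToT and was uncovered by making the baseline JIT take slow path calls for op_put_to_scope; name the change that is expected to expose it, so a test covering both put paths can land together with that change.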
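Review bot: In the first DFGByteCodeParser.cpp hunk (new lines 3115-3116), the comment "Keep scope alive until after put." says what the Phantom does but not why it is needed. In this case handlePutByOffset receives base, built from globalObject, and get(value), so the Phantom is the only visible use of get(scope) and reads like a dead node. Extend the comment to tie it to the baseline JIT slow path calls for op_put_to_scope described in the ChangeLog, so a later cleanup does not remove it.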
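Review bot: The second hunk (new lines 3124-3125) repeats the comment and addToGraph(Phantom, get(scope)) verbatim from the first case, after a PutGlobalVar that takes only get(value). Do the remaining cases of this opcode, which the diff does not show, already use scope as an operand of the put? If any does not, it needs the same Phantom. Emitting it once at a point every case reaches after its put, or through a small helper, would keep a newly added case from missing it.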