[webkit-changes] [WebKit/WebKit] 85e12f: [JSC] PolymorphicCallNode should unchain itself fi...
Yusuke Suzuki
noreply at github.com
Tue Nov 28 17:11:29 PST 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 85e12f867e913e108b00ade4cd52b30b7a4334ed
https://github.com/WebKit/WebKit/commit/85e12f867e913e108b00ade4cd52b30b7a4334ed
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-11-28 (Tue, 28 Nov 2023)
Changed paths:
A LayoutTests/js/dom/call-link-info-recursion-expected.txt
A LayoutTests/js/dom/call-link-info-recursion.html
M Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp
Log Message:
-----------
[JSC] PolymorphicCallNode should unchain itself first in unlink
https://bugs.webkit.org/show_bug.cgi?id=265475
rdar://118893186
Reviewed by Mark Lam.
PolymorphicCallNode::unlinkImpl calls m_callLinkInfo->unlink. But it is possible that this CallLinkInfo is
holding PolymorphicCallNode's owner stub and it may clear the stub. Previously, we were always deferring this stub
destruction until JITStubRoutineSet destroys it. But now, it is possible that they get deleted immediately
when the owner CodeBlock is dead. This means that after calling m_callLinkInfo->unlink, it is possible that PolymorphicCallNode |this|
is already destroyed.
This patch reorders unlink's operations in PolymorphicCallNode so that we first unlink it from the linked list.
This is OK since we are not expecting that this is in the linked list in unlink calls. So after m_callLinkInfo->unlink,
we no longer touch anything in PolymorphicCallNode.
* Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallNode::unlinkImpl):
Canonical link: https://commits.webkit.org/271246@main
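The lifetime hazard the commit describes, as an added model that is not WebKit's code: the types below are constructed stand-ins for PolymorphicCallNode, CallLinkInfo, the stub that owns the node and the list the node sits in, and "destruction" is simulated with a flag so the pre-fix ordering can be observed without real undefined behaviour. The `deferDestruction` knob mirrors the old behaviour (stub freed later by JITStubRoutineSet) versus the new one (freed immediately when the owning CodeBlock is dead); `unlinkBuggy`/`unlinkFixed` show the operation order before and after the patch.

```cpp
// Constructed model of the PolymorphicCallNode::unlinkImpl ordering issue.
// All names here are toy stand-ins, not JavaScriptCore's real types.
#include <cassert>
#include <cstddef>
#include <vector>

struct Node;
struct Stub;

// The list a node links itself into (stand-in for the node linked list).
struct NodeList {
    std::vector<Node*> nodes;
    void add(Node* n) { nodes.push_back(n); }
    void remove(Node* n);
    size_t size() const { return nodes.size(); }
};

// Records which stub a call site currently points at. unlink() drops the
// stub; whether that destroys it now or later is the behaviour change the
// commit message describes.
struct CallLinkInfo {
    Stub* stub = nullptr;
    bool deferDestruction = true;  // true: old world, stub freed later
    void unlink();
};

struct Node {
    NodeList* list;
    CallLinkInfo* callLinkInfo;
    bool alive = true;              // false once the owning stub was "destroyed"
    bool touchedAfterDeath = false; // set if code reads |this| after that point

    Node(NodeList* l, CallLinkInfo* c) : list(l), callLinkInfo(c) { list->add(this); }

    // Pre-fix ordering: calls unlink() first and then touches |this|.
    void unlinkBuggy() {
        callLinkInfo->unlink();  // may destroy the stub that owns |this|
        list->remove(this);      // reads |this| afterwards: use-after-free if it did
    }

    // Post-fix ordering: leave the list while |this| is certainly alive, then
    // call unlink() and touch nothing of |this| afterwards.
    void unlinkFixed() {
        list->remove(this);
        callLinkInfo->unlink();
    }
};

// The stub owning one or more nodes; destroying it "destroys" its nodes.
struct Stub {
    std::vector<Node*> ownedNodes;
    void destroy() { for (Node* n : ownedNodes) n->alive = false; }
};

void CallLinkInfo::unlink() {
    Stub* s = stub;
    stub = nullptr;
    if (s && !deferDestruction)
        s->destroy();  // immediate destruction: the caller's own node may die here
}

void NodeList::remove(Node* n) {
    if (!n->alive)
        n->touchedAfterDeath = true;  // the real code would be reading freed memory
    for (size_t i = 0; i < nodes.size(); ++i) {
        if (nodes[i] == n) { nodes.erase(nodes.begin() + i); return; }
    }
}

struct Outcome { bool touchedDeadNode; size_t remaining; };

// One scenario: a stub owning a single node, currently held by a CallLinkInfo.
static Outcome runScenario(bool fixedOrdering, bool deferDestruction) {
    NodeList list;
    CallLinkInfo info;
    info.deferDestruction = deferDestruction;
    Stub stub;
    Node node(&list, &info);
    stub.ownedNodes.push_back(&node);
    info.stub = &stub;
    if (fixedOrdering) node.unlinkFixed(); else node.unlinkBuggy();
    return { node.touchedAfterDeath, list.size() };
}

int main() {
    // Old world: destruction deferred, so the pre-fix ordering is harmless.
    assert(!runScenario(false, true).touchedDeadNode);
    // Immediate destruction exposes the hazard ...
    assert(runScenario(false, false).touchedDeadNode);
    // ... and the reordered unlink avoids it while still emptying the list.
    Outcome fixed = runScenario(true, false);
    assert(!fixed.touchedDeadNode && fixed.remaining == 0);
    return 0;
}
```

The general rule the model illustrates: once a member call can release the object that owns `this`, every access to `this` has to happen before that call, which is exactly the reordering the patch makes in `unlinkImpl`.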