[webkit-changes] [WebKit/WebKit] cab249: [JSC] Pass nullptr as a caller when upgrading Call...
Yusuke Suzuki
noreply at github.com
Fri Jan 26 14:35:36 PST 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: cab24982ffccb88430d3848796e930bb63a47272
https://github.com/WebKit/WebKit/commit/cab24982ffccb88430d3848796e930bb63a47272
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2024-01-26 (Fri, 26 Jan 2024)
Changed paths:
M Source/JavaScriptCore/bytecode/CallLinkInfo.cpp
M Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp
Log Message:
-----------
[JSC] Pass nullptr as a caller when upgrading CallLinkInfo
https://bugs.webkit.org/show_bug.cgi?id=268177
rdar://121270386
Reviewed by Mark Lam.
Since CodeBlock destruction can be done incrementally, the following case is possible.
1. Relinking the incoming CallLinkInfo
2. But the owner of the CallLinkInfo is already considered dead (but not destructed yet. If the destructor runs, then the CallLinkInfo is already unlinked, so no problem).
3. In that case, the Structure* of the dead CodeBlock is already collected.
4. jsDynamicCast fails.
Because we are not running the destructor of the target CodeBlock yet, it is OK to touch fields if they are not JSCells. But anyway, we do not need to pass the owner
when upgrading CallLinkInfo since noticeIncomingCall's condition does not change when upgrading / downgrading CodeBlocks. Thus, we already ran the same code
before when we initially linked the incoming CodeBlocks, so there is no need to rerun it.
In this patch, when calling linkIncomingCall from unlinkOrUpgrade, we just pass nullptr.
* Source/JavaScriptCore/bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::unlinkOrUpgradeImpl):
* Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallStubRoutine::upgradeIfPossible):
Canonical link: https://commits.webkit.org/273579@main