[Webkit-unassigned] [Bug 64387] New: DFG JIT put_by_id transition caching does not inform the GC about the structure and prototype chain that it is referencing

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 12 13:46:27 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=64387

           Summary: DFG JIT put_by_id transition caching does not inform
                    the GC about the structure and prototype chain that it
                    is referencing
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: fpizlo at apple.com


The DFG JIT, like the old JIT, may perform put_by_id transition caching.  In a transition cache, code is emitted that changes the structure of an object, so long as the object has a specific previous structure, and it has a specific prototype chain.  The code contains immediates referencing the old structure, the new structure, and the prototype chain.  Hence, the code is only correct if the GC keeps all of these objects (structures and prototypes) alive.  To do so, the DFG JIT must inform the GC that it has pinned those objects.  Currently, the DFG JIT does not do this, which results in spurious crashes on websites like gmail.com.
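
The failure mode described above, modelled as an added example that is not JavaScriptCore code: a toy mark-sweep heap in which a transition cache holds raw pointers to Structure objects, the way a put_by_id transition stub embeds them as immediates in generated code. Every name here (Structure, Heap, TransitionCache, Outcome, simulate) is an assumption made for the example, and the `reportsToGC` flag stands in for whatever mechanism lets the JIT tell the collector which structures and prototypes it has pinned.

```cpp
// Added example, not JavaScriptCore code. Names (Structure, Heap, TransitionCache,
// Outcome, simulate) are assumptions made for this illustration.
#include <cstddef>
#include <cstdio>
#include <initializer_list>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Structure {
    std::string name;
    Structure* prototypeStructure;  // structure of this object's prototype, if any
    bool marked = false;
    bool freed = false;  // set by the sweep instead of releasing memory (see Heap::collect)
    Structure(std::string n, Structure* p) : name(std::move(n)), prototypeStructure(p) {}
};

// Models the immediates a put_by_id transition stub bakes into code: the structure
// the object must currently have, the structure it is switched to, and the
// prototype-chain structures the stub validated when it was generated.
struct TransitionCache {
    Structure* oldStructure = nullptr;
    Structure* newStructure = nullptr;
    std::vector<Structure*> prototypeChain;
    bool reportsToGC = false;  // true: the cache marks its references during collection
};

class Heap {
public:
    Structure* allocate(const std::string& name, Structure* proto = nullptr) {
        objects_.push_back(std::unique_ptr<Structure>(new Structure(name, proto)));
        return objects_.back().get();
    }
    void addRoot(Structure* s) { roots_.push_back(s); }
    void registerCache(TransitionCache* c) { caches_.push_back(c); }

    // Mark from the roots, then from every cache that opted in, then sweep.
    // Returns how many structures were freed by this collection.
    std::size_t collect() {
        for (auto& o : objects_) o->marked = false;
        for (Structure* r : roots_) mark(r);
        for (TransitionCache* c : caches_) {
            if (!c->reportsToGC) continue;  // the bug: the GC never hears about these
            mark(c->oldStructure);
            mark(c->newStructure);
            for (Structure* p : c->prototypeChain) mark(p);
        }
        // Sweep. Freed structures are only flagged, not returned to the allocator,
        // so that inspecting a dangling cache pointer afterwards stays well-defined.
        std::size_t freed = 0;
        for (auto& o : objects_) {
            if (!o->marked && !o->freed) { o->freed = true; ++freed; }
        }
        return freed;
    }

    static bool isLive(const Structure* s) { return s && !s->freed; }

private:
    // Marking a structure keeps its whole prototype chain alive, as a real
    // collector would when it traces an object's prototype pointer.
    void mark(Structure* s) {
        for (; s && !s->marked; s = s->prototypeStructure) s->marked = true;
    }
    std::vector<std::unique_ptr<Structure>> objects_;
    std::vector<Structure*> roots_;
    std::vector<TransitionCache*> caches_;
};

struct Outcome {
    std::size_t freed;     // structures the collector freed
    std::size_t dangling;  // cache immediates that now refer to freed structures
};

// Scenario: an object with structure {} and prototype chain proto -> Object.prototype
// runs `o.x = 1`, transitioning to structure {x}; the stub caches all of that.
// Afterwards only the object's current structure is reachable from the program.
Outcome simulate(bool cacheReportsToGC) {
    Heap heap;
    Structure* objectProto = heap.allocate("Object.prototype");
    Structure* proto       = heap.allocate("proto", objectProto);
    Structure* s0          = heap.allocate("{}", proto);
    Structure* s1          = heap.allocate("{x}", proto);
    heap.allocate("unrelated");  // garbage that any correct collection must free

    TransitionCache cache;
    cache.oldStructure = s0;
    cache.newStructure = s1;
    cache.prototypeChain = {proto, objectProto};
    cache.reportsToGC = cacheReportsToGC;
    heap.registerCache(&cache);

    heap.addRoot(s1);  // the live object now has structure {x}; nothing else holds s0

    Outcome out{heap.collect(), 0};
    // A real stub would compare the object's structure against s0's address on its
    // next execution; if s0 was freed, that compare reads or reuses dead memory.
    for (Structure* s : {cache.oldStructure, cache.newStructure})
        if (!Heap::isLive(s)) ++out.dangling;
    for (Structure* p : cache.prototypeChain)
        if (!Heap::isLive(p)) ++out.dangling;
    return out;
}

int main() {
    Outcome buggy = simulate(false);
    Outcome fixed = simulate(true);
    std::printf("cache silent:   freed=%zu dangling=%zu\n", buggy.freed, buggy.dangling);
    std::printf("cache reports:  freed=%zu dangling=%zu\n", fixed.freed, fixed.dangling);
    return 0;
}
```

With the cache silent, the collector frees the old structure `{}` (nothing in the program references it any more) along with the unrelated garbage, leaving one dangling immediate in the stub; with the cache reporting its references, only the unrelated garbage is freed and every immediate stays valid. The prototype-chain structures survive in both runs here only because the live object's current structure still reaches them; a chain the program has since replaced would dangle the same way `{}` does.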
