[Webkit-unassigned] [Bug 68965] WebKit crashes in JSC when ENABLE_JIT is 0

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Oct 6 00:10:18 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=68965
--- Comment #1 from eric.hennigan at gmail.com  2011-10-06 00:10:18 PST ---
I investigated the issue further.

The interpreter is performing an op_put_by_id

if (direct) {
    baseValue.putDirect(callFrame, ident, callFrame->r(value).jsValue(), slot);
    ASSERT(slot.base() == baseValue);
} else

It appears that JSObject::putDirectInternal actually performs the put, but does not update the slot.base() because a specificFunction was available and

    // This is a new property; transitions with specific values are not currently cachable,
    // so leave the slot in an uncachable state.
    if (!specificFunction) {
        slot.setNewProperty(this, offset);
    }

I'm not too familiar with JSC, so my best conjecture is that a new method, setUncachedProperty(...), should be added to the slot, so that the base and offset can be updated appropriately.

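A simplified model of the slot state the comment describes, added here as an illustration and not taken from WebKit's source: ModelObject, ModelSlot, modelPutDirect and the `patched` flag are hypothetical stand-ins for JSObject, PutPropertySlot and the new-property tail of putDirectInternal, and setUncachedProperty is the proposed method, modelled as recording base and offset while leaving the slot uncachable.

```cpp
#include <cstddef>

// Hypothetical stand-ins for JSC's JSObject and PutPropertySlot; names and
// fields are simplified for illustration and are not WebKit's declarations.
struct ModelObject {
    size_t propertyCount = 0;
};

struct ModelSlot {
    enum Type { Uncachable, ExistingProperty, NewProperty };
    Type type = Uncachable;
    ModelObject* base = nullptr;  // object the store landed on; nullptr = never set
    size_t offset = 0;

    bool isCacheable() const { return type != Uncachable; }
    void setNewProperty(ModelObject* b, size_t off) { type = NewProperty; base = b; offset = off; }
    // The method the comment proposes: record where the put went without
    // marking the transition as cacheable.
    void setUncachedProperty(ModelObject* b, size_t off) { type = Uncachable; base = b; offset = off; }
};

// Models the new-property tail of putDirectInternal. The put itself always
// happens; whether the slot learns about it depends on the specific-function case.
void modelPutDirect(ModelObject& obj, bool hasSpecificFunction, bool patched, ModelSlot& slot) {
    size_t offset = obj.propertyCount++;
    if (!hasSpecificFunction) {
        slot.setNewProperty(&obj, offset);
    } else if (patched) {
        slot.setUncachedProperty(&obj, offset);
    }
    // Unpatched specific-function case: slot untouched, base stays nullptr.
}

// Returns whether ASSERT(slot.base() == baseValue) in op_put_by_id would hold.
bool putByIdAssertHolds(bool hasSpecificFunction, bool patched) {
    ModelObject obj;
    ModelSlot slot;  // fresh slot, as constructed by the interpreter
    modelPutDirect(obj, hasSpecificFunction, patched, slot);
    return slot.base == &obj;
}

// Returns whether the slot ends up cacheable; specific-function transitions must not be.
bool slotCacheableAfterPut(bool hasSpecificFunction, bool patched) {
    ModelObject obj;
    ModelSlot slot;
    modelPutDirect(obj, hasSpecificFunction, patched, slot);
    return slot.isCacheable();
}
```

The unpatched specific-function case is the one where the interpreter's assertion fails even though the property was stored; the patched case keeps the transition uncachable while still recording the base.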