[Webkit-unassigned] [Bug 144176] New: Function allocation sinking works for wrong reasons

Fri Apr 24 17:42:52 PDT 2015

https://bugs.webkit.org/show_bug.cgi?id=144176

            Bug ID: 144176
           Summary: Function allocation sinking works for wrong reasons
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: basile_clement at apple.com

It is by design that we don't support sinking of function allocation through any related operations.
Object allocation, however, does sink through field assignment (PutByOffset etc.), so we have a check that is supposed to prevent function allocations from sinking through these.

However that check is misguided and (a) do not prevent function allocation sinking through field assignment and (b) ensures that if a function allocation ever sinks through a PutByOffset, very bad things happen instead.
Fortunately, PutByOffset (and their relatives) require first allocating a custom structure for the JSFunction object, thus the PutByOffset will always be preceded by an AllocatePropertyStorage through which no allocation can sink, and materialization would always be triggered before the PutByOffset - so this works by chance.

Anyway, this should be done the proper way, and I will submit a patch soon to prevent properly have checks preventing function allocation sinking through PutByOffset et al.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150425/bcf5881c/attachment.html>