[SCM] WebKit Debian packaging branch, debian/experimental, updated. debian/1.1.14-1-406-ga33802f
Gustavo Noronha Silva
kov at debian.org
Tue Sep 22 00:28:49 UTC 2009
The following commit has been merged in the debian/experimental branch:
commit b9d6d47dc639bfc8fb25497e2b69717e0ebfab7b
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Sep 21 18:59:56 2009 +0000
REGRESSION (r48582): Crash in StructureStubInfo::initPutByIdTransition when reloading trac.webkit.org
https://bugs.webkit.org/show_bug.cgi?id=29599
Reviewed by Geoff Garen
It is unsafe to attempt to cache new property transitions on
dictionaries of any type.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@48590 268f45cc-cd09-0410-ab3c-d52691b4dbfc
filter-origin: ad72fbf795bde017168386e946bdf6146d13c42d
diff --git a/JavaScriptCore/interpreter/Interpreter.cpp b/JavaScriptCore/interpreter/Interpreter.cpp
index 624832c..8a8fb3c 100644
--- a/JavaScriptCore/interpreter/Interpreter.cpp
+++ b/JavaScriptCore/interpreter/Interpreter.cpp
@@ -988,6 +988,10 @@ NEVER_INLINE void Interpreter::tryCachePutByID(CallFrame* callFrame, CodeBlock*
// Structure transition, cache transition info
if (slot.type() == PutPropertySlot::NewProperty) {
+ if (structure->isDictionary()) {
+ vPC[0] = getOpcode(op_put_by_id_generic);
+ return;
+ }
vPC[0] = getOpcode(op_put_by_id_transition);
vPC[4] = structure->previousID();
vPC[5] = structure;
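Review bot: the new structure->isDictionary() early return at the top of the NewProperty branch carries no comment explaining why a dictionary structure must fall back to op_put_by_id_generic; the reason is recorded only in the commit message. A one-line comment above the check, saying that new property transitions on dictionaries of any type are unsafe to cache and pointing at bug 29599, would keep a later cleanup from dropping it. The patch as shown touches only Interpreter.cpp and JITStubs.cpp, so a regression test that puts a new property on a dictionary object would be worth adding with it.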
diff --git a/JavaScriptCore/jit/JITStubs.cpp b/JavaScriptCore/jit/JITStubs.cpp
index f197526..055a536 100644
--- a/JavaScriptCore/jit/JITStubs.cpp
+++ b/JavaScriptCore/jit/JITStubs.cpp
@@ -695,7 +695,7 @@ NEVER_INLINE void JITThunks::tryCachePutByID(CallFrame* callFrame, CodeBlock* co
// Structure transition, cache transition info
if (slot.type() == PutPropertySlot::NewProperty) {
StructureChain* prototypeChain = structure->prototypeChain(callFrame);
- if (!prototypeChain->isCacheable()) {
+ if (!prototypeChain->isCacheable() || structure->isDictionary()) {
ctiPatchCallByReturnAddress(codeBlock, returnAddress, FunctionPtr(cti_op_put_by_id_generic));
return;
}
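Review bot: in the NewProperty branch, structure->prototypeChain(callFrame) is still called before structure->isDictionary() is tested, so the chain is fetched for a structure that will never be cached. Testing isDictionary() first and bailing out to cti_op_put_by_id_generic ahead of the prototypeChain call would match the Interpreter.cpp hunk, where the dictionary check comes before any other work in the branch, and would keep the two tryCachePutByID paths easy to compare.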
--
WebKit Debian packaging