Merge r185084 - Crash in com.apple.WebKit.WebContent at com.apple.Jav…

…aScriptCore: JSC::revertCall + 24 https://bugs.webkit.org/show_bug.cgi?id=145527 Reviewed by Filip Pizlo. If a CallLinkInfo is GC'ed, we need to notify any PolymorphicCallNode's that reference it. Added plumbling to clear the m_callLinkInfo of a PolymorphicCallNode when that CallLinkInfo is going away. * bytecode/CallLinkInfo.h: (JSC::CallLinkInfo::~CallLinkInfo): * jit/PolymorphicCallStubRoutine.cpp: (JSC::PolymorphicCallNode::unlink): (JSC::PolymorphicCallNode::clearCallLinkInfo): (JSC::PolymorphicCallCase::dump): (JSC::PolymorphicCallStubRoutine::edges): (JSC::PolymorphicCallStubRoutine::clearCallNodesFor): (JSC::PolymorphicCallStubRoutine::visitWeak): * jit/PolymorphicCallStubRoutine.h: (JSC::PolymorphicCallNode::hasCallLinkInfo):
WebKit · Jul 6, 2015 · b83de36 · b83de36
1 parent 80d327a
commit b83de36
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 5 deletions.
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,26 @@
+2015-06-01  Michael Saboff  <msaboff@apple.com>
+
+        Crash in com.apple.WebKit.WebContent at com.apple.JavaScriptCore: JSC::revertCall + 24
+        https://bugs.webkit.org/show_bug.cgi?id=145527
+
+        Reviewed by Filip Pizlo.
+
+        If a CallLinkInfo is GC'ed, we need to notify any PolymorphicCallNode's that reference it.
+        Added plumbling to clear the m_callLinkInfo of a PolymorphicCallNode when that CallLinkInfo
+        is going away.
+
+        * bytecode/CallLinkInfo.h:
+        (JSC::CallLinkInfo::~CallLinkInfo):
+        * jit/PolymorphicCallStubRoutine.cpp:
+        (JSC::PolymorphicCallNode::unlink):
+        (JSC::PolymorphicCallNode::clearCallLinkInfo):
+        (JSC::PolymorphicCallCase::dump):
+        (JSC::PolymorphicCallStubRoutine::edges):
+        (JSC::PolymorphicCallStubRoutine::clearCallNodesFor):
+        (JSC::PolymorphicCallStubRoutine::visitWeak):
+        * jit/PolymorphicCallStubRoutine.h:
+        (JSC::PolymorphicCallNode::hasCallLinkInfo):
+
 2015-05-19  Mark Lam  <mark.lam@apple.com>
 
         Fix the build of a universal binary with ARMv7k of JavaScriptCore.

diff --git a/Source/JavaScriptCore/bytecode/CallLinkInfo.h b/Source/JavaScriptCore/bytecode/CallLinkInfo.h
@@ -67,6 +67,9 @@ struct CallLinkInfo : public BasicRawSentinelNode<CallLinkInfo> {
 
     ~CallLinkInfo()
     {
+        if (stub)
+            stub->clearCallNodesFor(this);
+
         if (isOnList())
             remove();
     }

diff --git a/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp b/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp
@@ -43,15 +43,25 @@ PolymorphicCallNode::~PolymorphicCallNode()
 
 void PolymorphicCallNode::unlink(RepatchBuffer& repatchBuffer)
 {
-    if (Options::showDisassembly())
-        dataLog("Unlinking polymorphic call at ", m_callLinkInfo->callReturnLocation, ", ", m_callLinkInfo->codeOrigin, "\n");
-
-    m_callLinkInfo->unlink(repatchBuffer);
-
+    if (m_callLinkInfo) {
+        if (Options::showDisassembly())
+            dataLog("Unlinking polymorphic call at ", m_callLinkInfo->callReturnLocation, ", ", m_callLinkInfo->codeOrigin, "\n");
+
+        m_callLinkInfo->unlink(repatchBuffer);
+    }
+
     if (isOnList())
         remove();
 }
 
+void PolymorphicCallNode::clearCallLinkInfo()
+{
+    if (Options::showDisassembly())
+        dataLog("Clearing call link info for polymorphic call at ", m_callLinkInfo->callReturnLocation, ", ", m_callLinkInfo->codeOrigin, "\n");
+
+    m_callLinkInfo = nullptr;
+}
+
 void PolymorphicCallCase::dump(PrintStream& out) const
 {
     out.print("<variant = ", m_variant, ", codeBlock = ", pointerDump(m_codeBlock), ">");
@@ -97,6 +107,16 @@ CallEdgeList PolymorphicCallStubRoutine::edges() const
     return result;
 }
 
+void PolymorphicCallStubRoutine::clearCallNodesFor(CallLinkInfo* info)
+{
+    for (Bag<PolymorphicCallNode>::iterator iter = m_callNodes.begin(); !!iter; ++iter) {
+        PolymorphicCallNode& node = **iter;
+        // All nodes should point to info, but okay to be a little paranoid.
+        if (node.hasCallLinkInfo(info))
+            node.clearCallLinkInfo();
+    }
+}
+
 bool PolymorphicCallStubRoutine::visitWeak(RepatchBuffer&)
 {
     for (auto& variant : m_variants) {

diff --git a/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.h b/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.h
@@ -51,6 +51,9 @@ class PolymorphicCallNode : public BasicRawSentinelNode<PolymorphicCallNode> {
     ~PolymorphicCallNode();
 
     void unlink(RepatchBuffer&);
+
+    bool hasCallLinkInfo(CallLinkInfo* info) { return m_callLinkInfo == info; }
+    void clearCallLinkInfo();
 
 private:
     CallLinkInfo* m_callLinkInfo;
@@ -90,6 +93,8 @@ class PolymorphicCallStubRoutine : public GCAwareJITStubRoutine {
 
     CallVariantList variants() const;
     CallEdgeList edges() const;
+
+    void clearCallNodesFor(CallLinkInfo*);
 
     bool visitWeak(RepatchBuffer&) override;