[JSC] Pass nullptr as a caller when upgrading CallLinkInfo

https://bugs.webkit.org/show_bug.cgi?id=268177 rdar://121270386 Reviewed by Mark Lam. Since CodeBlock destruction can be incrementally done, it is possible the following case. 1. Relinking the incoming CallLinkInfo 2. But owner of CallLinkInfo is already considered dead (but not destructed yet. If the destructor runs, then CallLinkInfo is already unlinked, so no problem). 3. In that case, Structure* of the dead CodeBlock is already collected. 4. jsDynamicCast fails. Because we are not running the destructor of the target CodeBlock yet, it is OK to touch fields if they are not JSCells. But anyway, we do not need to pass owner when upgrading CallLinkInfo since noticeIncomingCall's condition does not change when upgrading / downgrading CodeBlocks. Thus, we already ran the same code before when we initially link incoming CodeBlocks, so no need to rerun this again. In this patch, when calling linkIncomingCall from unlinkOrUpgrade, we just pass nullptr. * Source/JavaScriptCore/bytecode/CallLinkInfo.cpp: (JSC::CallLinkInfo::unlinkOrUpgradeImpl): * Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp: (JSC::PolymorphicCallStubRoutine::upgradeIfPossible): Canonical link: https://commits.webkit.org/273579@main
WebKit · Jan 26, 2024 · cab2498 · cab2498
1 parent 9ae7166
commit cab2498
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp b/Source/JavaScriptCore/bytecode/CallLinkInfo.cpp
@@ -104,7 +104,7 @@ void CallLinkInfo::unlinkOrUpgradeImpl(VM& vm, CodeBlock* oldCodeBlock, CodeBloc
             auto target = newCodeBlock->jitCode()->addressForCall(arityCheck);
             u.dataIC.m_codeBlock = newCodeBlock;
             u.dataIC.m_monomorphicCallDestination = target;
-            newCodeBlock->linkIncomingCall(owner(), this); // This is just relinking. So owner and caller frame can be nullptr.
+            newCodeBlock->linkIncomingCall(nullptr, this); // This is just relinking. So owner and caller frame can be nullptr.
             return;
         }
         dataLogLnIf(Options::dumpDisassembly(), "Unlinking CallLinkInfo: ", RawPointer(this));

diff --git a/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp b/Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp
@@ -119,7 +119,7 @@ bool PolymorphicCallStubRoutine::upgradeIfPossible(VM&, CodeBlock* oldCodeBlock,
     auto target = newCodeBlock->jitCode()->addressForCall(slot.m_arityCheckMode);
     slot.m_codeBlock = newCodeBlock;
     slot.m_target = target;
-    newCodeBlock->linkIncomingCall(m_callLinkInfo->owner(), &callNode); // This is just relinking. So owner and caller frame can be nullptr.
+    newCodeBlock->linkIncomingCall(nullptr, &callNode); // This is just relinking. So owner and caller frame can be nullptr.
     return true;
 }