Commit
[JSC] Pass nullptr as a caller when upgrading CallLinkInfo
https://bugs.webkit.org/show_bug.cgi?id=268177
rdar://121270386

Reviewed by Mark Lam.

Since CodeBlock destruction can be done incrementally, the following case is possible:

1. We are relinking the incoming CallLinkInfo.
2. But the owner of the CallLinkInfo is already considered dead (though not destructed yet; if the destructor had run, the CallLinkInfo would already be unlinked, so there would be no problem).
3. In that case, the Structure* of the dead CodeBlock is already collected.
4. jsDynamicCast fails.

Because we are not running the destructor of the target CodeBlock yet, it is OK to touch its fields as long as they are not JSCells. But anyway, we do not need to pass the owner when upgrading a CallLinkInfo, since noticeIncomingCall's condition does not change when upgrading / downgrading CodeBlocks. Thus, we already ran the same code when we initially linked the incoming CodeBlocks, so there is no need to rerun it.

In this patch, when calling linkIncomingCall from unlinkOrUpgrade, we just pass nullptr.

* Source/JavaScriptCore/bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::unlinkOrUpgradeImpl):
* Source/JavaScriptCore/jit/PolymorphicCallStubRoutine.cpp:
(JSC::PolymorphicCallStubRoutine::upgradeIfPossible):

Canonical link: https://commits.webkit.org/273579@main