
GetIndexedPropertyStorage can GC.

https://bugs.webkit.org/show_bug.cgi?id=190625
<rdar://problem/45309366>

Reviewed by Saam Barati.

This is because if the ArrayMode type is String, the DFG and FTL will be emitting
a call to operationResolveRope, and operationResolveRope can GC.  This patch
updates doesGC() to reflect this.

* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@237215 268f45cc-cd09-0410-ab3c-d52691b4dbfc
mark.lam@apple.com committed Oct 17, 2018
1 parent 3998cf2 commit 1f1683cea15c2af14710b4b73f89b55004618295
Showing with 20 additions and 1 deletion.
  1. +15 −0 Source/JavaScriptCore/ChangeLog
  2. +5 −1 Source/JavaScriptCore/dfg/DFGDoesGC.cpp
@@ -1,3 +1,18 @@
2018-10-16 Mark Lam <mark.lam@apple.com>

GetIndexedPropertyStorage can GC.
https://bugs.webkit.org/show_bug.cgi?id=190625
<rdar://problem/45309366>

Reviewed by Saam Barati.

This is because if the ArrayMode type is String, the DFG and FTL will be emitting
a call to operationResolveRope, and operationResolveRope can GC. This patch
updates doesGC() to reflect this.

* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):

2018-10-16 Fujii Hironori <Hironori.Fujii@sony.com>

Unreviewed, rolling out r237188, r237189, and r237197.
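
Review bot: The new ChangeLog entry lists only dfg/DFGDoesGC.cpp, and the commit's file list has no test file, so nothing exercises GetIndexedPropertyStorage with a String ArrayMode after this change. Either add a regression test that reaches operationResolveRope through this node, or add a line to the entry saying why no test is included.
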
@@ -250,7 +250,6 @@ bool doesGC(Graph& graph, Node* node)
case GetSetter:
case GetByVal:
case GetByValWithThis:
case GetIndexedPropertyStorage:
case GetArrayLength:
case GetVectorLength:
case ArrayPush:
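
Review bot: Only GetIndexedPropertyStorage is taken out of this group, while the neighbouring cases that stay here (GetByVal, GetByValWithThis, GetArrayLength, GetVectorLength) are still answered without consulting node->arrayMode(). The ChangeLog gives the String mode's call to operationResolveRope as the reason for this one node; please record there whether the neighbours were checked for the same call, so the next reader does not have to redo that audit.
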
@@ -377,6 +376,11 @@ bool doesGC(Graph& graph, Node* node)
case MapSet:
return true;

case GetIndexedPropertyStorage:
if (node->arrayMode().type() == Array::String)
return true;
return false;

case MapHash:
switch (node->child1().useKind()) {
case BooleanUse:
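
Review bot: The added GetIndexedPropertyStorage case carries no comment explaining why Array::String is the one mode that returns true. The reason lives only in the ChangeLog (for String the DFG and FTL emit a call to operationResolveRope, which can GC); a one-line comment above the `if` would keep that next to the code. As a style point, the body could be the single statement `return node->arrayMode().type() == Array::String;`.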
