Unreviewed, rolling back in r190450
authorggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 2 Oct 2015 21:16:20 +0000 (21:16 +0000)
committerggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 2 Oct 2015 21:16:20 +0000 (21:16 +0000)
commit038d83d45065a399144546ac11715e1af5003ee6
tree6f27cbc9d61ce34353b9a82d388c5728123b6a9f
parent3b169870ecf8a1be1eb1cb26e06b7a32fc678123
Unreviewed, rolling back in r190450
https://bugs.webkit.org/show_bug.cgi?id=149727

The cause of the crash was a CodeBlock, after surviving a call to
deleteAllCode by virtue of being in the remembered set, trying to mark
its inlined CodeBlocks via pointers from its inlined executables.
Since deleteAllCode clears those pointers, the CodeBlock would ASSERT.
(Any other choice to retain a CodeBlock after deleteAllCode -- for
example, conservative marking -- could trigger the same bug.)

The fix is for InlineCallFrame to point directly to its inlined CodeBlock
instead of pointing indirectly via an executable. This guarantees that
CodeBlocks are GC safe regardless of whether we've called deleteAllCode.

Restored changesets:

"CodeBlock should be a GC object"
https://bugs.webkit.org/show_bug.cgi?id=149727
http://trac.webkit.org/changeset/190450

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@190522 268f45cc-cd09-0410-ab3c-d52691b4dbfc
56 files changed:
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/CodeBlock.cpp
Source/JavaScriptCore/bytecode/CodeBlock.h
Source/JavaScriptCore/bytecode/CodeOrigin.cpp
Source/JavaScriptCore/bytecode/CodeOrigin.h
Source/JavaScriptCore/bytecode/DeferredCompilationCallback.cpp
Source/JavaScriptCore/bytecode/DeferredCompilationCallback.h
Source/JavaScriptCore/bytecode/EvalCodeCache.h
Source/JavaScriptCore/bytecode/InlineCallFrame.cpp
Source/JavaScriptCore/bytecode/InlineCallFrame.h
Source/JavaScriptCore/bytecode/PolymorphicAccess.cpp
Source/JavaScriptCore/bytecode/StructureStubInfo.cpp
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/dfg/DFGCommonData.cpp
Source/JavaScriptCore/dfg/DFGDesiredTransitions.cpp
Source/JavaScriptCore/dfg/DFGDesiredTransitions.h
Source/JavaScriptCore/dfg/DFGDesiredWeakReferences.cpp
Source/JavaScriptCore/dfg/DFGDriver.cpp
Source/JavaScriptCore/dfg/DFGGraph.cpp
Source/JavaScriptCore/dfg/DFGGraph.h
Source/JavaScriptCore/dfg/DFGJITCode.h
Source/JavaScriptCore/dfg/DFGJITFinalizer.cpp
Source/JavaScriptCore/dfg/DFGOSRExitCompilerCommon.cpp
Source/JavaScriptCore/dfg/DFGOSRExitPreparation.cpp
Source/JavaScriptCore/dfg/DFGOperations.cpp
Source/JavaScriptCore/dfg/DFGPlan.cpp
Source/JavaScriptCore/dfg/DFGPlan.h
Source/JavaScriptCore/dfg/DFGToFTLDeferredCompilationCallback.cpp
Source/JavaScriptCore/dfg/DFGToFTLDeferredCompilationCallback.h
Source/JavaScriptCore/dfg/DFGToFTLForOSREntryDeferredCompilationCallback.cpp
Source/JavaScriptCore/dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h
Source/JavaScriptCore/dfg/DFGWorklist.cpp
Source/JavaScriptCore/dfg/DFGWorklist.h
Source/JavaScriptCore/ftl/FTLJITFinalizer.cpp
Source/JavaScriptCore/heap/CodeBlockSet.cpp
Source/JavaScriptCore/heap/CodeBlockSet.h
Source/JavaScriptCore/heap/Heap.cpp
Source/JavaScriptCore/interpreter/Interpreter.cpp
Source/JavaScriptCore/interpreter/StackVisitor.cpp
Source/JavaScriptCore/jit/AssemblyHelpers.cpp
Source/JavaScriptCore/jit/AssemblyHelpers.h
Source/JavaScriptCore/jit/GCAwareJITStubRoutine.h
Source/JavaScriptCore/jit/JITCode.h
Source/JavaScriptCore/jit/JITOpcodes.cpp
Source/JavaScriptCore/jit/JITOperations.cpp
Source/JavaScriptCore/jit/JITToDFGDeferredCompilationCallback.cpp
Source/JavaScriptCore/jit/JITToDFGDeferredCompilationCallback.h
Source/JavaScriptCore/jit/Repatch.cpp
Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
Source/JavaScriptCore/profiler/ProfilerOriginStack.cpp
Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
Source/JavaScriptCore/runtime/CommonSlowPaths.h
Source/JavaScriptCore/runtime/Executable.cpp
Source/JavaScriptCore/runtime/Executable.h
Source/JavaScriptCore/runtime/VM.cpp
Source/JavaScriptCore/runtime/VM.h