[JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
author ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 7 Apr 2019 19:25:59 +0000 (19:25 +0000)
committer ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 7 Apr 2019 19:25:59 +0000 (19:25 +0000)
commit a5d001c46e100237ba49b6d03e3faf7c06198c4f
tree 46f8c610bc65bf947074047910a78243c2542cce
parent 4eee394fe4ff876cb665370bde49d99643aa5037
[JSC] CallLinkInfo should clear Callee or CodeBlock even if it is unlinked by jettison
https://bugs.webkit.org/show_bug.cgi?id=196683

Reviewed by Saam Barati.

JSTests:

* stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js: Added.
(foo):

Source/JavaScriptCore:

In r243626, we stop repatching CallLinkInfo when the CallLinkInfo is held by jettisoned CodeBlock.
But we still need to clear the Callee or CodeBlock since they are now dead. Otherwise, CodeBlock's
visitWeak eventually accesses these dead cells and crashes because the owner CodeBlock of CallLinkInfo
can still be live.

We also move all repatching operations from CallLinkInfo.cpp to Repatch.cpp for consistency because the
other repatching operations in CallLinkInfo are implemented in Repatch.cpp side.

* bytecode/CallLinkInfo.cpp:
(JSC::CallLinkInfo::setCallee):
(JSC::CallLinkInfo::clearCallee):
* jit/Repatch.cpp:
(JSC::linkFor):
(JSC::revertCall):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243966 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/clear-callee-or-codeblock-in-calllinkinfo-even-cleared-by-jettison.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/CallLinkInfo.cpp
Source/JavaScriptCore/jit/Repatch.cpp
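The failure mode the commit message describes, as an added, constructed C++ model that is not JavaScriptCore code: a call-site link holds a weak reference to a callee cell, the owner is jettisoned but remains alive, and a later weak visit walks the link. The names `CallLinkInfo`, `visitWeak`, `unlinkSkippingAll` and `unlinkClearingCallee`, the liveness registry, and the `Cell` type are all assumptions made for this illustration; the real engine tracks liveness through its garbage collector, not a global set.

```cpp
#include <set>
#include <string>
#include <utility>
#include <cstdio>

// Constructed model: a registry of live heap cells stands in for the GC's
// notion of liveness. Lookups compare pointer values only, never dereference.
struct Cell;
static std::set<const Cell*> g_liveCells;

struct Cell {
    std::string name;
    explicit Cell(std::string n) : name(std::move(n)) { g_liveCells.insert(this); }
    ~Cell() { g_liveCells.erase(this); }
};

static bool isLive(const Cell* c) { return g_liveCells.count(c) != 0; }

// Model of a call-site link: a weak reference to the callee plus a flag
// recording whether the owning CodeBlock has been jettisoned (hypothetical names).
struct CallLinkInfo {
    Cell* callee = nullptr;
    bool ownerJettisoned = false;

    // Problematic unlink: once the owner is jettisoned, the whole unlink path is
    // skipped, so the weak reference is never cleared either.
    void unlinkSkippingAll() {
        if (ownerJettisoned)
            return;              // no repatch, and no clearing of the reference
        // (a real unlink would also repatch the machine-code call site here)
        callee = nullptr;
    }

    // Fixed unlink: only the machine-code repatch is skipped for a jettisoned
    // owner; the weak reference is always cleared.
    void unlinkClearingCallee() {
        if (!ownerJettisoned) {
            // repatch the call site here
        }
        callee = nullptr;
    }

    // Model of the owner's weak visit: returns true when the visit is safe,
    // false when it would touch a cell that is no longer live.
    bool visitWeak() const {
        if (!callee)
            return true;         // cleared link, nothing to inspect
        return isLive(callee);   // dangling reference to a dead cell -> unsafe
    }
};

// Runs the scenario from the commit message: link a callee, jettison the owner
// (which stays alive), unlink, let the callee die, then visit weakly.
static bool scenario(bool useFixedUnlink) {
    CallLinkInfo info;
    Cell* callee = new Cell("callee");
    info.callee = callee;
    info.ownerJettisoned = true;
    if (useFixedUnlink)
        info.unlinkClearingCallee();
    else
        info.unlinkSkippingAll();
    delete callee;               // the callee cell is now dead
    return info.visitWeak();     // owner is still live and still visits its links
}

int main() {
    std::printf("skip-everything unlink: visitWeak safe = %d\n", scenario(false));
    std::printf("clear-callee unlink:    visitWeak safe = %d\n", scenario(true));
    return 0;
}
```

The point the model makes is that "do not repatch a jettisoned CodeBlock" and "do not clear the reference" are separate decisions: skipping the repatch is fine, but the reference held by the still-live owner must be cleared regardless, because the owner's weak visit will walk it later.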