[JSC] JSCell_freeListNext and JSCell_structureID are considered not overlapping
author    commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 3 Mar 2016 05:29:16 +0000 (05:29 +0000)
committer commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Thu, 3 Mar 2016 05:29:16 +0000 (05:29 +0000)
commit    cd6fdd685dc73066f8c0b46262de45e4244107cd
tree      e41dcef27c2ecfc88eb257572d1747b8c4a3ba18
parent    2bd7a6a53828509b31d2bf2683ef0a49d9b04702
[JSC] JSCell_freeListNext and JSCell_structureID are considered not overlapping
https://bugs.webkit.org/show_bug.cgi?id=154947

Patch by Benjamin Poulain <bpoulain@apple.com> on 2016-03-02
Reviewed by Filip Pizlo.

This bug was discovered while testing https://bugs.webkit.org/show_bug.cgi?id=154894.

The problem was that JSCell_freeListNext and JSCell_structureID were
considered disjoint. When reordering instructions, the scheduler
could move the write of the StructureID first to reduce dependencies.
This would erase half of JSCell_freeListNext before we get a chance
to load the value.

This patch changes the hierarchy to make sure nothing is written
until JSCell_freeListNext is processed.

All credit for this patch goes to Filip.

* ftl/FTLAbstractHeapRepository.cpp:
(JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
* ftl/FTLAbstractHeapRepository.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@197491 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.cpp
Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h
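The hazard the commit message describes, as an added illustration that is not JavaScriptCore code and does not reproduce the real JSCell header layout or the FTL abstract-heap hierarchy. The model below is constructed: a 16-byte cell whose first 8 bytes carry the free-list link while a 4-byte structure ID field sits at offset 0 of a live cell, so the two overlap by half of the link. `allocate_correct` loads the link before storing the structure ID, the order the patch's heap hierarchy forces on the scheduler; `allocate_reordered` performs the store first, as a scheduler may legally do when it believes the two locations never alias, and hands back a link whose overlapping bytes have been clobbered. All names and the sample address are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed cell model (not JSC's real layout): 16 bytes, with the
 * free-list link in bytes 0..7 and the structure ID in bytes 0..3. */
#define CELL_SIZE 16

typedef struct {
    unsigned char bytes[CELL_SIZE];
} Cell;

/* freeListNext: 8-byte link stored at offset 0 of a cell on the free list. */
static void set_free_list_next(Cell *c, uint64_t next) {
    memcpy(c->bytes, &next, sizeof next);
}

static uint64_t get_free_list_next(const Cell *c) {
    uint64_t v;
    memcpy(&v, c->bytes, sizeof v);
    return v;
}

/* structureID: 4-byte field at offset 0 of a live cell, overlapping the link. */
static void set_structure_id(Cell *c, uint32_t id) {
    memcpy(c->bytes, &id, sizeof id);
}

/* Correct order: consume the link, then initialise the header.
 * Returns the address of the next free cell. */
static uint64_t allocate_correct(Cell *c, uint32_t structure_id) {
    uint64_t next = get_free_list_next(c);
    set_structure_id(c, structure_id);
    return next;
}

/* Store hoisted above the load, which a scheduler may do if it was told
 * the two fields are disjoint. The returned link is half-overwritten. */
static uint64_t allocate_reordered(Cell *c, uint32_t structure_id) {
    set_structure_id(c, structure_id);
    uint64_t next = get_free_list_next(c);
    return next;
}

/* How many bytes of the 8-byte link the hoisted store clobbers. */
static int bytes_clobbered(uint64_t link, uint32_t structure_id) {
    Cell intact, clobbered;
    memset(&intact, 0, sizeof intact);
    memset(&clobbered, 0, sizeof clobbered);
    set_free_list_next(&intact, link);
    set_free_list_next(&clobbered, link);
    (void)allocate_reordered(&clobbered, structure_id);
    int n = 0;
    for (size_t i = 0; i < sizeof link; i++)
        n += intact.bytes[i] != clobbered.bytes[i];
    return n;
}

int main(void) {
    const uint64_t link = 0x00007f1234567890ULL; /* constructed fake address */
    const uint32_t sid = 0xDEADBEEFu;            /* constructed structure ID */
    Cell cell;
    memset(&cell, 0, sizeof cell);

    set_free_list_next(&cell, link);
    uint64_t ok = allocate_correct(&cell, sid);

    set_free_list_next(&cell, link);
    uint64_t bad = allocate_reordered(&cell, sid);

    printf("load-then-store : %#llx\n", (unsigned long long)ok);
    printf("store-then-load : %#llx (%d bytes clobbered)\n",
           (unsigned long long)bad, bytes_clobbered(link, sid));
    return (ok == link && bad != link) ? 0 : 1;
}
```

The corrupted value is not a crash by itself; it becomes the head of the free list, so the next allocation hands out a forged address. That is why the fix is in the alias model (the abstract-heap hierarchy) rather than in the allocation code: the code's order was already right, and the compiler has to be told it may not change it.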