GetIndexedPropertyStorage can GC.
author mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 17 Oct 2018 04:16:24 +0000 (04:16 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 17 Oct 2018 04:16:24 +0000 (04:16 +0000)
https://bugs.webkit.org/show_bug.cgi?id=190625
<rdar://problem/45309366>

Reviewed by Saam Barati.

This is because if the ArrayMode type is String, the DFG and FTL will be emitting
a call to operationResolveRope, and operationResolveRope can GC.  This patch
updates doesGC() to reflect this.

* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@237215 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGDoesGC.cpp

index 0e75b8b..1ce4c80 100644 (file)
@@ -1,3 +1,18 @@
+2018-10-16  Mark Lam  <mark.lam@apple.com>
+
+        GetIndexedPropertyStorage can GC.
+        https://bugs.webkit.org/show_bug.cgi?id=190625
+        <rdar://problem/45309366>
+
+        Reviewed by Saam Barati.
+
+        This is because if the ArrayMode type is String, the DFG and FTL will be emitting
+        a call to operationResolveRope, and operationResolveRope can GC.  This patch
+        updates doesGC() to reflect this.
+
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+
 2018-10-16  Fujii Hironori  <Hironori.Fujii@sony.com>
 
         Unreviewed, rolling out r237188, r237189, and r237197.
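Review bot: The ChangeLog entry lists only dfg/DFGDoesGC.cpp and no test, so there is nothing in this commit that exercises GetIndexedPropertyStorage on a String-mode array under GC pressure; a regression test (or a note on why one is impractical) would make it harder for a later refactor of doesGC() to silently reintroduce the wrong answer.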
index 90fff25..5ad8bdd 100644 (file)
@@ -250,7 +250,6 @@ bool doesGC(Graph& graph, Node* node)
     case GetSetter:
     case GetByVal:
     case GetByValWithThis:
-    case GetIndexedPropertyStorage:
     case GetArrayLength:
     case GetVectorLength:
     case ArrayPush:
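Review bot: The return statement for the group GetIndexedPropertyStorage is being removed from lies outside this hunk's context, so the diff alone does not show what doesGC() used to answer for this node; the ChangeLog only states the new behaviour. Mentioning the previous answer in the ChangeLog would make the change reviewable from the diff, and this removal must land together with the re-added case later in the same function.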
@@ -377,6 +376,11 @@ bool doesGC(Graph& graph, Node* node)
     case MapSet:
         return true;
 
+    case GetIndexedPropertyStorage:
+        if (node->arrayMode().type() == Array::String)
+            return true;
+        return false;
+
     case MapHash:
         switch (node->child1().useKind()) {
         case BooleanUse:
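Review bot: The reason for the Array::String special case (the DFG and FTL emit a call to operationResolveRope for that array mode, and it can GC) exists only in the ChangeLog; a one-line comment above the `if` would keep the rationale next to the code, since doesGC() is where future authors will look when deciding whether a node can trigger collection, and an overly optimistic answer here is exactly what lets the JIT skip GC-safety work around the node. As a style point the four lines collapse to `return node->arrayMode().type() == Array::String;`.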