Global stringStructure caches its prototype chain, abandoning a web page
author oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 12 Oct 2011 19:51:46 +0000 (19:51 +0000)
committer oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 12 Oct 2011 19:51:46 +0000 (19:51 +0000)
https://bugs.webkit.org/show_bug.cgi?id=69952

Reviewed by Filip Pizlo.

When visiting a structure, we don't keep the prototype chain
alive if we're not the structure for an object type.

* runtime/Structure.cpp:
(JSC::Structure::visitChildren):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@97291 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/Structure.cpp

index 8a4c923..1c9af37 100644 (file)
@@ -1,3 +1,16 @@
+2011-10-12  Oliver Hunt  <oliver@apple.com>
+
+        Global stringStructure caches its prototype chain, abandoning a web page
+        https://bugs.webkit.org/show_bug.cgi?id=69952
+
+        Reviewed by Filip Pizlo.
+
+        When visiting a structure, we don't keep the prototype chain
+        alive if we're not the structure for an object type.
+
+        * runtime/Structure.cpp:
+        (JSC::Structure::visitChildren):
+
 2011-10-12  Yuqiang Xian  <yuqiang.xian@intel.com>
 
         DFG JIT 32_64 - Fix ArrayPop
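Review bot: The description in the new ChangeLog entry ("When visiting a structure, we don't keep the prototype chain alive...") covers only part of the Structure.cpp change. For non-object structures the code also stops visiting m_prototype, and it clears m_cachedPrototypeChain rather than merely skipping it. Suggest stating both in the entry. The commit touches only ChangeLog and Structure.cpp, so it would also help to note whether a regression test for the leak exists or why one is not practical.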
index 60e7c40..479df56 100644 (file)
@@ -739,10 +739,14 @@ void Structure::visitChildren(JSCell* cell, SlotVisitor& visitor)
     JSCell::visitChildren(thisObject, visitor);
     if (thisObject->m_globalObject)
         visitor.append(&thisObject->m_globalObject);
-    if (thisObject->m_prototype)
-        visitor.append(&thisObject->m_prototype);
-    if (thisObject->m_cachedPrototypeChain)
-        visitor.append(&thisObject->m_cachedPrototypeChain);
+    if (!thisObject->isObject())
+        thisObject->m_cachedPrototypeChain.clear();
+    else {
+        if (thisObject->m_prototype)
+            visitor.append(&thisObject->m_prototype);
+        if (thisObject->m_cachedPrototypeChain)
+            visitor.append(&thisObject->m_cachedPrototypeChain);
+    }
     if (thisObject->m_previous)
         visitor.append(&thisObject->m_previous);
     if (thisObject->m_specificValueInPrevious)
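Review bot: In the new `!thisObject->isObject()` branch, m_cachedPrototypeChain is cleared but m_prototype is neither visited nor cleared, so the two fields are treated differently without explanation. If m_prototype can ever hold a cell for a non-object structure, it is left pointing at something the collector no longer keeps alive. Suggest either clearing it in the same branch or adding an assertion or comment stating that it is never a cell there. Separately, `m_cachedPrototypeChain.clear()` makes visitChildren mutate the structure during marking. That deserves a short comment saying why the cache is dropped here rather than where it is populated, and that the chain is expected to be rebuilt on demand.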