[SCM] WebKit Debian packaging branch, debian/experimental, updated. debian/1.1.14-1-406-ga33802f

Gustavo Noronha Silva kov at debian.org
Tue Sep 22 00:28:49 UTC 2009


The following commit has been merged in the debian/experimental branch:
commit b9d6d47dc639bfc8fb25497e2b69717e0ebfab7b
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Mon Sep 21 18:59:56 2009 +0000

    REGRESSION (r48582): Crash in StructureStubInfo::initPutByIdTransition when reloading trac.webkit.org
    https://bugs.webkit.org/show_bug.cgi?id=29599
    
    Reviewed by Geoff Garen
    
    It is unsafe to attempt to cache new property transitions on
    dictionaries of any type.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@48590 268f45cc-cd09-0410-ab3c-d52691b4dbfc
    filter-origin: ad72fbf795bde017168386e946bdf6146d13c42d

diff --git a/JavaScriptCore/interpreter/Interpreter.cpp b/JavaScriptCore/interpreter/Interpreter.cpp
index 624832c..8a8fb3c 100644
--- a/JavaScriptCore/interpreter/Interpreter.cpp
+++ b/JavaScriptCore/interpreter/Interpreter.cpp
@@ -988,6 +988,10 @@ NEVER_INLINE void Interpreter::tryCachePutByID(CallFrame* callFrame, CodeBlock*
 
     // Structure transition, cache transition info
     if (slot.type() == PutPropertySlot::NewProperty) {
+        if (structure->isDictionary()) {
+            vPC[0] = getOpcode(op_put_by_id_generic);
+            return;
+        }
         vPC[0] = getOpcode(op_put_by_id_transition);
         vPC[4] = structure->previousID();
         vPC[5] = structure;
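Review bot: the new `isDictionary()` early return is placed correctly before `vPC[4]`/`vPC[5]` are overwritten with transition data, but it carries no comment; since the commit message is the only place stating why dictionaries must not be cached, add a one-line comment above `if (structure->isDictionary())` such as `// Dictionaries have no stable previousID/structure pair to cache; fall back to generic.` Also note the guard lives only inside the `NewProperty` branch, so a reader of this hunk cannot tell whether the non-transition cache paths earlier in `tryCachePutByID` already handle dictionary structures; a comment or a pointer to that handling would make the intent clear.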
diff --git a/JavaScriptCore/jit/JITStubs.cpp b/JavaScriptCore/jit/JITStubs.cpp
index f197526..055a536 100644
--- a/JavaScriptCore/jit/JITStubs.cpp
+++ b/JavaScriptCore/jit/JITStubs.cpp
@@ -695,7 +695,7 @@ NEVER_INLINE void JITThunks::tryCachePutByID(CallFrame* callFrame, CodeBlock* co
     // Structure transition, cache transition info
     if (slot.type() == PutPropertySlot::NewProperty) {
         StructureChain* prototypeChain = structure->prototypeChain(callFrame);
-        if (!prototypeChain->isCacheable()) {
+        if (!prototypeChain->isCacheable() || structure->isDictionary()) {
             ctiPatchCallByReturnAddress(codeBlock, returnAddress, FunctionPtr(cti_op_put_by_id_generic));
             return;
         }
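Review bot: `structure->isDictionary()` is evaluated after `structure->prototypeChain(callFrame)` has already been computed, so for dictionary structures the prototype chain is built and then discarded; reordering to `if (structure->isDictionary() || !prototypeChain->isCacheable())`, or moving the dictionary test above the `prototypeChain` lookup as a separate early return, avoids that work. Separately, the two call sites now express the same rule in different shapes (a folded condition here, a standalone early return in `Interpreter::tryCachePutByID`); matching comments at both sites, or a small shared predicate, would help keep the interpreter and JIT caching policies in sync when the next exclusion is added.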

-- 
WebKit Debian packaging


