[Title] Remove use of JSCell::classInfoOffset() from virtualForThunkGenerator
[Issue#] N_SE-49504
[Problem] Crash after accessing property through cached property
[Solution] use structure rather than classinfo
[Cherry-Picker] Lee SangGyu <sg5.lee@samsung.com>
Remove use of JSCell::classInfoOffset() from virtualForThunkGenerator
https://bugs.webkit.org/show_bug.cgi?id=95821
Reviewed by Oliver Hunt.
We can replace the load of the ClassInfo from the object with a load from the Structure.
* dfg/DFGThunks.cpp:
(JSC::DFG::virtualForThunkGenerator):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127625 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Change-Id: Ic649e638d5ef6bb57559423e24caeba9b0745a4c
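The commit message says the thunk can reach the ClassInfo through the cell's Structure instead of reading it from the cell. The following is an added example, not JSC code, that models both paths with the same load-and-compare shape the thunk emits: a raw load at JSCell::structureOffset(), a second raw load at Structure::classInfoOffset(), then a pointer compare against the class's static info. The struct layouts, the field names, the helper loadPtr and the stand-in functionInfo (playing JSFunction::s_info) are all assumptions made for the illustration.

```cpp
// Added example (not JSC's code): toy model of the class check in the thunk.
// Layouts, names and the stand-in ClassInfo objects are assumptions.
#include <cstddef>
#include <cstdint>
#include <cstring>

struct ClassInfo { const char* className; };

// Stand-ins for JSFunction::s_info and some other class's s_info.
static const ClassInfo functionInfo{"Function"};
static const ClassInfo objectInfo{"Object"};

struct Structure {
    const ClassInfo* m_classInfo;   // what Structure::classInfoOffset() addresses
    static size_t classInfoOffset() { return offsetof(Structure, m_classInfo); }
};

struct JSCell {
    Structure* m_structure;         // what JSCell::structureOffset() addresses
    const ClassInfo* m_classInfo;   // the per-cell copy the patch stops reading
    static size_t structureOffset() { return offsetof(JSCell, m_structure); }
    static size_t classInfoOffset() { return offsetof(JSCell, m_classInfo); }
};

// Mirrors jit.loadPtr(Address(base, offset), dst): a raw pointer-sized load
// from base+offset. memcpy avoids aliasing issues in plain C++.
static uintptr_t loadPtr(uintptr_t base, size_t offset) {
    uintptr_t value;
    std::memcpy(&value, reinterpret_cast<const void*>(base + offset), sizeof value);
    return value;
}

// The check the hunk removes: one load, ClassInfo read straight off the cell.
bool isJSFunctionViaCell(const JSCell* cell) {
    uintptr_t classInfo = loadPtr(reinterpret_cast<uintptr_t>(cell), JSCell::classInfoOffset());
    return classInfo == reinterpret_cast<uintptr_t>(&functionInfo);
}

// The check the hunk adds: nonArgGPR2 <- [cell + structureOffset], then
// compare [nonArgGPR2 + Structure::classInfoOffset] with &JSFunction::s_info.
bool isJSFunctionViaStructure(const JSCell* cell) {
    uintptr_t structure = loadPtr(reinterpret_cast<uintptr_t>(cell), JSCell::structureOffset());
    uintptr_t classInfo = loadPtr(structure, Structure::classInfoOffset());
    return classInfo == reinterpret_cast<uintptr_t>(&functionInfo);  // NotEqual -> slowCase
}

// Constructed cells: one function, one plain object; both copies agree here,
// so the two predicates give the same verdict.
bool demoChecks() {
    Structure functionStructure{&functionInfo};
    Structure objectStructure{&objectInfo};
    JSCell function{&functionStructure, &functionInfo};
    JSCell object{&objectStructure, &objectInfo};
    return isJSFunctionViaStructure(&function) && !isJSFunctionViaStructure(&object)
        && isJSFunctionViaCell(&function) && !isJSFunctionViaCell(&object);
}

int main() { return demoChecks() ? 0 : 1; }
```

The point of the model is that the Structure path costs one extra dependent load (the register the hunk names GPRInfo::nonArgGPR2 holds the intermediate Structure pointer) but makes the Structure the single place the ClassInfo is read from, so the cell no longer needs to carry its own copy for this check.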
* heap/MarkedBlock.h:
(JSC::MarkedBlock::needsSweeping): It is only valid to sweep a block if it is in the Marked state.
+2012-09-05 Mark Hahnenberg <mhahnenberg@apple.com>
+
+ Remove use of JSCell::classInfoOffset() from virtualForThunkGenerator
+ https://bugs.webkit.org/show_bug.cgi?id=95821
+
+ Reviewed by Oliver Hunt.
+
+ We can replace the load of the ClassInfo from the object with a load from the Structure.
+
+ * dfg/DFGThunks.cpp:
+ (JSC::DFG::virtualForThunkGenerator):
+
2013-03-11 Oliver Hunt <oliver@apple.com>
Make SegmentedVector Noncopyable
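Review bot: the added 2012-09-05 entry lands above the "2013-03-11 Oliver Hunt" entry, so this ChangeLog hunk breaks the file's reverse-chronological order; when cherry-picking, either file the entry by date or note in it that it is a backport. Also, the header's [Problem] line ("Crash after accessing property through cached property") does not appear in the entry, which only states the ClassInfo-to-Structure substitution; a sentence naming the crash being fixed would make the entry self-explanatory.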
CCallHelpers::NotEqual, GPRInfo::nonArgGPR1,
CCallHelpers::TrustedImm32(JSValue::CellTag)));
#endif
+ jit.loadPtr(CCallHelpers::Address(GPRInfo::nonArgGPR0, JSCell::structureOffset()), GPRInfo::nonArgGPR2);
slowCase.append(
jit.branchPtr(
CCallHelpers::NotEqual,
- CCallHelpers::Address(GPRInfo::nonArgGPR0, JSCell::classInfoOffset()),
+ CCallHelpers::Address(GPRInfo::nonArgGPR2, Structure::classInfoOffset()),
CCallHelpers::TrustedImmPtr(&JSFunction::s_info)));
// Now we know we have a JSFunction.
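Review bot: the new jit.loadPtr into GPRInfo::nonArgGPR2 widens the thunk's working register set; confirm nonArgGPR2 carries nothing live at this point of virtualForThunkGenerator and is not expected intact by the slowCase path, since nothing in the visible context documents its use. The placement is right: the load sits after the #endif of the JSValue::CellTag branch, so on the 32-bit build it is only reached once the value is known to be a cell. Because the compare now goes through the Structure, the comment "// Now we know we have a JSFunction." relies on the Structure's ClassInfo being authoritative for the cell (the premise of the change); a one-line comment above the loadPtr saying the ClassInfo is read via the Structure rather than from the cell would help the next reader of this thunk.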