From: mhahnenberg@apple.com Date: Wed, 5 Sep 2012 19:07:35 +0000 (+0000) Subject: [CherryPick] Remove use of JSCell::classInfoOffset() from virtualForThunkGenerator X-Git-Tag: 2.2.1_release~281 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=42a9f1a2a26164329de7580744b57327dff7dc31;p=framework%2Fweb%2Fwebkit-efl.git [CherryPick] Remove use of JSCell::classInfoOffset() from virtualForThunkGenerator [Title] Remove use of JSCell::classInfoOffset() from virtualForThunkGenerator [Issue#] N_SE-49504 [Problem] Crash after accessing property through cached property [Solution] use structure rather than classinfo [Cherry-Picker] Lee SangGyu Remove use of JSCell::classInfoOffset() from virtualForThunkGenerator https://bugs.webkit.org/show_bug.cgi?id=95821 Reviewed by Oliver Hunt. We can replace the load of the ClassInfo from the object with a load from the Structure. * dfg/DFGThunks.cpp: (JSC::DFG::virtualForThunkGenerator): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127625 268f45cc-cd09-0410-ab3c-d52691b4dbfc Change-Id: Ic649e638d5ef6bb57559423e24caeba9b0745a4c --- diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog index 281c4da..17760ec 100644 --- a/Source/JavaScriptCore/ChangeLog +++ b/Source/JavaScriptCore/ChangeLog @@ -15,6 +15,18 @@ * heap/MarkedBlock.h: (JSC::MarkedBlock::needsSweeping): It is only valid to sweep a block if it is in the Marked state. +2012-09-05 Mark Hahnenberg + + Remove use of JSCell::classInfoOffset() from virtualForThunkGenerator + https://bugs.webkit.org/show_bug.cgi?id=95821 + + Reviewed by Oliver Hunt. + + We can replace the load of the ClassInfo from the object with a load from the Structure. + + * dfg/DFGThunks.cpp: + (JSC::DFG::virtualForThunkGenerator): + 2013-03-11 Oliver Hunt Make SegmentedVector Noncopyable diff --git a/Source/JavaScriptCore/dfg/DFGThunks.cpp b/Source/JavaScriptCore/dfg/DFGThunks.cpp index b056de7..546aec2 100644 --- a/Source/JavaScriptCore/dfg/DFGThunks.cpp 
+++ b/Source/JavaScriptCore/dfg/DFGThunks.cpp @@ -219,10 +219,11 @@ static MacroAssemblerCodeRef virtualForThunkGenerator( CCallHelpers::NotEqual, GPRInfo::nonArgGPR1, CCallHelpers::TrustedImm32(JSValue::CellTag))); #endif + jit.loadPtr(CCallHelpers::Address(GPRInfo::nonArgGPR0, JSCell::structureOffset()), GPRInfo::nonArgGPR2); slowCase.append( jit.branchPtr( CCallHelpers::NotEqual, - CCallHelpers::Address(GPRInfo::nonArgGPR0, JSCell::classInfoOffset()), + CCallHelpers::Address(GPRInfo::nonArgGPR2, Structure::classInfoOffset()), CCallHelpers::TrustedImmPtr(&JSFunction::s_info))); // Now we know we have a JSFunction.
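Review bot: In the ChangeLog hunk the new 2012-09-05 entry is inserted directly above a 2013-03-11 entry, which breaks the file's reverse-chronological order; for a cherry-pick this is usually tolerated, but if the file is meant to stay sorted the entry should go below the 2013 entries rather than at line 18.

Review bot: In the DFGThunks.cpp hunk the added `jit.loadPtr(... JSCell::structureOffset() ..., GPRInfo::nonArgGPR2)` clobbers nonArgGPR2 unconditionally before the `slowCase` branch, and the visible context does not show whether that register is live here or whether the code after "Now we know we have a JSFunction." relies on its prior contents; please confirm nonArgGPR2 is a scratch register at this point (or note it in the ChangeLog) so the type check against `&JSFunction::s_info` still guards every path that later treats nonArgGPR0 as a JSFunction. Since the load is placed after the CellTag check under the `#endif`, the structure dereference only happens for cells, which is the property the check needs; it would be worth a one-line comment on the new line saying the structure load must stay after that check.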