-
https://webkit.org/b/119919mhahnenberg@apple.com authored
<https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML Reviewed by Filip Pizlo. Added a new mode for DesiredWriteBarrier that allows it to track a position in a Vector of WriteBarriers rather than the specific address. The fact that we were arbitrarily storing into a Vector's backing store for constants at the end of compilation after the Vector could have resized was causing crashes. * bytecode/CodeBlock.h: (JSC::CodeBlock::constants): (JSC::CodeBlock::addConstantLazily): * dfg/DFGByteCodeParser.cpp: (JSC::DFG::ByteCodeParser::addConstant): * dfg/DFGDesiredWriteBarriers.cpp: (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier): (JSC::DFG::DesiredWriteBarrier::trigger): (JSC::DFG::initializeLazyWriteBarrierForConstant): * dfg/DFGDesiredWriteBarriers.h: (JSC::DFG::DesiredWriteBarriers::add): * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::truncateConstantToInt32): * dfg/DFGGraph.h: (JSC::DFG::Graph::constantRegisterForConstant): git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154245 268f45cc-cd09-0410-ab3c-d52691b4dbfc
fd433bf9