Title: [230264] trunk/Source/_javascript_Core
- Revision: 230264
- Author: fpi...@apple.com
- Date: 2018-04-04 10:42:11 -0700 (Wed, 04 Apr 2018)
Log Message
JSArray::appendMemcpy seems to be missing a barrier
https://bugs.webkit.org/show_bug.cgi?id=184290
Reviewed by Mark Lam.
If you write to an array that may contain pointers and you didn't just allocate it, then you need to
barrier right after.
I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.
* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):
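The rule stated in the log message (a pointer-carrying write into an object that was not just allocated must be followed by a barrier) is what a generational collector's remembered set depends on. The following is an added example, not JSC code: a toy generational heap in C++ with a remembered-set write barrier, an appendMemcpy that copies slots as raw bytes the way the real one does, and a minor collection that scans old cells only when they are remembered. `Cell`, `ToyHeap`, `pointeeSurvives` and everything else below are invented for the illustration and assume nothing about JSC's actual Heap implementation.

```cpp
#include <algorithm>
#include <cstring>
#include <memory>
#include <set>
#include <vector>

// Constructed toy heap for this example; not JSC's Heap or JSArray.
struct Cell {
    bool old = false;          // survived an earlier minor collection
    bool marked = false;
    std::vector<Cell*> slots;  // pointer-carrying storage, like a contiguous butterfly
};

class ToyHeap {
public:
    std::vector<Cell*> roots;

    Cell* allocate() {
        cells.push_back(std::make_unique<Cell>());
        return cells.back().get();
    }

    // The barrier: an old cell that was just written may now point at young
    // cells, so the next minor collection must rescan it. Young cells are
    // scanned anyway, which is why a freshly allocated array needs no barrier.
    void writeBarrier(Cell* cell) {
        if (cell->old)
            remembered.insert(cell);
    }

    // memcpy-style append of src's slots onto dst, in the shape of
    // JSArray::appendMemcpy: the bytes are copied without visiting each
    // pointer, so the collector learns nothing unless a barrier follows.
    void appendMemcpy(Cell* dst, const Cell* src, bool barrier) {
        size_t start = dst->slots.size();
        dst->slots.resize(start + src->slots.size());
        if (!src->slots.empty())
            std::memcpy(dst->slots.data() + start, src->slots.data(), sizeof(Cell*) * src->slots.size());
        if (barrier)
            writeBarrier(dst);
    }

    // Minor collection: old cells are assumed live and scanned only if
    // remembered; young cells reachable from roots or remembered cells are
    // promoted, all other young cells are freed. Returns the number freed.
    size_t minorGC() {
        std::vector<Cell*> work(roots.begin(), roots.end());
        work.insert(work.end(), remembered.begin(), remembered.end());
        while (!work.empty()) {
            Cell* c = work.back();
            work.pop_back();
            if (!c->old) {
                if (c->marked)
                    continue;
                c->marked = true;
            } else if (!remembered.count(c))
                continue;                  // old and not remembered: never scanned
            for (Cell* child : c->slots)
                if (child && !child->old && !child->marked)
                    work.push_back(child);
        }
        size_t freed = 0;
        cells.erase(std::remove_if(cells.begin(), cells.end(), [&](std::unique_ptr<Cell>& c) {
            if (c->old)
                return false;
            if (!c->marked) {
                ++freed;
                return true;               // unreachable young cell: freed
            }
            c->marked = false;
            c->old = true;                 // survivor: promoted
            return false;
        }), cells.end());
        remembered.clear();
        return freed;
    }

    bool isLive(const Cell* c) const {
        return std::any_of(cells.begin(), cells.end(),
            [c](const std::unique_ptr<Cell>& p) { return p.get() == c; });
    }

private:
    std::vector<std::unique_ptr<Cell>> cells;
    std::set<Cell*> remembered;
};

// An array receives a pointer to a young cell via memcpy, the only other
// reference to that cell is dropped, and a minor collection runs. Returns
// whether the pointee is still alive; false means array->slots[0] dangles.
bool pointeeSurvives(bool arrayIsOld, bool useBarrier) {
    ToyHeap heap;
    Cell* array = heap.allocate();
    heap.roots.push_back(array);
    if (arrayIsOld)
        heap.minorGC();                    // promote it: no longer "just allocated"
    Cell* source = heap.allocate();
    Cell* pointee = heap.allocate();
    source->slots.push_back(pointee);
    heap.roots.push_back(source);
    heap.appendMemcpy(array, source, useBarrier);
    heap.roots.pop_back();                 // only the copied slot now refers to pointee
    heap.minorGC();
    return heap.isLive(pointee);
}
```

With an old array and no barrier the pointee is freed while the array still holds its address, which is the use-after-free the barrier exists to prevent; with the barrier the array is rescanned and the pointee is promoted. With a young array the barrier is unnecessary because the collector scans young cells regardless, matching the "you didn't just allocate it" clause of the rule.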
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (230263 => 230264)
--- trunk/Source/_javascript_Core/ChangeLog 2018-04-04 17:41:29 UTC (rev 230263)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-04-04 17:42:11 UTC (rev 230264)
@@ -1,5 +1,21 @@
2018-04-03 Filip Pizlo <fpi...@apple.com>
+ JSArray::appendMemcpy seems to be missing a barrier
+ https://bugs.webkit.org/show_bug.cgi?id=184290
+
+ Reviewed by Mark Lam.
+
+ If you write to an array that may contain pointers and you didn't just allocate it, then you need to
+ barrier right after.
+
+ I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
+ obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::appendMemcpy):
+
+2018-04-03 Filip Pizlo <fpi...@apple.com>
+
GC shouldn't do object distancing
https://bugs.webkit.org/show_bug.cgi?id=184195
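Review bot: The entry states the rule but does not record why the `ArrayWithDouble` memcpy in the same function is left without a barrier, nor which callers were examined before concluding this may not be a real bug; one sentence such as "doubles carry no cell pointers, so only the contiguous path is barriered" would let a later reader check the reasoning instead of re-deriving it. The entry also carries no test reference or "No new tests" line, so it should say explicitly that the change is not covered by a regression test.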
Modified: trunk/Source/_javascript_Core/runtime/JSArray.cpp (230263 => 230264)
--- trunk/Source/_javascript_Core/runtime/JSArray.cpp 2018-04-04 17:41:29 UTC (rev 230263)
+++ trunk/Source/_javascript_Core/runtime/JSArray.cpp 2018-04-04 17:42:11 UTC (rev 230264)
@@ -554,8 +554,10 @@
}
} else if (type == ArrayWithDouble)
memcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength);
- else
+ else {
memcpy(butterfly()->contiguous().data() + startIndex, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength);
+ vm.heap.writeBarrier(this);
+ }
return true;
}
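Review bot: `vm.heap.writeBarrier(this);` is added only to the final `else`, so the `ArrayWithDouble` memcpy directly above it and the branch closed by the `}` at the top of the hunk remain unbarriered; that is correct only because those paths store doubles rather than cell pointers, and the `else` also receives int32 butterflies where the barrier is redundant but harmless, so a one-line comment on the `else` naming it as the JSValue-carrying case would pin that reasoning to the code. `vm` is used but not declared within the visible context; confirm it is a `VM&` already in scope in this function rather than a fresh lookup, since the barrier must refer to the heap that owns `this`.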
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes