Title: [208621] branches/safari-602-branch


Modified: branches/safari-602-branch/JSTests/ChangeLog (208620 => 208621)


--- branches/safari-602-branch/JSTests/ChangeLog	2016-11-11 23:43:29 UTC (rev 208620)
+++ branches/safari-602-branch/JSTests/ChangeLog	2016-11-11 23:50:28 UTC (rev 208621)
@@ -1,3 +1,19 @@
+2016-11-11  Matthew Hanson  <[email protected]>
+
+        Merge r208614. rdar://problem/29225966
+
+    2016-11-11  Saam Barati  <[email protected]>
+
+            We recursively grab a lock in the DFGBytecodeParser causing us to deadlock
+            https://bugs.webkit.org/show_bug.cgi?id=164650
+
+            Reviewed by Geoffrey Garen.
+
+            * stress/dont-dead-lock-put-by-val-as-put-by-id.js: Added.
+            (ident):
+            (let.o.set foo):
+            (foo):
+
 2016-10-27  Mark Lam  <[email protected]>
 
         Merge r207518. rdar://problem/28216050, rdar://problem/28216232

Added: branches/safari-602-branch/JSTests/stress/dont-dead-lock-put-by-val-as-put-by-id.js (0 => 208621)


--- branches/safari-602-branch/JSTests/stress/dont-dead-lock-put-by-val-as-put-by-id.js	                        (rev 0)
+++ branches/safari-602-branch/JSTests/stress/dont-dead-lock-put-by-val-as-put-by-id.js	2016-11-11 23:50:28 UTC (rev 208621)
@@ -0,0 +1,17 @@
+function ident() { return "foo"; }
+noInline(ident);
+
+let o = {
+    set foo(x) {
+        foo(false);
+    }
+};
+
+function foo(cond) {
+    if (cond)
+        o[ident()] = 20;
+}
+
+for (let i = 0; i < 10000; i++) {
+    foo(true);
+}

Modified: branches/safari-602-branch/Source/_javascript_Core/ChangeLog (208620 => 208621)


--- branches/safari-602-branch/Source/_javascript_Core/ChangeLog	2016-11-11 23:43:29 UTC (rev 208620)
+++ branches/safari-602-branch/Source/_javascript_Core/ChangeLog	2016-11-11 23:50:28 UTC (rev 208621)
@@ -1,3 +1,23 @@
+2016-11-11  Matthew Hanson  <[email protected]>
+
+        Merge r208614. rdar://problem/29225966
+
+    2016-11-11  Saam Barati  <[email protected]>
+
+            We recursively grab a lock in the DFGBytecodeParser causing us to deadlock
+            https://bugs.webkit.org/show_bug.cgi?id=164650
+
+            Reviewed by Geoffrey Garen.
+
+            Some code was incorrectly holding a lock when recursively calling
+            back into the bytecode parser's via inlining a put_by_val as a put_by_id.
+            This can cause a deadlock if the inlinee CodeBlock is something we're
+            already holding a lock for. I've changed the range of the lock holder
+            to be as narrow as possible.
+
+            * dfg/DFGByteCodeParser.cpp:
+            (JSC::DFG::ByteCodeParser::parseBlock):
+
 2016-11-03  Matthew Hanson  <[email protected]>
 
         Merge r208299. rdar://problem/28857505

Modified: branches/safari-602-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (208620 => 208621)


--- branches/safari-602-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2016-11-11 23:43:29 UTC (rev 208620)
+++ branches/safari-602-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2016-11-11 23:50:28 UTC (rev 208621)
@@ -4128,23 +4128,24 @@
             bool isDirect = opcodeID == op_put_by_val_direct;
             bool compiledAsPutById = false;
             {
-                ConcurrentJITLocker locker(m_inlineStackTop->m_profiledBlock->m_lock);
-                ByValInfo* byValInfo = m_inlineStackTop->m_byValInfos.get(CodeOrigin(currentCodeOrigin().bytecodeIndex));
-                // FIXME: When the bytecode is not compiled in the baseline JIT, byValInfo becomes null.
-                // At that time, there is no information.
-                if (byValInfo && byValInfo->stubInfo && !byValInfo->tookSlowPath && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadIdent)) {
-                    compiledAsPutById = true;
-                    unsigned identifierNumber = m_graph.identifiers().ensure(byValInfo->cachedId.impl());
-                    UniquedStringImpl* uid = m_graph.identifiers()[identifierNumber];
+                unsigned identifierNumber;
+                PutByIdStatus putByIdStatus;
+                {
+                    ConcurrentJITLocker locker(m_inlineStackTop->m_profiledBlock->m_lock);
+                    ByValInfo* byValInfo = m_inlineStackTop->m_byValInfos.get(CodeOrigin(currentCodeOrigin().bytecodeIndex));
+                    // FIXME: When the bytecode is not compiled in the baseline JIT, byValInfo becomes null.
+                    // At that time, there is no information.
+                    if (byValInfo && byValInfo->stubInfo && !byValInfo->tookSlowPath && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadIdent)) {
+                        compiledAsPutById = true;
+                        identifierNumber = m_graph.identifiers().ensure(byValInfo->cachedId.impl());
+                        UniquedStringImpl* uid = m_graph.identifiers()[identifierNumber];
 
-                    addToGraph(CheckIdent, OpInfo(uid), property);
+                        addToGraph(CheckIdent, OpInfo(uid), property);
+                    }
+                }
 
-                    PutByIdStatus putByIdStatus = PutByIdStatus::computeForStubInfo(
-                        locker, m_inlineStackTop->m_profiledBlock,
-                        byValInfo->stubInfo, currentCodeOrigin(), uid);
-
+                if (compiledAsPutById)
                     handlePutById(base, identifierNumber, value, putByIdStatus, isDirect);
-                }
             }
 
             if (!compiledAsPutById) {
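Review bot: In the new code `putByIdStatus`, declared at the top of the outer block, is never assigned: the removed lines computed it via `PutByIdStatus::computeForStubInfo(locker, …)` while the lock was held, and no equivalent assignment appears anywhere on the new side, so `handlePutById` now receives a default-constructed status and presumably discards whatever the baseline stub had profiled. Since the call takes the `locker`, it belongs at the end of the guarded branch, right after the `addToGraph(CheckIdent, OpInfo(uid), property);` line: `putByIdStatus = PutByIdStatus::computeForStubInfo(` / `    locker, m_inlineStackTop->m_profiledBlock,` / `    byValInfo->stubInfo, currentCodeOrigin(), uid);`. `identifierNumber` is likewise declared without an initializer; it is only read under the `compiledAsPutById` guard, but `unsigned identifierNumber = 0;` would avoid a maybe-uninitialized warning and make the intent explicit. parseBlock begins and ends outside this hunk.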