Title: [230264] trunk/Source/JavaScriptCore
Revision: 230264
Author: fpi...@apple.com
Date: 2018-04-04 10:42:11 -0700 (Wed, 04 Apr 2018)

Log Message

JSArray::appendMemcpy seems to be missing a barrier
https://bugs.webkit.org/show_bug.cgi?id=184290

Reviewed by Mark Lam.
If you write to an array that may contain pointers and you didn't just allocate it, then you need to
barrier right after.
I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.

* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):
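
The rule the commit message states (a pointer store into an object you did not just allocate must be followed by a barrier) is easiest to see with a tiny generational collector. The following is an added example, not WebKit or JSC code: a remembered-set style toy heap with hypothetical names (`toygc::Heap`, `appendSlots`, `referentSurvives`) that performs an appendMemcpy-shaped bulk copy into an already-promoted array, with and without the barrier, and then runs a nursery collection. JSC's real `vm.heap.writeBarrier` is implemented differently; only the invariant it maintains is modelled here.

```cpp
// Added example, not WebKit/JSC code: a toy remembered-set generational heap
// showing why a bulk pointer write into an already-allocated (old) object must
// be followed by a write barrier on that object. All names are hypothetical.
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

namespace toygc {

struct Obj {
    bool old = false;        // promoted by an earlier nursery GC
    bool dead = false;       // reclaimed by a nursery GC (flagged instead of freed)
    std::vector<Obj*> slots; // pointer-typed fields, like a contiguous JSValue butterfly
};

struct Heap {
    std::vector<std::unique_ptr<Obj>> objects;
    std::vector<Obj*> roots;
    std::set<Obj*> remembered; // old objects whose pointer fields changed since the last GC

    Obj* allocate() {
        objects.push_back(std::make_unique<Obj>());
        return objects.back().get(); // fresh objects are young; no barrier needed yet
    }

    // The barrier: an old object may now point into the nursery, so record it.
    void writeBarrier(Obj* owner) {
        if (owner->old)
            remembered.insert(owner);
    }

    // Bulk copy of pointer slots into an existing array: the appendMemcpy shape.
    void appendSlots(Obj* dst, const Obj* src, bool useBarrier) {
        dst->slots.insert(dst->slots.end(), src->slots.begin(), src->slots.end());
        if (useBarrier)
            writeBarrier(dst); // the commit's fix: barrier the owner right after the write
    }

    // Nursery collection. Old objects are never scanned unless they are in the
    // remembered set; that assumption is exactly what the barrier maintains.
    void collectNursery() {
        std::set<Obj*> marked;
        std::vector<Obj*> work(roots.begin(), roots.end());
        work.insert(work.end(), remembered.begin(), remembered.end());
        while (!work.empty()) {
            Obj* o = work.back();
            work.pop_back();
            if (o->dead || !marked.insert(o).second)
                continue;
            if (o->old && !remembered.count(o))
                continue; // unremembered old object: its fields are assumed already known
            for (Obj* child : o->slots)
                work.push_back(child);
        }
        for (auto& up : objects) {
            Obj* o = up.get();
            if (o->old || o->dead)
                continue;
            if (marked.count(o))
                o->old = true;  // survivor: promote to the old generation
            else
                o->dead = true; // unreached nursery object: reclaim
        }
        remembered.clear();
    }
};

// Returns true if the copied-in young object is still alive after a nursery GC.
bool referentSurvives(bool useBarrier) {
    Heap heap;
    Obj* array = heap.allocate();
    heap.roots.push_back(array);
    heap.collectNursery(); // array survives and is promoted: it is now old

    Obj* referent = heap.allocate(); // young, reachable only through the copied slot
    Obj* source = heap.allocate();
    source->slots.push_back(referent);
    heap.appendSlots(array, source, useBarrier);

    heap.collectNursery();
    return !array->slots[0]->dead; // false means the live array holds a dangling slot
}

} // namespace toygc

int main() {
    std::printf("without barrier: referent %s\n",
                toygc::referentSurvives(false) ? "survives" : "reclaimed, slot dangles");
    std::printf("with barrier:    referent %s\n",
                toygc::referentSurvives(true) ? "survives" : "reclaimed, slot dangles");
    return 0;
}
```

Without the barrier the nursery GC never scans the old array, so the only reference to the freshly copied-in object is invisible to it: the referent is reclaimed while a live object still holds a pointer to it, which in a real engine is a use-after-free. With the barrier the array is rescanned and the referent is promoted. The `old` check inside `writeBarrier` is the "you didn't just allocate it" part of the commit message: a barrier on a young owner is a harmless no-op.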

Modified Paths

trunk/Source/JavaScriptCore/ChangeLog
trunk/Source/JavaScriptCore/runtime/JSArray.cpp

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (230263 => 230264)


--- trunk/Source/_javascript_Core/ChangeLog	2018-04-04 17:41:29 UTC (rev 230263)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-04-04 17:42:11 UTC (rev 230264)
@@ -1,5 +1,21 @@
 2018-04-03  Filip Pizlo  <fpi...@apple.com>
 
+        JSArray::appendMemcpy seems to be missing a barrier
+        https://bugs.webkit.org/show_bug.cgi?id=184290
+
+        Reviewed by Mark Lam.
+        
+        If you write to an array that may contain pointers and you didn't just allocate it, then you need to
+        barrier right after.
+        
+        I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
+        obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.
+
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::appendMemcpy):
+
+2018-04-03  Filip Pizlo  <fpi...@apple.com>
+
         GC shouldn't do object distancing
         https://bugs.webkit.org/show_bug.cgi?id=184195
 
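Review bot: the new entry's justification hedges ("I don't know if this is really a bug ... it's possible that all callers of appendMemcpy do things that obviate the need"); naming which callers were checked, or stating that none were, would let a later reader tell whether the barrier is load-bearing or purely defensive. Minor: the entry is dated 2018-04-03 while the commit landed 2018-04-04, and the ChangeLog date is what people grep for.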

Modified: trunk/Source/JavaScriptCore/runtime/JSArray.cpp (230263 => 230264)


--- trunk/Source/_javascript_Core/runtime/JSArray.cpp	2018-04-04 17:41:29 UTC (rev 230263)
+++ trunk/Source/_javascript_Core/runtime/JSArray.cpp	2018-04-04 17:42:11 UTC (rev 230264)
@@ -554,8 +554,10 @@
         }
     } else if (type == ArrayWithDouble)
         memcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength);
-    else
+    else {
         memcpy(butterfly()->contiguous().data() + startIndex, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength);
+        vm.heap.writeBarrier(this);
+    }
 
     return true;
 }
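Review bot: the barrier is added only to the contiguous (JSValue) branch, while the ArrayWithDouble branch just above keeps its unbarriered memcpy; that asymmetry is correct, since a double butterfly holds no pointers, but it deserves a one-line comment next to `vm.heap.writeBarrier(this);` so nobody later "fixes" it by adding or removing a barrier. Two things the hunk does not show and should be confirmed: that `vm` is the function's own parameter rather than looked up from `exec`, and whether the branch closed by the `}` at the top of the hunk also stores JSValue slots and would need the same treatment.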
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes