Title: [230432] releases/WebKitGTK/webkit-2.20/Source/_javascript_Core
Revision: 230432
Author: carlo...@webkit.org
Date: 2018-04-09 08:46:50 -0700 (Mon, 09 Apr 2018)

Log Message

Merge r230264 - JSArray::appendMemcpy seems to be missing a barrier
https://bugs.webkit.org/show_bug.cgi?id=184290

Reviewed by Mark Lam.

If you write to an array that may contain pointers and you didn't just allocate it, then you need to
barrier right after.

I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.

* runtime/JSArray.cpp:
(JSC::JSArray::appendMemcpy):
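
As an added illustration that is not part of this commit or of JavaScriptCore, the following toy generational heap shows the rule stated in the log message: a memcpy of cell pointers into an old, already-allocated array leaves the copied pointees unmarked at the next nursery collection unless a barrier records the array right afterwards, while a freshly allocated array needs no barrier because the nursery is scanned in full. Every name in it (Cell, CellArray, Heap, the remembered set kept as a plain vector, the appendMemcpy and danglesAfterCollection helpers) is invented for the example and is not JSC's heap API.

```cpp
#include <cstddef>
#include <cstring>
#include <vector>

// Toy generational heap; every type here is invented for the illustration.
struct Cell {
    bool old;     // promoted out of the nursery; a nursery collection never reclaims it
    bool marked;  // mark bit used during a nursery collection
    bool freed;   // set when a nursery collection reclaims the cell
};

// An array whose element storage holds raw cell pointers, the analogue of a
// butterfly with contiguous (pointer-carrying) storage.
struct CellArray {
    Cell self;                 // the array's own header cell
    std::vector<Cell*> slots;  // element storage
};

struct Heap {
    std::vector<Cell*> nurseryCells;        // cells allocated since the last nursery GC
    std::vector<CellArray*> nurseryArrays;  // arrays allocated since the last nursery GC
    std::vector<CellArray*> remembered;     // old arrays written to since the last nursery GC

    Cell* allocateCell() {
        Cell* c = new Cell{false, false, false};
        nurseryCells.push_back(c);
        return c;
    }
    CellArray* allocateArray() {
        CellArray* a = new CellArray{Cell{false, false, false}, {}};
        nurseryArrays.push_back(a);
        return a;
    }

    // The barrier: record that an old object may now point into the nursery so the
    // next nursery collection rescans it. A young object needs no entry because the
    // nursery is scanned in full anyway ("you didn't just allocate it" in the log).
    void writeBarrier(CellArray* from) {
        if (from->self.old)
            remembered.push_back(from);
    }

    // Nursery-only collection. Old arrays outside the remembered set are deliberately
    // not scanned; that is what keeps it cheap and why an unbarriered store into an
    // old array leaves the new pointees unmarked.
    void collectNursery() {
        for (Cell* c : nurseryCells)
            c->marked = false;
        for (CellArray* a : nurseryArrays)
            for (Cell* c : a->slots)
                if (c) c->marked = true;
        for (CellArray* a : remembered)
            for (Cell* c : a->slots)
                if (c) c->marked = true;
        remembered.clear();
        for (Cell* c : nurseryCells) {
            if (c->marked)
                c->old = true;    // survivor: promote
            else
                c->freed = true;  // reclaimed: any remaining pointer to it dangles
        }
        nurseryCells.clear();
        for (CellArray* a : nurseryArrays)
            a->self.old = true;   // arrays are assumed to be rooted by the mutator
        nurseryArrays.clear();
    }
};

// Mirrors the contiguous branch of JSArray::appendMemcpy: a raw memcpy of pointers
// into dst, optionally followed by the barrier the patch adds.
void appendMemcpy(Heap& heap, CellArray* dst, size_t startIndex, Cell* const* src, size_t n, bool barrier) {
    if (dst->slots.size() < startIndex + n)
        dst->slots.resize(startIndex + n, nullptr);
    std::memcpy(dst->slots.data() + startIndex, src, sizeof(Cell*) * n);
    if (barrier)
        heap.writeBarrier(dst);
}

// Allocate dst, optionally age it into the old generation, memcpy two fresh nursery
// cells into it, collect the nursery, and report whether dst now points at a
// reclaimed cell (the use-after-free a real engine would be exposed to).
bool danglesAfterCollection(bool dstIsOld, bool barrier) {
    Heap heap;
    CellArray* dst = heap.allocateArray();
    if (dstIsOld)
        heap.collectNursery();  // promotes dst: it is no longer "just allocated"
    Cell* fresh[2] = { heap.allocateCell(), heap.allocateCell() };
    appendMemcpy(heap, dst, 0, fresh, 2, barrier);
    heap.collectNursery();      // the only references to fresh[] now live inside dst
    bool dangling = false;
    for (Cell* c : dst->slots)
        if (c && c->freed)
            dangling = true;
    for (Cell* c : fresh)
        delete c;
    delete dst;
    return dangling;
}
```

danglesAfterCollection(true, false) is the unbarriered case the patch closes and returns true; the barriered old array and both variants with a freshly allocated array return false, which is why the log message scopes the rule to arrays you did not just allocate. The toy models the barrier only as "put the object on a list that the next young-generation collection rescans"; JSC's real barrier also has to cooperate with its concurrent marker, which this example ignores.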

Modified Paths

releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog
releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/runtime/JSArray.cpp

Diff

Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog (230431 => 230432)


--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog	2018-04-09 15:46:45 UTC (rev 230431)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog	2018-04-09 15:46:50 UTC (rev 230432)
@@ -1,3 +1,19 @@
+2018-04-03  Filip Pizlo  <fpi...@apple.com>
+
+        JSArray::appendMemcpy seems to be missing a barrier
+        https://bugs.webkit.org/show_bug.cgi?id=184290
+
+        Reviewed by Mark Lam.
+        
+        If you write to an array that may contain pointers and you didn't just allocate it, then you need to
+        barrier right after.
+        
+        I don't know if this is really a bug - it's possible that all callers of appendMemcpy do things that
+        obviate the need for this barrier. But these barriers are cheap, so we should do them if in doubt.
+
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::appendMemcpy):
+
 2018-03-31  Filip Pizlo  <fpi...@apple.com>
 
         JSC crash in JIT code with for-of loop and Array/Set iterators
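Review bot: two of the added lines carry trailing whitespace (the blank lines after "Reviewed by Mark Lam." and after "barrier right after." are "+" followed by spaces); they should be empty lines like the rest of the entry. The entry also leaves its central question open ("I don't know if this is really a bug"): naming the appendMemcpy callers that were examined, and whether any of them can pass an already-allocated, non-nursery `this`, would let a later reader judge whether the barrier is load-bearing or merely defensive without re-deriving that from the code.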

Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/runtime/JSArray.cpp (230431 => 230432)


--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/runtime/JSArray.cpp	2018-04-09 15:46:45 UTC (rev 230431)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/runtime/JSArray.cpp	2018-04-09 15:46:50 UTC (rev 230432)
@@ -554,8 +554,10 @@
         }
     } else if (type == ArrayWithDouble)
         memcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength);
-    else
+    else {
         memcpy(butterfly()->contiguous().data() + startIndex, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength);
+        vm.heap.writeBarrier(this);
+    }
 
     return true;
 }
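Review bot: the barrier lands on the right branch and in the right order: only the contiguous() storage can hold cell pointers, the contiguousDouble() branch stores unboxed doubles and correctly gets no barrier, and calling vm.heap.writeBarrier(this) after the memcpy rather than before is what a generational collector needs, since the barrier has to cover stores that have already happened. Two things to confirm before landing: the first branch of this if/else chain (only its closing brace is in the hunk) must not store cell pointers into the butterfly without an equivalent barrier, and the else branch is reached by every indexing type other than ArrayWithDouble, so if an int32-only array can get here it pays the barrier too; that is harmless and matches "cheap, so do them if in doubt", but a `type == ArrayWithContiguous` guard around the barrier would make the intent explicit.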
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes