Title: [241610] trunk/Source/_javascript_Core
Revision
241610
Author
[email protected]
Date
2019-02-15 13:21:44 -0800 (Fri, 15 Feb 2019)

Log Message

[JSC] DFG, FTL, and Wasm worklist creation should be fenced
https://bugs.webkit.org/show_bug.cgi?id=194714

Reviewed by Mark Lam.

Let's consider the following extreme case.

1. VM (A) is created.
2. Another VM (B) is created on a different thread.
3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
6. (A) sees the half-baked worklist, which may be in the middle of creation.

This patch puts a store-store fence just before putting a pointer to a global variable.
This fence is executed only three times at most, for DFG, FTL, and Wasm worklist initializations.

* dfg/DFGWorklist.cpp:
(JSC::DFG::ensureGlobalDFGWorklist):
(JSC::DFG::ensureGlobalFTLWorklist):
* wasm/WasmWorklist.cpp:
(JSC::Wasm::ensureWorklist):
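The publication pattern the patch introduces, written as a stand-alone C++ example added here (not WebKit's code; `Worklist` is a constructed stand-in and `existingWorklistOrNull` is a hypothetical analogue of DFG::existingWorklistForIndexOrNull): the writer constructs, fences, then stores the pointer, and a reader that bypasses call_once pairs an acquire load with that fence. std::atomic_thread_fence(memory_order_release) stands in for WTF::storeStoreFence(), and the global is made atomic so the bypassing read is not a data race.

```cpp
#include <atomic>
#include <mutex>
#include <string>
#include <thread>
// Stand-in for JSC::DFG::Worklist (a constructed shape, not the real class): constructor-written
// fields plus a sentinel that lets a reader detect a half-constructed object.
static constexpr unsigned kMagic = 0xC0FFEE;
struct Worklist {
    std::string name;
    unsigned numberOfThreads;
    unsigned magic;
    Worklist(std::string n, unsigned threads) : name(std::move(n)), numberOfThreads(threads), magic(kMagic) {}
};
// Atomic so that a reader bypassing call_once is not a data race under the C++ memory model.
static std::atomic<Worklist*> theGlobalWorklist { nullptr };

// Analogue of ensureGlobalDFGWorklist() after r241610: construct, fence, then publish.
Worklist& ensureGlobalWorklist() {
    static std::once_flag initializeOnceFlag;
    std::call_once(initializeOnceFlag, [] {
        Worklist* worklist = new Worklist("DFG", 2); // leaked on purpose, like leakRef()
        // Standard-library analogue of WTF::storeStoreFence(): the constructor's stores become
        // visible before the pointer store that follows.
        std::atomic_thread_fence(std::memory_order_release);
        theGlobalWorklist.store(worklist, std::memory_order_relaxed);
    });
    return *theGlobalWorklist.load(std::memory_order_relaxed); // call_once already synchronized
}
// Analogue of existingWorklistForIndexOrNull(): reads the global without call_once, so it may
// see nullptr, but its acquire load pairs with the release fence above, so a non-null pointer
// always refers to a fully constructed object.
Worklist* existingWorklistOrNull() {
    return theGlobalWorklist.load(std::memory_order_acquire);
}
// The commit's scenario: VM (B) initializes on one thread while VM (A) polls on another.
// Returns true if every non-null observation was of a complete Worklist.
bool raceObservesOnlyCompleteWorklist() {
    std::atomic<bool> stop { false }, sawTornObject { false };
    std::thread vmA([&] {
        while (!stop.load(std::memory_order_relaxed)) {
            if (Worklist* w = existingWorklistOrNull())
                if (w->magic != kMagic || w->name != "DFG" || w->numberOfThreads != 2) sawTornObject = true;
        }
    });
    ensureGlobalWorklist(); // VM (B)
    stop = true;
    vmA.join();
    return !sawTornObject.load();
}
```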

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (241609 => 241610)


--- trunk/Source/_javascript_Core/ChangeLog	2019-02-15 21:18:47 UTC (rev 241609)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-02-15 21:21:44 UTC (rev 241610)
@@ -1,3 +1,28 @@
+2019-02-15  Yusuke Suzuki  <[email protected]>
+
+        [JSC] DFG, FTL, and Wasm worklist creation should be fenced
+        https://bugs.webkit.org/show_bug.cgi?id=194714
+
+        Reviewed by Mark Lam.
+
+        Let's consider about the following extreme case.
+
+        1. VM (A) is created.
+        2. Another VM (B) is created on a different thread.
+        3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
+        4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
+        5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
+        6. (A) sees the half-baked worklist, which may be in the middle of creation.
+
+        This patch puts store-store fence just before putting a pointer to a global variable.
+        This fence is executed only three times at most, for DFG, FTL, and Wasm worklist initializations.
+
+        * dfg/DFGWorklist.cpp:
+        (JSC::DFG::ensureGlobalDFGWorklist):
+        (JSC::DFG::ensureGlobalFTLWorklist):
+        * wasm/WasmWorklist.cpp:
+        (JSC::Wasm::ensureWorklist):
+
 2019-02-15  Commit Queue  <[email protected]>
 
         Unreviewed, rolling out r241559 and r241566.
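Review bot: the entry explains only the writer side of the race; it should also say why the reader in DFG::existingWorklistForIndexOrNull needs no matching fence (the worklist is reached only through the pointer that was just loaded, so the reader relies on dependent-load ordering), because a store-store fence on the publisher does not by itself order an independent load on the other thread, and a future reader that does not go through the loaded pointer would need an acquire.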

Modified: trunk/Source/_javascript_Core/dfg/DFGWorklist.cpp (241609 => 241610)


--- trunk/Source/_javascript_Core/dfg/DFGWorklist.cpp	2019-02-15 21:18:47 UTC (rev 241609)
+++ trunk/Source/_javascript_Core/dfg/DFGWorklist.cpp	2019-02-15 21:21:44 UTC (rev 241610)
@@ -570,7 +570,9 @@
 {
     static std::once_flag initializeGlobalWorklistOnceFlag;
     std::call_once(initializeGlobalWorklistOnceFlag, [] {
-        theGlobalDFGWorklist = &Worklist::create("DFG", getNumberOfDFGCompilerThreads(), Options::priorityDeltaOfDFGCompilerThreads()).leakRef();
+        Worklist* worklist = &Worklist::create("DFG", getNumberOfDFGCompilerThreads(), Options::priorityDeltaOfDFGCompilerThreads()).leakRef();
+        WTF::storeStoreFence();
+        theGlobalDFGWorklist = worklist;
     });
     return *theGlobalDFGWorklist;
 }
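Review bot: theGlobalDFGWorklist is still written with a plain store and, per the ChangeLog, read by existingWorklistForIndexOrNull without going through std::call_once, so the publication remains a data race in the C++ memory model even with WTF::storeStoreFence() in between; consider making the global an atomic (e.g. std::atomic<Worklist*>) with a release store, or at minimum a comment at the fence saying it exists for readers that bypass call_once, since callers of ensureGlobalDFGWorklist() are already synchronized by call_once and the `return *theGlobalDFGWorklist;` path does not need it.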
@@ -586,7 +588,9 @@
 {
     static std::once_flag initializeGlobalWorklistOnceFlag;
     std::call_once(initializeGlobalWorklistOnceFlag, [] {
-        theGlobalFTLWorklist = &Worklist::create("FTL", getNumberOfFTLCompilerThreads(), Options::priorityDeltaOfFTLCompilerThreads()).leakRef();
+        Worklist* worklist = &Worklist::create("FTL", getNumberOfFTLCompilerThreads(), Options::priorityDeltaOfFTLCompilerThreads()).leakRef();
+        WTF::storeStoreFence();
+        theGlobalFTLWorklist = worklist;
     });
     return *theGlobalFTLWorklist;
 }
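Review bot: this lambda is identical to the DFG one apart from the names, and the construct/fence/publish order is now the thing a future worklist must not get wrong; consider a small helper that takes the created Worklist* and does `WTF::storeStoreFence();` before returning it for assignment, so the ordering lives in one place rather than being copied into each ensure*Worklist function.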

Modified: trunk/Source/_javascript_Core/wasm/WasmWorklist.cpp (241609 => 241610)


--- trunk/Source/_javascript_Core/wasm/WasmWorklist.cpp	2019-02-15 21:18:47 UTC (rev 241609)
+++ trunk/Source/_javascript_Core/wasm/WasmWorklist.cpp	2019-02-15 21:21:44 UTC (rev 241610)
@@ -232,7 +232,9 @@
 {
     static std::once_flag initializeWorklist;
     std::call_once(initializeWorklist, [] {
-        globalWorklist = new Worklist();
+        Worklist* worklist = new Worklist();
+        WTF::storeStoreFence();
+        globalWorklist = worklist;
     });
     return *globalWorklist;
 }
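Review bot: the ChangeLog motivates the fence with DFG::existingWorklistForIndexOrNull, but it does not say whether wasm/WasmWorklist.cpp has an equivalent reader of globalWorklist that bypasses std::call_once; if it does, name it in the ChangeLog, and if it does not, the fence is harmless but unnecessary for callers of ensureWorklist(), which call_once already synchronizes, so a comment here should record which reader it protects.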