[webkit-changes] [245652] trunk

[tzagallo]

Title: [245652] trunk

Revision

245652

Author

tzaga...@apple.com

Date

2019-05-22 15:19:38 -0700 (Wed, 22 May 2019)

Log Message

JSTests:
llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
https://bugs.webkit.org/show_bug.cgi?id=198120
<rdar://problem/49668795>

Reviewed by Michael Saboff.

* stress/get-array-length-concurrently-change-mode.js: Added.
(main):

Source/_javascript_Core:
llint_slow_path_get_by_id needs to hold the CodeBlock's lock to update the metadata's mode
https://bugs.webkit.org/show_bug.cgi?id=198120
<rdar://problem/49668795>

Reviewed by Michael Saboff.

There are two places in llint_slow_path_get_by_id where we change the
metadata's mode without holding the CodeBlock's lock. This is an issue
when switching to and from ArrayLength mode, since other places can
either get a pointer to an array profile that will be overwritten or
an array profile that hasn't yet been initialized.

* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):

Modified Paths

• trunk/JSTests/ChangeLog
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp

Added Paths

• trunk/JSTests/stress/get-array-length-concurrently-change-mode.js

Diff

Modified: trunk/JSTests/ChangeLog (245651 => 245652)

--- trunk/JSTests/ChangeLog	2019-05-22 22:08:25 UTC (rev 245651)
+++ trunk/JSTests/ChangeLog	2019-05-22 22:19:38 UTC (rev 245652)
@@ -1,3 +1,14 @@
+2019-05-22  Tadeu Zagallo  <tzaga...@apple.com>
+
+        llint_slow_path_get_by_id needs to hold the CodeBlock's to update the metadata's mode
+        https://bugs.webkit.org/show_bug.cgi?id=198120
+        <rdar://problem/49668795>
+
+        Reviewed by Michael Saboff.
+
+        * stress/get-array-length-concurrently-change-mode.js: Added.
+        (main):
+
 2019-05-22  Commit Queue  <commit-qu...@webkit.org>
 
         Unreviewed, rolling out r245634.

Added: trunk/JSTests/stress/get-array-length-concurrently-change-mode.js (0 => 245652)

--- trunk/JSTests/stress/get-array-length-concurrently-change-mode.js	                        (rev 0)
+++ trunk/JSTests/stress/get-array-length-concurrently-change-mode.js	2019-05-22 22:19:38 UTC (rev 245652)
@@ -0,0 +1,19 @@
+//@ requireOptions("--watchdog=10000", "--watchdog-exception-ok")
+function main() {
+    runString(`
+        function bar(_a) {
+          eval(_a);
+          arguments.length = 0;
+          var array = [
+            arguments,
+            [0]
+          ];
+          var result = 0;
+          for (var i = 0; i < 1000000; ++i)
+            result += array[i % array.length].length;
+        }
+        bar('bar()');
+    `);
+    main();
+}
+main();

Modified: trunk/Source/_javascript_Core/ChangeLog (245651 => 245652)

--- trunk/Source/_javascript_Core/ChangeLog	2019-05-22 22:08:25 UTC (rev 245651)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-05-22 22:19:38 UTC (rev 245652)
@@ -1,3 +1,20 @@
+2019-05-22  Tadeu Zagallo  <tzaga...@apple.com>
+
+        llint_slow_path_get_by_id needs to hold the CodeBlock's lock to update the metadata's mode
+        https://bugs.webkit.org/show_bug.cgi?id=198120
+        <rdar://problem/49668795>
+
+        Reviewed by Michael Saboff.
+
+        There are two places in llint_slow_path_get_by_id where we change the
+        metadata's mode without holding the CodeBlock's lock. This is an issue
+        when switching to and from ArrayLength mode, since other places can
+        either get a pointer to an array profile that will be overwritten or
+        an array profile that hasn't yet been initialized.
+
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+
 2019-05-22  Commit Queue  <commit-qu...@webkit.org>
 
         Unreviewed, rolling out r245634.

Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (245651 => 245652)

--- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2019-05-22 22:08:25 UTC (rev 245651)
+++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2019-05-22 22:19:38 UTC (rev 245652)
@@ -803,6 +803,8 @@
         JSCell* baseCell = baseValue.asCell();
         Structure* structure = baseCell->structure(vm);
         if (slot.isValue() && slot.slotBase() == baseValue) {
+            ConcurrentJSLocker locker(codeBlock->m_lock);
+
             // Start out by clearing out the old cache.
             metadata.m_mode = GetByIdMode::Default;
             metadata.m_modeMetadata.defaultMode.structureID = 0;
@@ -814,8 +816,6 @@
             if (structure->propertyAccessesAreCacheable()
                 && !structure->needImpurePropertyWatchpoint()) {
                 vm.heap.writeBarrier(codeBlock);
-                
-                ConcurrentJSLocker locker(codeBlock->m_lock);
 
                 metadata.m_modeMetadata.defaultMode.structureID = structure->id();
                 metadata.m_modeMetadata.defaultMode.cachedOffset = slot.cachedOffset();
@@ -829,6 +829,7 @@
     } else if (!LLINT_ALWAYS_ACCESS_SLOW
         && isJSArray(baseValue)
         && ident == vm.propertyNames->length) {
+        ConcurrentJSLocker locker(codeBlock->m_lock);
         metadata.m_mode = GetByIdMode::ArrayLength;
         new (&metadata.m_modeMetadata.arrayLengthMode.arrayProfile) ArrayProfile(codeBlock->bytecodeOffset(pc));
         metadata.m_modeMetadata.arrayLengthMode.arrayProfile.observeStructure(baseValue.asCell()->structure(vm));

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes