Title: [258381] trunk/Source/JavaScriptCore
- Revision
- 258381
- Author
- [email protected]
- Date
- 2020-03-12 21:16:36 -0700 (Thu, 12 Mar 2020)
Log Message
DFG nodes that take a TypedArray's storage need to keepAlive the TypedArray
https://bugs.webkit.org/show_bug.cgi?id=209035
Reviewed by Saam Barati.
It might be possible to produce a graph where the last reference to a TypedArray
is via a GetByVal or PutByVal. Since those nodes don't create any reference to the
TypedArray in B3 we may end up not keeping the TypedArray alive until after the
storage access.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
(JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (258380 => 258381)
--- trunk/Source/_javascript_Core/ChangeLog 2020-03-13 03:47:55 UTC (rev 258380)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-03-13 04:16:36 UTC (rev 258381)
@@ -1,3 +1,20 @@
+2020-03-12 Keith Miller <[email protected]>
+
+ DFG nodes that take a TypedArray's storage need to keepAlive the TypedArray
+ https://bugs.webkit.org/show_bug.cgi?id=209035
+
+ Reviewed by Saam Barati.
+
+ It might be possible to produce a graph where the last reference to a TypedArray
+ is via a GetByVal or PutByVal. Since those nodes don't create any reference to the
+ TypedArray in B3 we may end up not keeping the TypedArray alive until after the
+ storage access.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+ (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
+
2020-03-12 Yusuke Suzuki <[email protected]>
[JSC] Use CacheableIdentifier in ByValInfo
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (258380 => 258381)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2020-03-13 03:47:55 UTC (rev 258380)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2020-03-13 04:16:36 UTC (rev 258381)
@@ -3838,7 +3838,9 @@
// the typed array storage, since that's as precise of an abstraction as we can have of shared
// array buffer storage.
m_heaps.decorateFencedAccess(&m_heaps.typedArrayProperties, atomicValue);
-
+
+ // We have to keep base alive since that keeps storage alive.
+ keepAlive(lowCell(baseEdge));
setIntTypedArrayLoadResult(result, type);
}
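Review bot: the ordering here is the important part and it is right: keepAlive(lowCell(baseEdge)) comes after the atomic read-modify-write has been emitted and before setIntTypedArrayLoadResult, so the pin on the owning TypedArray outlives the last access to its storage; placing it any earlier would let B3 treat the cell as dead before the storage access. Minor: the `-`/`+` pair on the blank line is whitespace-only churn and could be dropped from the patch. Since the log message names only GetByVal and PutByVal, it would be worth auditing the other lowerings in this file that consume a storage edge without otherwise referencing the owning cell, as they have the same exposure.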
@@ -4693,6 +4695,7 @@
case Array::Uint32Array:
case Array::Float32Array:
case Array::Float64Array: {
+ LValue base = lowCell(m_graph.varArgChild(m_node, 0));
LValue index = lowInt32(m_graph.varArgChild(m_node, 1));
LValue storage = lowStorage(m_graph.varArgChild(m_node, 2));
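Review bot: the new `base` local is lowered here but not used until the keepAlive(base) added further down at 4725. That split is deliberate and correct (the pin has to follow the loads from `storage`, not precede them), but it leaves a long-lived local whose only purpose is liveness; a short comment at the declaration saying it exists for the keepAlive would save the next reader from looking for a missing use.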
@@ -4722,6 +4725,8 @@
DFG_CRASH(m_graph, m_node, "Bad typed array type");
}
+ // We have to keep base alive since that keeps storage alive.
+ keepAlive(base);
setDouble(result);
return;
}
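Review bot: keepAlive(base) is added only on the path that ends in setDouble(result), i.e. the Float32/Float64 loads. The case labels at 4693 share one block with the integer element types, so please confirm that the integer load path does not return earlier (for example through setIntTypedArrayLoadResult) without passing a keepAlive; if it does, those loads keep the original bug and need the same call before their return, mirroring the compileAtomicsReadModifyWrite hunk.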
@@ -5088,6 +5093,8 @@
m_out.appendTo(continuation, lastNext);
}
+ // We have to keep base alive since that keeps storage alive.
+ keepAlive(base);
return;
}
}
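Review bot: `base` is not introduced in this hunk, so compilePutByVal must already have a local of that name in scope at 5093; that cannot be verified from the diff, so please double-check it is the lowered base cell and not something narrower. Placement after m_out.appendTo(continuation, lastNext) is correct, since every store branch has been emitted by then. Style: the identical two-line comment plus keepAlive call now appears three times; a small helper (hypothetical name: keepAliveStorageOwner(base)) would keep the rationale in one place and make the pin harder to forget in the next lowering that takes a storage edge.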
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes