Title: [258582] branches/safari-609-branch/Source/JavaScriptCore
Revision
258582
Author
[email protected]
Date
2020-03-17 13:39:17 -0700 (Tue, 17 Mar 2020)

Log Message

Cherry-pick r258381. rdar://problem/60539195

    DFG nodes that take a TypedArray's storage need to keepAlive the TypedArray
    https://bugs.webkit.org/show_bug.cgi?id=209035

    Reviewed by Saam Barati.

    It might be possible to produce a graph where the last reference to a TypedArray
    is via a GetByVal or PutByVal. Since those nodes don't create any reference to the
    TypedArray in B3 we may end up not keeping the TypedArray alive until after the
    storage access.

    * ftl/FTLLowerDFGToB3.cpp:
    (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
    (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
    (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258381 268f45cc-cd09-0410-ab3c-d52691b4dbfc
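An added stress-test-style example of the graph shape the commit message describes, written for this page and not taken from the WebKit patch or its test suite (all function names, sizes and iteration counts are my own choices). In each helper the TypedArray object's only remaining use is the element access itself (GetByVal, PutByVal, or an Atomics read-modify-write), so once a JIT has lowered the access to a raw storage pointer nothing else references the object. The script only checks the computed values; on an engine that drops the base object before the storage access the expected symptom is a crash or a garbage value rather than a failed assertion.

```javascript
// Added example (not WebKit code): exercises element accesses whose base
// TypedArray has no other use, the lifetime hazard fixed by r258381.

function makeArray(n) {
    const a = new Float64Array(n);
    for (let i = 0; i < n; i++) a[i] = i * 0.5;
    return a;
}

// GetByVal: the temporary Float64Array is used only by the element read.
function lastUseIsRead(n, idx) {
    return makeArray(n)[idx];
}

// PutByVal: the temporary is used only by the element write.
function lastUseIsWrite(n, idx, v) {
    return (makeArray(n)[idx] = v);
}

// AtomicsReadModifyWrite: the Int32Array view is used only by Atomics.add.
// Each call gets a fresh zeroed buffer, so the returned old value is 0.
function lastUseIsAtomicAdd(v) {
    return Atomics.add(new Int32Array(new SharedArrayBuffer(64)), 3, v);
}

// Allocate short-lived garbage to encourage a collection between the point
// where the base object becomes unreachable and the storage access.
function churn(k) {
    let keep = null;
    for (let i = 0; i < k; i++) keep = { i, pad: new Array(16).fill(i) };
    return keep.i;
}

// Runs each shape `iterations` times (enough to tier up in a JIT) and
// returns per-shape checksums so the result can be verified independently.
function stress(iterations) {
    let readSum = 0, writeSum = 0, atomicOld = 0;
    for (let i = 0; i < iterations; i++) {
        const idx = i & 63;
        readSum += lastUseIsRead(64, idx);
        writeSum += lastUseIsWrite(64, idx, idx + 1);
        atomicOld += lastUseIsAtomicAdd(7);
        if ((i & 1023) === 0) churn(512);
    }
    return { readSum, writeSum, atomicOld };
}

// Closed forms for the checksums when `iterations` is a multiple of 64.
function expected(iterations) {
    const blocks = iterations / 64;
    return {
        readSum: blocks * 0.5 * (63 * 64 / 2), // sum of idx * 0.5 over idx 0..63
        writeSum: blocks * (64 * 65 / 2),      // sum of idx + 1 over idx 0..63
        atomicOld: 0,                          // fresh buffer each call, old value is 0
    };
}

console.log(JSON.stringify(stress(64 * 200)));
```

Run it under the engine being tested with the JIT enabled; the three helpers are deliberately separate functions so that each tier compiles exactly one access kind against a base that is dead immediately after the access.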

Modified Paths

Diff

Modified: branches/safari-609-branch/Source/JavaScriptCore/ChangeLog (258581 => 258582)


--- branches/safari-609-branch/Source/_javascript_Core/ChangeLog	2020-03-17 20:39:14 UTC (rev 258581)
+++ branches/safari-609-branch/Source/_javascript_Core/ChangeLog	2020-03-17 20:39:17 UTC (rev 258582)
@@ -1,3 +1,42 @@
+2020-03-17  Alan Coon  <[email protected]>
+
+        Cherry-pick r258381. rdar://problem/60539195
+
+    DFG nodes that take a TypedArray's storage need to keepAlive the TypedArray
+    https://bugs.webkit.org/show_bug.cgi?id=209035
+    
+    Reviewed by Saam Barati.
+    
+    It might be possible to produce a graph where the last reference to a TypedArray
+    is via a GetByVal or PutByVal. Since those nodes don't create any reference to the
+    TypedArray in B3 we may end up not keeping the TypedArray alive until after the
+    storage access.
+    
+    * ftl/FTLLowerDFGToB3.cpp:
+    (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
+    (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+    (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258381 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-03-12  Keith Miller  <[email protected]>
+
+            DFG nodes that take a TypedArray's storage need to keepAlive the TypedArray
+            https://bugs.webkit.org/show_bug.cgi?id=209035
+
+            Reviewed by Saam Barati.
+
+            It might be possible to produce a graph where the last reference to a TypedArray
+            is via a GetByVal or PutByVal. Since those nodes don't create any reference to the
+            TypedArray in B3 we may end up not keeping the TypedArray alive until after the
+            storage access.
+
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
+            (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+            (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
+
 2020-03-09  Alan Coon  <[email protected]>
 
         Apply patch. rdar://problem/60183769

Modified: branches/safari-609-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (258581 => 258582)


--- branches/safari-609-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2020-03-17 20:39:14 UTC (rev 258581)
+++ branches/safari-609-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2020-03-17 20:39:17 UTC (rev 258582)
@@ -3818,7 +3818,9 @@
         // the typed array storage, since that's as precise of an abstraction as we can have of shared
         // array buffer storage.
         m_heaps.decorateFencedAccess(&m_heaps.typedArrayProperties, atomicValue);
-        
+
+        // We have to keep base alive since that keeps storage alive.
+        keepAlive(lowCell(baseEdge));
         setIntTypedArrayLoadResult(result, type);
     }
     
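Review bot: keepAlive(lowCell(baseEdge)) is placed after the fenced atomic access and before setIntTypedArrayLoadResult, which is the right order, since the keep-alive must follow the last use of the storage pointer; confirm that every path through compileAtomicsReadModifyWrite that touches storage reaches this point, as the hunk adds the call on this one path only. Lowering base once into a local next to the storage lowering, as the compileGetByVal hunk below does, would make that audit easier and avoid re-lowering the edge here.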
@@ -4632,6 +4634,7 @@
         case Array::Uint32Array:
         case Array::Float32Array:
         case Array::Float64Array: {
+            LValue base = lowCell(m_graph.varArgChild(m_node, 0));
             LValue index = lowInt32(m_graph.varArgChild(m_node, 1));
             LValue storage = lowStorage(m_graph.varArgChild(m_node, 2));
             
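Review bot: base is lowered here but nothing in this hunk consumes it; its only use is the keepAlive(base) added further down this case block, so a one-line comment next to the lowering saying it exists solely to be kept alive after the load would stop a future cleanup from removing an apparently unused local. Note also that lowCell asserts the child is a cell, which holds for child 0 of a typed-array GetByVal but is worth keeping in mind if this block is ever shared with a non-cell base.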
@@ -4661,6 +4664,8 @@
                     DFG_CRASH(m_graph, m_node, "Bad typed array type");
                 }
                 
+                // We have to keep base alive since that keeps storage alive.
+                keepAlive(base);
                 setDouble(result);
                 return;
             }
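Review bot: keepAlive(base) is added only on the float path, after the switch that produces result and before setDouble; the case labels in the earlier hunk also cover Int8Array through Uint32Array, whose loads return earlier in this block via the integer path, so confirm that path keeps base alive as well, otherwise the same lifetime gap remains for integer typed arrays. The placement itself is correct: the keep-alive must come after the storage load, not before, or B3 may treat base as dead at the load.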
@@ -5027,6 +5032,8 @@
                     m_out.appendTo(continuation, lastNext);
                 }
                 
+                // We have to keep base alive since that keeps storage alive.
+                keepAlive(base);
                 return;
             }
         }
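Review bot: unlike the compileGetByVal change, no LValue base lowering is added to compilePutByVal in this diff, so keepAlive(base) relies on a base local already in scope; confirm it is the lowered child 0 of this node (the typed array whose storage is being written) and not a base from an enclosing case. Placing the call after m_out.appendTo(continuation, lastNext) is right, since both the in-bounds store and the out-of-bounds branch merge at that continuation and therefore precede the keep-alive.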
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
