Branch: refs/heads/webkitglib/2.42
  Home:   https://github.com/WebKit/WebKit
  Commit: 00352dd86bfa102b6e4b792120e3ef3498a27d1e
      https://github.com/WebKit/WebKit/commit/00352dd86bfa102b6e4b792120e3ef3498a27d1e
  Author: Russell Epstein <[email protected]>
  Date:   2023-12-01 (Fri, 01 Dec 2023)

  Changed paths:
    M Source/JavaScriptCore/runtime/Structure.cpp

  Log Message:
  -----------
  Cherry-pick b0a755e34426. https://bugs.webkit.org/show_bug.cgi?id=265067

    Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure
    https://bugs.webkit.org/show_bug.cgi?id=265067
    rdar://118548733

    Reviewed by Justin Michaud and Mark Lam.

    Like Array shift/unshift, flattenDictionaryStructure is the other code which can shrink the butterfly for named properties (no other code does it).
    Compiler threads rely on the fact that normally named property storage is never shrunk. And we should catch this exceptional case by taking a cellLock
    in the compiler thread. But flattenDictionaryStructure is not taking cellLock correctly.

    This patch computes afterOutOfLineCapacity first to detect whether this flattening will shrink the butterfly.
    And if it is, then we take a cellLock. We do not need to take it if we do not shrink the butterfly.

    * Source/JavaScriptCore/runtime/Structure.cpp:
    (JSC::Structure::flattenDictionaryStructure):

    Canonical link: https://commits.webkit.org/267815.577@safari-7617-branch

    Canonical link: https://commits.webkit.org/[email protected]
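The locking rule the commit message describes, modelled as a small stand-alone example (added here; this is not WebKit's code and none of the names below are JSC's API): named-property storage on a cell normally only grows, so a concurrent reader can rely on an old slot index staying valid; the one mutator path that can shrink it computes the post-flatten capacity first and takes the cell lock only when the storage actually shrinks, while the compiler-thread read takes the lock around its bounds check and load. The slot layout, the zero-means-deleted convention and the power-of-two sizing policy are assumptions chosen for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <mutex>
#include <optional>
#include <vector>

// Hypothetical heap cell. `outOfLine` stands in for the butterfly's named-property
// slots (value 0 marks a deleted slot); `cellLock` stands in for JSC's cellLock.
// These are example names, not JSC's own API.
struct Cell {
    std::mutex cellLock;
    std::vector<uint64_t> outOfLine;
    size_t outOfLineCapacity = 0;
    bool isDictionary = true;
};

void initCell(Cell& cell, std::initializer_list<uint64_t> slots) {
    cell.outOfLine.assign(slots);
    cell.outOfLineCapacity = cell.outOfLine.size();
    cell.isDictionary = true;
}

// Assumed sizing policy for the example: room for the live slots, rounded up to a power of two.
static size_t capacityFor(size_t live) {
    if (live == 0)
        return 0;
    size_t c = 1;
    while (c < live)
        c <<= 1;
    return c;
}

struct FlattenResult {
    size_t beforeOutOfLineCapacity;
    size_t afterOutOfLineCapacity;
    bool tookCellLock;
};

// Mutator-side flattening. The post-flatten capacity is computed before the storage is
// touched, and the cell lock is taken only when the storage shrinks: growth leaves every
// old slot index valid, so concurrent readers do not have to be excluded for it.
FlattenResult flattenDictionaryStructure(Cell& cell) {
    size_t live = 0;
    for (uint64_t v : cell.outOfLine)
        if (v)
            ++live;
    const size_t before = cell.outOfLineCapacity;
    const size_t after = capacityFor(live);
    const bool shrinks = after < before;

    std::unique_lock<std::mutex> lock(cell.cellLock, std::defer_lock);
    if (shrinks)
        lock.lock(); // hold off getDirectConcurrently while slots move and capacity drops

    std::vector<uint64_t> compacted;
    compacted.reserve(after);
    for (uint64_t v : cell.outOfLine)
        if (v)
            compacted.push_back(v);
    compacted.resize(after, 0);
    cell.outOfLine.swap(compacted);
    cell.outOfLineCapacity = after;
    cell.isDictionary = false;
    return { before, after, shrinks };
}

// Compiler-thread read. Holding the cell lock makes the bounds check and the slot load
// one step with respect to a shrinking flatten on the mutator thread. If the writer side
// above did not also lock when shrinking, the check could pass and the load could then
// touch a slot that no longer exists.
std::optional<uint64_t> getDirectConcurrently(Cell& cell, size_t offset) {
    std::lock_guard<std::mutex> guard(cell.cellLock);
    if (offset >= cell.outOfLineCapacity)
        return std::nullopt;
    return cell.outOfLine[offset];
}

int main() {
    Cell cell;
    initCell(cell, { 10, 0, 20, 0, 0, 0, 0, 0 }); // constructed input: 8 slots allocated, 2 live
    FlattenResult r = flattenDictionaryStructure(cell);
    std::printf("capacity %zu -> %zu, cellLock taken: %s\n",
                r.beforeOutOfLineCapacity, r.afterOutOfLineCapacity, r.tookCellLock ? "yes" : "no");
    return 0;
}
```

The point to carry over to the real code is the ordering: the decision to lock is made from a capacity computed before any slot is moved, so the lock is never skipped on a shrinking path and never paid for on a growing one.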


  Commit: 64c92ce9b94f1e6f8a132b41ea4dff3aa5c31ad1
      https://github.com/WebKit/WebKit/commit/64c92ce9b94f1e6f8a132b41ea4dff3aa5c31ad1
  Author: Russell Epstein <[email protected]>
  Date:   2023-12-01 (Fri, 01 Dec 2023)

  Changed paths:
    M Source/JavaScriptCore/b3/B3LowerToAir.cpp
    M Source/JavaScriptCore/b3/air/AirValidate.cpp

  Log Message:
  -----------
  Cherry-pick 49ba637c4abb. <bug>

    Extr can overflow when imm=64, allowing a random register to be read
    rdar://118515062

    Reviewed by Yusuke Suzuki.

    Extr can overflow when imm=64, allowing a random register to be read.

    * Source/JavaScriptCore/b3/B3LowerToAir.cpp:
    * Source/JavaScriptCore/b3/air/AirValidate.cpp:

    Canonical link: https://commits.webkit.org/267815.574@safari-7617-branch

    Canonical link: https://commits.webkit.org/[email protected]
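Why an EXTR immediate of 64 can make the instruction read the wrong register, shown in terms of the A64 encoding as an added example (this is not WebKit's code and does not reproduce the B3LowerToAir or AirValidate changes in the patch; the page does not say which WebKit code path the bug took). In the 64-bit EXTR encoding the shift lives in the 6-bit imms field at bits 15:10 and Rm sits directly above it at bits 20:16, so an unmasked imm of 64 (bit 6) lands on bit 16 and flips the low bit of Rm while the shift silently becomes 0. The encoder and validator names below are assumptions for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <optional>

// A64 EXTR encoding (64-bit variant):
//   sf(31)=1 | 00 | 100111 | N(22)=1 | 0 | Rm[20:16] | imms[15:10] | Rn[9:5] | Rd[4:0]
// 0x93C00000 is that layout with every register and immediate field set to zero.
constexpr uint32_t kExtr64Base = 0x93C00000u;

constexpr unsigned kExtrImmShift = 10; // imms field is 6 bits wide starting here
constexpr unsigned kRmShift = 16;      // Rm field starts right above imms

// Field decoders, used to show where an out-of-range immediate ends up.
constexpr unsigned decodeRd(uint32_t insn)   { return insn & 0x1f; }
constexpr unsigned decodeRn(uint32_t insn)   { return (insn >> 5) & 0x1f; }
constexpr unsigned decodeRm(uint32_t insn)   { return (insn >> kRmShift) & 0x1f; }
constexpr unsigned decodeImms(uint32_t insn) { return (insn >> kExtrImmShift) & 0x3f; }

// Weak version (hypothetical): trusts its caller. imm is OR'ed into the word without a
// mask or a range check, so imm == 64 sets bit 16, the low bit of Rm.
constexpr uint32_t encodeExtr64Unchecked(unsigned rd, unsigned rn, unsigned rm, unsigned imm) {
    return kExtr64Base | (rm << kRmShift) | (imm << kExtrImmShift) | (rn << 5) | rd;
}

// The operand check a validator pass wants: for a width-bit EXTR the shift must be in
// [0, width), i.e. 0..63 for the 64-bit form. 64 is out of range even though "shift by
// the whole width" looks like a natural way to spell a no-op rotate.
constexpr bool isValidExtrImmediate(unsigned width, unsigned imm) {
    return imm < width;
}

// Hardened version (hypothetical): emits nothing for an operand that does not fit its field.
std::optional<uint32_t> encodeExtr64(unsigned rd, unsigned rn, unsigned rm, unsigned imm) {
    if (rd > 31 || rn > 31 || rm > 31 || !isValidExtrImmediate(64, imm))
        return std::nullopt;
    return encodeExtr64Unchecked(rd, rn, rm, imm);
}

int main() {
    // extr x0, x1, x2, #8 encodes as 0x93C22020
    uint32_t good = encodeExtr64Unchecked(0, 1, 2, 8);
    uint32_t bad = encodeExtr64Unchecked(0, 1, 2, 64);
    std::printf("imm=8:  %08x Rm=x%u imms=%u\n", good, decodeRm(good), decodeImms(good));
    std::printf("imm=64: %08x Rm=x%u imms=%u  (Rm corrupted, shift silently 0)\n",
                bad, decodeRm(bad), decodeImms(bad));
    std::printf("checked encoder accepts imm=64: %s\n", encodeExtr64(0, 1, 2, 64) ? "yes" : "no");
    return 0;
}
```

With Rm = x2 requested, the unchecked word for imm=64 decodes to Rm = x3 and imms = 0: the emitted instruction reads a register the compiler never named. Rejecting the immediate at validation time, rather than masking it, is the right fix because masking would still emit a wrong-but-well-formed instruction.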


Compare: https://github.com/WebKit/WebKit/compare/44aeb48d175d...64c92ce9b94f
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
