Title: [154245] trunk/Source/_javascript_Core
Revision
154245
Author
[email protected]
Date
2013-08-17 20:08:52 -0700 (Sat, 17 Aug 2013)

Log Message

<https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML

Reviewed by Filip Pizlo.

Added a new mode for DesiredWriteBarrier that allows it to track a position in a
Vector of WriteBarriers rather than the specific address. The fact that we were
arbitrarily storing into a Vector's backing store for constants at the end of
compilation after the Vector could have resized was causing crashes.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::constants):
(JSC::CodeBlock::addConstantLazily):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addConstant):
* dfg/DFGDesiredWriteBarriers.cpp:
(JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
(JSC::DFG::DesiredWriteBarrier::trigger):
(JSC::DFG::initializeLazyWriteBarrierForConstant):
* dfg/DFGDesiredWriteBarriers.h:
(JSC::DFG::DesiredWriteBarriers::add):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::truncateConstantToInt32):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::constantRegisterForConstant):

Modified: trunk/Source/_javascript_Core/ChangeLog (154244 => 154245)


--- trunk/Source/_javascript_Core/ChangeLog	2013-08-18 02:55:11 UTC (rev 154244)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-08-18 03:08:52 UTC (rev 154245)
@@ -1,3 +1,30 @@
+2013-08-17  Mark Hahnenberg  <[email protected]>
+
+        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
+
+        Reviewed by Filip Pizlo.
+
+        Added a new mode for DesiredWriteBarrier that allows it to track a position in a 
+        Vector of WriteBarriers rather than the specific address. The fact that we were 
+        arbitrarily storing into a Vector's backing store for constants at the end of 
+        compilation after the Vector could have resized was causing crashes.
+
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::constants):
+        (JSC::CodeBlock::addConstantLazily):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::addConstant):
+        * dfg/DFGDesiredWriteBarriers.cpp:
+        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
+        (JSC::DFG::DesiredWriteBarrier::trigger):
+        (JSC::DFG::initializeLazyWriteBarrierForConstant):
+        * dfg/DFGDesiredWriteBarriers.h:
+        (JSC::DFG::DesiredWriteBarriers::add):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::truncateConstantToInt32):
+        * dfg/DFGGraph.h:
+        (JSC::DFG::Graph::constantRegisterForConstant):
+
 2013-08-16  Filip Pizlo  <[email protected]>
 
         DFG should optimize typedArray.byteLength

Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.h (154244 => 154245)


--- trunk/Source/_javascript_Core/bytecode/CodeBlock.h	2013-08-18 02:55:11 UTC (rev 154244)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.h	2013-08-18 03:08:52 UTC (rev 154245)
@@ -684,6 +684,7 @@
     const Identifier& identifier(int index) const { return m_unlinkedCode->identifier(index); }
 #endif
 
+    Vector<WriteBarrier<Unknown> >& constants() { return m_constantRegisters; }
     size_t numberOfConstantRegisters() const { return m_constantRegisters.size(); }
     unsigned addConstant(JSValue v)
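Review bot: The new `constants()` accessor on the `+` line hands out a mutable reference to the very Vector whose element addresses this change stops caching, so any caller that keeps `constants()[i]` across an `addConstant()`/`addConstantLazily()` call reintroduces the dangling-reference bug being fixed; a comment on the accessor would make the contract explicit, e.g. `// Element references are invalidated by addConstant()/addConstantLazily(); hold an index, not a reference.` Relatedly, `addConstantLazily()` in the next hunk narrows `m_constantRegisters.size()` into an `unsigned` while `numberOfConstantRegisters()` returns `size_t`; this mirrors the existing `addConstant(JSValue)`, so it is consistent, but the two return types are worth reconciling at some point.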
     {
@@ -693,10 +694,11 @@
         return result;
     }
 
-    WriteBarrier<Unknown>& addConstantLazily()
+    unsigned addConstantLazily()
     {
+        unsigned result = m_constantRegisters.size();
         m_constantRegisters.append(WriteBarrier<Unknown>());
-        return m_constantRegisters.last();
+        return result;
     }
 
     bool findConstant(JSValue, unsigned& result);

Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (154244 => 154245)


--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2013-08-18 02:55:11 UTC (rev 154244)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2013-08-18 03:08:52 UTC (rev 154245)
@@ -403,8 +403,8 @@
 
     void addConstant(JSValue value)
     {
-        initializeLazyWriteBarrier(
-            m_codeBlock->addConstantLazily(), 
+        initializeLazyWriteBarrierForConstant(
+            m_codeBlock,
             m_graph.m_plan.writeBarriers, 
             m_codeBlock->ownerExecutable(), 
             value);

Modified: trunk/Source/_javascript_Core/dfg/DFGDesiredWriteBarriers.cpp (154244 => 154245)


--- trunk/Source/_javascript_Core/dfg/DFGDesiredWriteBarriers.cpp	2013-08-18 02:55:11 UTC (rev 154244)
+++ trunk/Source/_javascript_Core/dfg/DFGDesiredWriteBarriers.cpp	2013-08-18 03:08:52 UTC (rev 154245)
@@ -26,19 +26,42 @@
 #include "config.h"
 #include "DFGDesiredWriteBarriers.h"
 
+#include "CodeBlock.h"
 #include "JSCJSValueInlines.h"
 
 namespace JSC { namespace DFG {
 
 DesiredWriteBarrier::DesiredWriteBarrier(WriteBarrier<Unknown>* barrier, JSCell* owner)
-    : m_barrier(barrier)
-    , m_owner(owner)
+    : m_owner(owner)
+    , m_type(NormalType)
 {
+    u.m_barrier = barrier;
 }
 
+DesiredWriteBarrier::DesiredWriteBarrier(Vector<WriteBarrier<Unknown> >* barriers, unsigned index, JSCell* owner)
+    : m_owner(owner)
+    , m_type(VectorType)
+{
+    u.barrier_vector.m_barriers = barriers;
+    u.barrier_vector.m_index = index;
+}
+
 void DesiredWriteBarrier::trigger(VM& vm)
 {
-    m_barrier->set(vm, m_owner, m_barrier->get());
+    switch (m_type) {
+    case NormalType: {
+        u.m_barrier->set(vm, m_owner, u.m_barrier->get());
+        break;
+    }
+
+    case VectorType: {
+        unsigned index = u.barrier_vector.m_index;
+        WriteBarrier<Unknown>& barrier = u.barrier_vector.m_barriers->at(index);
+        barrier.set(vm, m_owner, barrier.get());
+        break;
+    }
+
+    }
 }
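Review bot: The `switch (m_type)` in `trigger()` has no `default` arm, so an unexpected tag value silently triggers no barrier at all; adding `default: ASSERT_NOT_REACHED(); break;` (and dropping the stray blank line before the closing brace) makes it explicit that both enumerators are handled. The new `VectorType` constructor stores a raw pointer to the `Vector` itself, which from the call in `initializeLazyWriteBarrierForConstant` below is the CodeBlock's `m_constantRegisters` member, so the deferred barrier is only correct while that CodeBlock outlives the plan's `DesiredWriteBarriers`; presumably the plan already keeps the CodeBlock alive, but a one-line comment on the constructor stating that lifetime dependency would help the next reader.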
 
 DesiredWriteBarriers::DesiredWriteBarriers()
@@ -61,4 +84,12 @@
         m_barriers[i].trigger(vm);
 }
 
+void initializeLazyWriteBarrierForConstant(CodeBlock* codeBlock, DesiredWriteBarriers& barriers, JSCell* owner, JSValue value)
+{
+    unsigned constantIndex = codeBlock->addConstantLazily();
+    WriteBarrier<Unknown>& barrier = codeBlock->constants()[constantIndex];
+    barrier = WriteBarrier<Unknown>(
+        barriers.add(codeBlock->constants(), constantIndex, owner), value);
+}
+
 } } // namespace JSC::DFG

Modified: trunk/Source/_javascript_Core/dfg/DFGDesiredWriteBarriers.h (154244 => 154245)


--- trunk/Source/_javascript_Core/dfg/DFGDesiredWriteBarriers.h	2013-08-18 02:55:11 UTC (rev 154244)
+++ trunk/Source/_javascript_Core/dfg/DFGDesiredWriteBarriers.h	2013-08-18 03:08:52 UTC (rev 154245)
@@ -38,12 +38,21 @@
 class DesiredWriteBarrier {
 public:
     DesiredWriteBarrier(WriteBarrier<Unknown>*, JSCell* owner);
+    DesiredWriteBarrier(Vector<WriteBarrier<Unknown> >*, unsigned index, JSCell* owner);
 
     void trigger(VM&);
 
 private:
-    WriteBarrier<Unknown>* m_barrier;
     JSCell* m_owner;
+    enum WriteBarrierType { NormalType, VectorType };
+    WriteBarrierType m_type;
+    union {
+        WriteBarrier<Unknown>* m_barrier;
+        struct {
+            Vector<WriteBarrier<Unknown> >* m_barriers;
+            unsigned m_index;
+        } barrier_vector;
+    } u;
 };
 
 class DesiredWriteBarriers {
@@ -57,6 +66,12 @@
         return addImpl(reinterpret_cast<WriteBarrier<Unknown>*>(&barrier), owner);
     }
 
+    DesiredWriteBarrier& add(Vector<WriteBarrier<Unknown> >& barriers, unsigned index, JSCell* owner)
+    {
+        m_barriers.append(DesiredWriteBarrier(&barriers, index, owner));
+        return m_barriers.last();
+    }
+
     void trigger(VM&);
 
 private:
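Review bot: The new `add(Vector<WriteBarrier<Unknown> >&, unsigned, JSCell*)` returns `m_barriers.last()`, a reference into a Vector that the next `add()` may reallocate, so the result is only safe to consume immediately, as `initializeLazyWriteBarrierForConstant` does by passing it straight into the `WriteBarrier` constructor. Given that this commit exists because a stored Vector element reference went stale, the contract deserves a comment on both `add` overloads, e.g. `// The returned reference is invalidated by the next add(); use it immediately, never store it.` The union's `u` and `barrier_vector` names in the preceding hunk also break the file's `m_` member naming convention; `m_barrierVector` would match the surrounding code.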
@@ -71,6 +86,8 @@
     barrier = WriteBarrier<T>(barriers.add(barrier, owner), value);
 }
 
+void initializeLazyWriteBarrierForConstant(CodeBlock*, DesiredWriteBarriers&, JSCell* owner, JSValue);
+
 } } // namespace JSC::DFG
 
 #endif // DFGDesiredWriteBarriers_h

Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (154244 => 154245)


--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2013-08-18 02:55:11 UTC (rev 154244)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2013-08-18 03:08:52 UTC (rev 154245)
@@ -1372,8 +1372,8 @@
         ASSERT(value.isInt32());
         unsigned constantRegister;
         if (!codeBlock()->findConstant(value, constantRegister)) {
-            initializeLazyWriteBarrier(
-                codeBlock()->addConstantLazily(),
+            initializeLazyWriteBarrierForConstant(
+                codeBlock(),
                 m_graph.m_plan.writeBarriers,
                 codeBlock()->ownerExecutable(),
                 value);
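Review bot: The sequence `findConstant(value, constantRegister)` followed by `initializeLazyWriteBarrierForConstant(codeBlock(), m_graph.m_plan.writeBarriers, codeBlock()->ownerExecutable(), value)` here is repeated almost verbatim in DFGGraph.h (`constantRegisterForConstant`), and ByteCodeParser's `addConstant` issues the same call; now that the helper takes the CodeBlock directly, a single Graph-level "look up or lazily add constant" helper would remove the duplication and keep the three sites from drifting. The enclosing `truncateConstantToInt32` body continues outside the hunk.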

Modified: trunk/Source/_javascript_Core/dfg/DFGGraph.h (154244 => 154245)


--- trunk/Source/_javascript_Core/dfg/DFGGraph.h	2013-08-18 02:55:11 UTC (rev 154244)
+++ trunk/Source/_javascript_Core/dfg/DFGGraph.h	2013-08-18 03:08:52 UTC (rev 154245)
@@ -155,8 +155,8 @@
     {
         unsigned constantRegister;
         if (!m_codeBlock->findConstant(value, constantRegister)) {
-            initializeLazyWriteBarrier(
-                m_codeBlock->addConstantLazily(),
+            initializeLazyWriteBarrierForConstant(
+                m_codeBlock,
                 m_plan.writeBarriers,
                 m_codeBlock->ownerExecutable(),
                 value);