Changeset 218552 in webkit for trunk/Source/JavaScriptCore/jit/Repatch.cpp

Timestamp:

Jun 20, 2017, 12:15:19 AM (8 years ago)

Author:

[email protected]

Message:

repatchIn needs to lock the CodeBlock's lock
​https://bugs.webkit.org/show_bug.cgi?id=173573

Reviewed by Yusuke Suzuki.

CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's
lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating
an IC, we must hold the CodeBlock's to prevent the executing thread from racing
with the marking thread. repatchIn was not grabbing the lock. I haven't been
able to get it to crash, but this is needed for the same reasons that get and put IC
regeneration grab the lock.

• jit/Repatch.cpp:

(JSC::repatchIn):

File:

• trunk/Source/JavaScriptCore/jit/Repatch.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/jit/Repatch.cpp

@@ -556 +556 @@
 {
     SuperSamplerScope superSamplerScope(false);
+    GCSafeConcurrentJSLocker locker(exec->codeBlock()->m_lock, exec->vm().heap);
     if (tryRepatchIn(exec, base, ident, wasFound, slot, stubInfo) == GiveUpOnCache)
         ftlThunkAwareRepatchCall(exec->codeBlock(), stubInfo.slowPathCallLocation(), operationIn);