Changeset 233124 in webkit for trunk/Source/JavaScriptCore/bytecode/PropertyCondition.cpp

Timestamp:

Jun 23, 2018, 3:47:58 AM (7 years ago)

Author:

[email protected]

Message:

We need to have a getDirectConcurrently for use in the compilers
​https://bugs.webkit.org/show_bug.cgi?id=186954

Reviewed by Mark Lam.

It used to be that the propertyStorage of an object never shrunk
so if you called getDirect with some offset it would never be an
OOB read. However, this property storage can shrink when calling
flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
holds the Structure's ConcurrentJSLock while shrinking. This patch,
adds a getDirectConcurrently that will safely try to load from the
butterfly.

• bytecode/ObjectPropertyConditionSet.cpp:
• bytecode/PropertyCondition.cpp:

(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
(JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::tryGetConstantProperty):

• runtime/JSObject.h:

(JSC::JSObject::getDirectConcurrently const):

File:

• trunk/Source/JavaScriptCore/bytecode/PropertyCondition.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/bytecode/PropertyCondition.cpp

@@ -238 +238 @@
         }
 
-        JSValue currentValue = base->getDirect(currentOffset);
+        JSValue currentValue = base->getDirectConcurrently(structure, currentOffset);
         if (currentValue != requiredValue()) {
             if (PropertyConditionInternal::verbose) {
@@ -393 +393 @@
 {
     Structure* structure = base->structure(vm);
-    if (!structure->isValidOffset(offset()))
-        return PropertyCondition();
-    JSValue value = base->getDirect(offset());
+
+    JSValue value = base->getDirectConcurrently(structure, offset());
     if (!isValidValueForPresence(vm, value))
         return PropertyCondition();