Changeset 249706 in webkit for trunk/Source/JavaScriptCore/dfg/DFGJITFinalizer.cpp

Timestamp:

Sep 9, 2019, 10:03:13 PM (6 years ago)

Author:

[email protected]

Message:

[JSC] CodeBlock::m_constantRegisters should be guarded by ConcurrentJSLock when Vector reallocate memory
​https://bugs.webkit.org/show_bug.cgi?id=201622

Reviewed by Mark Lam.

CodeBlock::visitChildren takes ConcurrentJSLock while iterating m_constantRegisters, some of the places reallocate
this Vector without taking a lock. If a Vector memory is reallocated while iterating it in concurrent collector,
the concurrent collector can see a garbage. This patch guards m_constantRegisters reallocation with ConcurrentJSLock.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::finishCreation):
(JSC::CodeBlock::setConstantRegisters):

• bytecode/CodeBlock.h:

(JSC::CodeBlock::addConstant):
(JSC::CodeBlock::addConstantLazily):

• dfg/DFGDesiredWatchpoints.cpp:

(JSC::DFG::ArrayBufferViewWatchpointAdaptor::add):
(JSC::DFG::SymbolTableAdaptor::add):
(JSC::DFG::FunctionExecutableAdaptor::add):

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::registerFrozenValues):

• dfg/DFGJITFinalizer.cpp:

(JSC::DFG::JITFinalizer::finalizeCommon):

• dfg/DFGLazyJSValue.cpp:

(JSC::DFG::LazyJSValue::emit const):

File:

• trunk/Source/JavaScriptCore/dfg/DFGJITFinalizer.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/dfg/DFGJITFinalizer.cpp

@@ -83 +83 @@
 {
     // Some JIT finalizers may have added more constants. Shrink-to-fit those things now.
-    m_plan.codeBlock()->constants().shrinkToFit();
-    m_plan.codeBlock()->constantsSourceCodeRepresentation().shrinkToFit();
+    {
+        ConcurrentJSLocker locker(m_plan.codeBlock()->m_lock);
+        m_plan.codeBlock()->constants().shrinkToFit();
+        m_plan.codeBlock()->constantsSourceCodeRepresentation().shrinkToFit();
+    }
 
 #if ENABLE(FTL_JIT)