Ignore:
Timestamp:
Nov 6, 2019, 4:29:19 PM (6 years ago)
Author:
[email protected]
Message:

JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut() should fire its watchpoint as the last step.
https://bugs.webkit.org/show_bug.cgi?id=203867
<rdar://problem/56813514>

Reviewed by Saam Barati.

JSTests:

  • stress/racy-slow-put-cloned-arguments-when-having-a-bad-time.js: Added.

Source/JavaScriptCore:

JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut() should make all
the array structures SlowPut before firing the watchpoint. Otherwise, the
concurrent JIT may think it's grabbing the slow put version of the structure, but
is actually grabbing the non-SlowPut version because it happened to beat the
mutator in a race to read the structure before the mutator makes it SlowPut.

Also removed some assertions in DFGSpeculativeJIT.cpp that are vulnerable to races
between when the mutator makes all array structures SlowPut and when it fires the
HavingABadTime watchpoint. The FTL equivalent did not have these assertions.

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileCreateRest):
(JSC::DFG::SpeculativeJIT::compileNewArray):
(JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):

  • runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r252021 r252160  
    78167816        // arguments to have arrayLength exceed MIN_ARRAY_STORAGE_CONSTRUCTION_LENGTH.
    78177817        bool shouldAllowForArrayStorageStructureForLargeArrays = false;
    7818         ASSERT(m_jit.graph().globalObjectFor(node->origin.semantic)->restParameterStructure()->indexingMode() == ArrayWithContiguous || m_jit.graph().globalObjectFor(node->origin.semantic)->isHavingABadTime());
    78197818        compileAllocateNewArrayWithSize(m_jit.graph().globalObjectFor(node->origin.semantic), arrayResultGPR, arrayLengthGPR, ArrayWithContiguous, shouldAllowForArrayStorageStructureForLargeArrays);
    78207819
     
    79807979    RegisteredStructure structure = m_jit.graph().registerStructure(globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType()));
    79817980    if (!globalObject->isHavingABadTime() && !hasAnyArrayStorage(node->indexingType())) {
    7982         DFG_ASSERT(m_jit.graph(), node, structure->indexingType() == node->indexingType(), structure->indexingType(), node->indexingType());
    79837981        ASSERT(
    79847982            hasUndecided(structure->indexingType())
     
    81748172            // non-ArrayStorage shaped array.
    81758173            bool shouldAllowForArrayStorageStructureForLargeArrays = false;
    8176             ASSERT(m_jit.graph().globalObjectFor(node->origin.semantic)->restParameterStructure()->indexingType() == ArrayWithContiguous || m_jit.graph().globalObjectFor(node->origin.semantic)->isHavingABadTime());
    81778174            compileAllocateNewArrayWithSize(m_jit.graph().globalObjectFor(node->origin.semantic), resultGPR, lengthGPR, ArrayWithContiguous, shouldAllowForArrayStorageStructureForLargeArrays);
    81788175        }
Note: See TracChangeset for help on using the changeset viewer.