Ignore:
Timestamp:
Oct 20, 2021, 11:27:53 PM (4 years ago)
Author:
[email protected]
Message:

*IsSane API's could take in the Structure's we're consulting, or they can be out parameters, so we don't rely on the CPU's memory ordering
https://bugs.webkit.org/show_bug.cgi?id=231996

Reviewed by Filip Pizlo.

objectPrototypeIsSane, arrayPrototypeChainIsSane, and stringPrototypeChainIsSane reloads structures from prototype objects while the caller
is already getting them and validating them. This introduces a race condition where structure transition happens just before calling these
APIs and we will see different structures which are already validated. This is simply wrong: if we validate one structure, then we should
continue using that and we should put a watchpoint on this structure. We should not reload structures from the prototype again.

We add Concurrently postfix to these functions, and passing structures to these APIs to continue using these structures instead of reloading
it from prototype objects. This eliminate the race condition we had, and this removes the necessity of load-load-fence on watchpoint state
retrieval.

  • dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

  • dfg/DFGArgumentsEliminationPhase.cpp:
  • dfg/DFGArrayMode.cpp:

(JSC::DFG::ArrayMode::refine const):

  • dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleIntrinsicCall):

  • dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::setSaneChainIfPossible):

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileGetByValOnString):

  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileStringCharAtImpl):

  • runtime/JSGlobalObject.h:
  • runtime/JSGlobalObjectInlines.h:

(JSC::JSGlobalObject::objectPrototypeIsSane):
(JSC::JSGlobalObject::arrayPrototypeChainIsSaneConcurrently):
(JSC::JSGlobalObject::stringPrototypeChainIsSaneConcurrently):
(JSC::JSGlobalObject::arrayPrototypeChainIsSane):
(JSC::JSGlobalObject::stringPrototypeChainIsSane):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/dfg/DFGArrayMode.cpp

    r284330 r284590  
    261261            && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
    262262            && objectPrototypeStructure->transitionWatchpointSetIsStillValid()
    263             && globalObject->arrayPrototypeChainIsSane()) {
     263            && globalObject->arrayPrototypeChainIsSaneConcurrently(arrayPrototypeStructure, objectPrototypeStructure)) {
    264264            graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
    265265            graph.registerAndWatchStructureTransition(objectPrototypeStructure);
    266             if (globalObject->arrayPrototypeChainIsSane())
     266            if (globalObject->arrayPrototypeChainIsSaneConcurrently(arrayPrototypeStructure, objectPrototypeStructure))
    267267                return withSpeculation(Array::InBoundsSaneChain);
    268268        }
Note: See TracChangeset for help on using the changeset viewer.