Changeset 157413 in webkit

Timestamp:

Oct 14, 2013, 12:34:44 PM (12 years ago)

Author:

[email protected]

Message:

llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
​https://bugs.webkit.org/show_bug.cgi?id=122667

Reviewed by Filip Pizlo.

The issue this patch is attempting to fix is that there are places in our codebase
where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
operations that can initiate a garbage collection. Garbage collection then calls
some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
always necessarily run during garbage collection). This causes a deadlock.

To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores
into a thread-local field that indicates that it is unsafe to perform any operation
that could trigger garbage collection on the current thread. In debug builds,
ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly
detect deadlocks.

This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
which uses the DeferGC mechanism to prevent collections from occurring while the
lock is held.

• CMakeLists.txt:
• GNUmakefile.list.am:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
• JavaScriptCore.xcodeproj/project.pbxproj:
• heap/DeferGC.cpp: Added.
• heap/DeferGC.h:

(JSC::DisallowGC::DisallowGC):
(JSC::DisallowGC::~DisallowGC):
(JSC::DisallowGC::isGCDisallowedOnCurrentThread):
(JSC::DisallowGC::initialize):

• jit/JITStubs.cpp:

(JSC::tryCachePutByID):
(JSC::tryCacheGetByID):
(JSC::DEFINE_STUB_FUNCTION):

• llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

• runtime/ConcurrentJITLock.h:

(JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
(JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
(JSC::ConcurrentJITLockerBase::unlockEarly):
(JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
(JSC::ConcurrentJITLocker::ConcurrentJITLocker):

• runtime/InitializeThreading.cpp:

(JSC::initializeThreadingOnce):

• runtime/JSCellInlines.h:

(JSC::allocateCell):

• runtime/Structure.cpp:

(JSC::Structure::materializePropertyMap):
(JSC::Structure::putSpecificValue):
(JSC::Structure::createPropertyMap):

• runtime/Structure.h:

Location:

trunk/Source/JavaScriptCore

Files:

• CMakeLists.txt (modified) (1 diff)
• ChangeLog (modified) (1 diff)
• GNUmakefile.list.am (modified) (1 diff)
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (modified) (2 diffs)
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters (modified) (2 diffs)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (8 diffs)
• heap/DeferGC.cpp (added)
• heap/DeferGC.h (modified) (2 diffs)
• jit/JITStubs.cpp (modified) (2 diffs)
• llint/LLIntSlowPaths.cpp (modified) (1 diff)
• runtime/ConcurrentJITLock.h (modified) (2 diffs)
• runtime/InitializeThreading.cpp (modified) (1 diff)
• runtime/JSCellInlines.h (modified) (2 diffs)
• runtime/Structure.cpp (modified) (3 diffs)
• runtime/Structure.h (modified) (1 diff)

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -182 +182 @@
     heap/CopiedSpace.cpp
     heap/CopyVisitor.cpp
+    heap/DeferGC.cpp
     heap/GCThread.cpp
     heap/GCThreadSharedData.cpp

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-10-11  Mark Hahnenberg  <[email protected]>
+
+        llint_slow_path_put_by_id can deadlock on a ConcurrentJITLock
+        https://bugs.webkit.org/show_bug.cgi?id=122667
+
+        Reviewed by Filip Pizlo.
+
+        The issue this patch is attempting to fix is that there are places in our codebase
+        where we acquire the ConcurrentJITLock for a particular CodeBlock, then we do some
+        operations that can initiate a garbage collection. Garbage collection then calls 
+        some methods of CodeBlock that also take the ConcurrentJITLock (because they don't
+        always necessarily run during garbage collection). This causes a deadlock.
+
+        To fix this issue, this patch adds a new RAII-style object (DisallowGC) that stores 
+        into a thread-local field that indicates that it is unsafe to perform any operation 
+        that could trigger garbage collection on the current thread. In debug builds, 
+        ConcurrentJITLocker contains one of these DisallowGC objects so that we can eagerly 
+        detect deadlocks.
+
+        This patch also adds a new type of ConcurrentJITLocker, GCSafeConcurrentJITLocker,
+        which uses the DeferGC mechanism to prevent collections from occurring while the 
+        lock is held.
+
+        * CMakeLists.txt:
+        * GNUmakefile.list.am:
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+        * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * heap/DeferGC.cpp: Added.
+        * heap/DeferGC.h:
+        (JSC::DisallowGC::DisallowGC):
+        (JSC::DisallowGC::~DisallowGC):
+        (JSC::DisallowGC::isGCDisallowedOnCurrentThread):
+        (JSC::DisallowGC::initialize):
+        * jit/JITStubs.cpp:
+        (JSC::tryCachePutByID):
+        (JSC::tryCacheGetByID):
+        (JSC::DEFINE_STUB_FUNCTION):
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+        * runtime/ConcurrentJITLock.h:
+        (JSC::ConcurrentJITLockerBase::ConcurrentJITLockerBase):
+        (JSC::ConcurrentJITLockerBase::~ConcurrentJITLockerBase):
+        (JSC::ConcurrentJITLockerBase::unlockEarly):
+        (JSC::GCSafeConcurrentJITLocker::GCSafeConcurrentJITLocker):
+        (JSC::ConcurrentJITLocker::ConcurrentJITLocker):
+        * runtime/InitializeThreading.cpp:
+        (JSC::initializeThreadingOnce):
+        * runtime/JSCellInlines.h:
+        (JSC::allocateCell):
+        * runtime/Structure.cpp:
+        (JSC::Structure::materializePropertyMap):
+        (JSC::Structure::putSpecificValue):
+        (JSC::Structure::createPropertyMap):
+        * runtime/Structure.h:
+
 2013-10-14  Filip Pizlo  <[email protected]>
 

trunk/Source/JavaScriptCore/GNUmakefile.list.am

@@ -468 +468 @@
         Source/JavaScriptCore/heap/ConservativeRoots.cpp \
         Source/JavaScriptCore/heap/ConservativeRoots.h \
+        Source/JavaScriptCore/heap/DeferGC.cpp \
         Source/JavaScriptCore/heap/DeferGC.h \
         Source/JavaScriptCore/heap/GCAssertions.h \

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj

@@ -337 +337 @@
     <ClCompile Include="..\heap\CopiedSpace.cpp" />
     <ClCompile Include="..\heap\CopyVisitor.cpp" />
+    <ClCompile Include="..\heap\DeferGC.cpp" />
     <ClCompile Include="..\heap\GCThread.cpp" />
     <ClCompile Include="..\heap\GCThreadSharedData.cpp" />
@@ -705 +706 @@
     <ClInclude Include="..\heap\CopyVisitorInlines.h" />
     <ClInclude Include="..\heap\CopyWorkList.h" />
+    <ClInclude Include="..\heap\DeferGC.h" />
     <ClInclude Include="..\heap\GCAssertions.h" />
     <ClInclude Include="..\heap\GCThread.h" />

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters

@@ -874 +874 @@
       <Filter>heap</Filter>
     </ClCompile>
+    <ClCompile Include="..\heap\DeferGC.cpp">
+      <Filter>heap</Filter>
+    </ClCompile>
     <ClCompile Include="..\bytecode\DeferredCompilationCallback.cpp">
       <Filter>bytecode</Filter>
@@ -1222 +1225 @@
     </ClInclude>
     <ClInclude Include="..\heap\CopyWorkList.h">
+      <Filter>heap</Filter>
+    </ClInclude>
+    <ClInclude Include="..\heap\DeferGC.h">
       <Filter>heap</Filter>
     </ClInclude>

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -374 +374 @@
                 0FC81516140511B500CFA603 /* VTableSpectrum.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FC815121405118600CFA603 /* VTableSpectrum.cpp */; };
                 0FCCAE4516D0CF7400D0C65B /* ParserError.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FCCAE4316D0CF6E00D0C65B /* ParserError.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                0FCEFAAB1804C13E00472CE4 /* FTLSaveRestore.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FCEFAA91804C13E00472CE4 /* FTLSaveRestore.cpp */; };
+                0FCEFAAC1804C13E00472CE4 /* FTLSaveRestore.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FCEFAAA1804C13E00472CE4 /* FTLSaveRestore.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0FCEFAB01805CA6D00472CE4 /* InitializeLLVM.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FCEFAAE1805CA6D00472CE4 /* InitializeLLVM.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0FCEFAB11805CA6D00472CE4 /* InitializeLLVMMac.mm in Sources */ = {isa = PBXBuildFile; fileRef = 0FCEFAAF1805CA6D00472CE4 /* InitializeLLVMMac.mm */; };
@@ -390 +392 @@
                 0FCEFADA180620DA00472CE4 /* LLVMAPI.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FCEFAC81805E75500472CE4 /* LLVMAPI.h */; };
                 0FCEFADC18064A1400472CE4 /* config_llvm.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FCEFADB18064A1400472CE4 /* config_llvm.h */; };
-                0FCEFAAB1804C13E00472CE4 /* FTLSaveRestore.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FCEFAA91804C13E00472CE4 /* FTLSaveRestore.cpp */; };
-                0FCEFAAC1804C13E00472CE4 /* FTLSaveRestore.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FCEFAAA1804C13E00472CE4 /* FTLSaveRestore.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0FCEFADF180738C000472CE4 /* FTLLocation.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0FCEFADD180738C000472CE4 /* FTLLocation.cpp */; };
                 0FCEFAE0180738C000472CE4 /* FTLLocation.h in Headers */ = {isa = PBXBuildFile; fileRef = 0FCEFADE180738C000472CE4 /* FTLLocation.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -685 +685 @@
                 2A48D1911772365B00C65A5F /* APICallbackFunction.h in Headers */ = {isa = PBXBuildFile; fileRef = C211B574176A224D000E2A23 /* APICallbackFunction.h */; };
                 2A6F462617E959CE00C45C98 /* HeapOperation.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A6F462517E959CE00C45C98 /* HeapOperation.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                2A7A58EF1808A4C40020BDF7 /* DeferGC.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2A7A58EE1808A4C40020BDF7 /* DeferGC.cpp */; };
                 2AD8932B17E3868F00668276 /* HeapIterationScope.h in Headers */ = {isa = PBXBuildFile; fileRef = 2AD8932917E3868F00668276 /* HeapIterationScope.h */; };
                 371D842D17C98B6E00ECF994 /* libz.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 371D842C17C98B6E00ECF994 /* libz.dylib */; };
@@ -1628 +1629 @@
                 0FCB408515C0A3C30048932B /* SlotVisitorInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SlotVisitorInlines.h; sourceTree = "<group>"; };
                 0FCCAE4316D0CF6E00D0C65B /* ParserError.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ParserError.h; sourceTree = "<group>"; };
+                0FCEFAA91804C13E00472CE4 /* FTLSaveRestore.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLSaveRestore.cpp; path = ftl/FTLSaveRestore.cpp; sourceTree = "<group>"; };
+                0FCEFAAA1804C13E00472CE4 /* FTLSaveRestore.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLSaveRestore.h; path = ftl/FTLSaveRestore.h; sourceTree = "<group>"; };
                 0FCEFAAE1805CA6D00472CE4 /* InitializeLLVM.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = InitializeLLVM.h; path = llvm/InitializeLLVM.h; sourceTree = "<group>"; };
                 0FCEFAAF1805CA6D00472CE4 /* InitializeLLVMMac.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; name = InitializeLLVMMac.mm; path = llvm/InitializeLLVMMac.mm; sourceTree = "<group>"; };
@@ -1643 +1646 @@
                 0FCEFAD61806174600472CE4 /* LLVMAnchor.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = LLVMAnchor.cpp; sourceTree = "<group>"; };
                 0FCEFADB18064A1400472CE4 /* config_llvm.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = config_llvm.h; sourceTree = "<group>"; };
-                0FCEFAA91804C13E00472CE4 /* FTLSaveRestore.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLSaveRestore.cpp; path = ftl/FTLSaveRestore.cpp; sourceTree = "<group>"; };
-                0FCEFAAA1804C13E00472CE4 /* FTLSaveRestore.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLSaveRestore.h; path = ftl/FTLSaveRestore.h; sourceTree = "<group>"; };
                 0FCEFADD180738C000472CE4 /* FTLLocation.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLLocation.cpp; path = ftl/FTLLocation.cpp; sourceTree = "<group>"; };
                 0FCEFADE180738C000472CE4 /* FTLLocation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLLocation.h; path = ftl/FTLLocation.h; sourceTree = "<group>"; };
@@ -1892 +1893 @@
                 2600B5A5152BAAA70091EE5F /* JSStringJoiner.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSStringJoiner.h; sourceTree = "<group>"; };
                 2A6F462517E959CE00C45C98 /* HeapOperation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HeapOperation.h; sourceTree = "<group>"; };
+                2A7A58EE1808A4C40020BDF7 /* DeferGC.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DeferGC.cpp; sourceTree = "<group>"; };
                 2AD8932917E3868F00668276 /* HeapIterationScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HeapIterationScope.h; sourceTree = "<group>"; };
                 371D842C17C98B6E00ECF994 /* libz.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libz.dylib; path = usr/lib/libz.dylib; sourceTree = SDKROOT; };
@@ -2917 +2919 @@
                                 C218D13F1655CFD50062BB81 /* CopyWorkList.h */,
                                 0F136D4B174AD69B0075B354 /* DeferGC.h */,
+                                2A7A58EE1808A4C40020BDF7 /* DeferGC.cpp */,
                                 BCBE2CAD14E985AA000593AD /* GCAssertions.h */,
                                 0F2B66A817B6B53D00A7AE3F /* GCIncomingRefCounted.h */,
@@ -5481 +5484 @@
                                 A7386555118697B400540279 /* ThunkGenerators.cpp in Sources */,
                                 0F2B670717B6B5AB00A7AE3F /* TypedArrayController.cpp in Sources */,
+                                2A7A58EF1808A4C40020BDF7 /* DeferGC.cpp in Sources */,
                                 0F2B670A17B6B5AB00A7AE3F /* TypedArrayType.cpp in Sources */,
                                 0FF4274A158EBE91004CB9FF /* udis86.c in Sources */,

trunk/Source/JavaScriptCore/heap/DeferGC.h

@@ -29 +29 @@
 #include "Heap.h"
 #include <wtf/Noncopyable.h>
+#include <wtf/ThreadSpecific.h>
 
 namespace JSC {
@@ -68 +69 @@
 };
 
+#ifndef NDEBUG
+class DisallowGC {
+    WTF_MAKE_NONCOPYABLE(DisallowGC);
+public:
+    DisallowGC()
+    {
+        WTF::threadSpecificSet(s_isGCDisallowedOnCurrentThread, reinterpret_cast<void*>(true));
+    }
+
+    ~DisallowGC()
+    {
+        WTF::threadSpecificSet(s_isGCDisallowedOnCurrentThread, reinterpret_cast<void*>(false));
+    }
+
+    static bool isGCDisallowedOnCurrentThread()
+    {
+        return !!WTF::threadSpecificGet(s_isGCDisallowedOnCurrentThread);
+    }
+    static void initialize()
+    {
+        WTF::threadSpecificKeyCreate(&s_isGCDisallowedOnCurrentThread, 0);
+    }
+
+private:
+    JS_EXPORT_PRIVATE static WTF::ThreadSpecificKey s_isGCDisallowedOnCurrentThread;
+};
+#endif // NDEBUG
+
 } // namespace JSC
 

trunk/Source/JavaScriptCore/jit/JITStubs.cpp

@@ -126 +126 @@
 NEVER_INLINE static void tryCacheGetByID(CallFrame* callFrame, CodeBlock* codeBlock, ReturnAddressPtr returnAddress, JSValue baseValue, const Identifier& propertyName, const PropertySlot& slot, StructureStubInfo* stubInfo)
 {
-    ConcurrentJITLocker locker(codeBlock->m_lock);
+    GCSafeConcurrentJITLocker locker(codeBlock->m_lock, callFrame->vm().heap);
     
     // FIXME: Write a test that proves we need to check for recursion here just
@@ -556 +556 @@
     }
 
-    ConcurrentJITLocker locker(codeBlock->m_lock);
+    GCSafeConcurrentJITLocker locker(codeBlock->m_lock, callFrame->vm().heap);
     
     Structure* structure = baseValue.asCell()->structure();

trunk/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp

@@ -597 +597 @@
             
             if (slot.type() == PutPropertySlot::NewProperty) {
-                ConcurrentJITLocker locker(codeBlock->m_lock);
+                GCSafeConcurrentJITLocker locker(codeBlock->m_lock, vm.heap);
             
                 if (!structure->isDictionary() && structure->previousID()->outOfLineCapacity() == structure->outOfLineCapacity()) {

trunk/Source/JavaScriptCore/runtime/ConcurrentJITLock.h

@@ -27 +27 @@
 #define ConcurrentJITLock_h
 
+#include "DeferGC.h"
 #include <wtf/ByteSpinLock.h>
 #include <wtf/NoLock.h>
@@ -34 +35 @@
 #if ENABLE(CONCURRENT_JIT)
 typedef ByteSpinLock ConcurrentJITLock;
-typedef ByteSpinLocker ConcurrentJITLocker;
+typedef ByteSpinLocker ConcurrentJITLockerImpl;
 #else
 typedef NoLock ConcurrentJITLock;
-typedef NoLockLocker ConcurrentJITLocker;
+typedef NoLockLocker ConcurrentJITLockerImpl;
 #endif
+
+class ConcurrentJITLockerBase {
+    WTF_MAKE_NONCOPYABLE(ConcurrentJITLockerBase);
+public:
+    explicit ConcurrentJITLockerBase(ConcurrentJITLock& lockable)
+        : m_locker(&lockable)
+    {
+    }
+    explicit ConcurrentJITLockerBase(ConcurrentJITLock* lockable)
+        : m_locker(lockable)
+    {
+    }
+
+    ~ConcurrentJITLockerBase()
+    {
+    }
+    
+    void unlockEarly()
+    {
+        m_locker.unlockEarly();
+    }
+
+private:
+    ConcurrentJITLockerImpl m_locker;
+};
+
+class GCSafeConcurrentJITLocker : public ConcurrentJITLockerBase {
+public:
+    GCSafeConcurrentJITLocker(ConcurrentJITLock& lockable, Heap& heap)
+        : ConcurrentJITLockerBase(lockable)
+        , m_deferGC(heap)
+    {
+    }
+
+    GCSafeConcurrentJITLocker(ConcurrentJITLock* lockable, Heap& heap)
+        : ConcurrentJITLockerBase(lockable)
+        , m_deferGC(heap)
+    {
+    }
+
+private:
+#if ENABLE(CONCURRENT_JIT)
+    DeferGC m_deferGC;
+#else
+    struct NoDefer {
+        NoDefer(Heap& heap) : m_heap(heap) { }
+        Heap& m_heap;
+    };
+    NoDefer m_deferGC;
+#endif
+};
+
+class ConcurrentJITLocker : public ConcurrentJITLockerBase {
+public:
+    ConcurrentJITLocker(ConcurrentJITLock& lockable)
+        : ConcurrentJITLockerBase(lockable)
+    {
+    }
+
+    ConcurrentJITLocker(ConcurrentJITLock* lockable)
+        : ConcurrentJITLockerBase(lockable)
+    {
+    }
+
+#if ENABLE(CONCURRENT_JIT) && !defined(NDEBUG)
+private:
+    DisallowGC m_disallowGC;
+#endif
+};
 
 } // namespace JSC
 
 #endif // ConcurrentJITLock_h
-

trunk/Source/JavaScriptCore/runtime/InitializeThreading.cpp

@@ -70 +70 @@
     LLInt::initialize();
 #endif
+#ifndef NDEBUG
+    DisallowGC::initialize();
+#endif
 }
 

trunk/Source/JavaScriptCore/runtime/JSCellInlines.h

@@ -28 +28 @@
 
 #include "CallFrame.h"
+#include "DeferGC.h"
 #include "Handle.h"
 #include "JSCell.h"
@@ -86 +87 @@
 void* allocateCell(Heap& heap, size_t size)
 {
+    ASSERT(!DisallowGC::isGCDisallowedOnCurrentThread());
     ASSERT(size >= sizeof(T));
 #if ENABLE(GC_VALIDATION)

trunk/Source/JavaScriptCore/runtime/Structure.cpp

@@ -281 +281 @@
     // property map. We don't want getConcurrently() to see the property map in a half-baked
     // state.
-    ConcurrentJITLocker locker(m_lock);
+    GCSafeConcurrentJITLocker locker(m_lock, vm.heap);
     if (!table)
         createPropertyMap(locker, vm, numberOfSlotsForLastOffset(m_offset, m_inlineCapacity));
@@ -882 +882 @@
 PropertyOffset Structure::putSpecificValue(VM& vm, PropertyName propertyName, unsigned attributes, JSCell* specificValue)
 {
-    ConcurrentJITLocker locker(m_lock);
+    GCSafeConcurrentJITLocker locker(m_lock, vm.heap);
     
     ASSERT(!JSC::isValidOffset(get(vm, propertyName)));
@@ -927 +927 @@
 }
 
-void Structure::createPropertyMap(const ConcurrentJITLocker&, VM& vm, unsigned capacity)
+void Structure::createPropertyMap(const GCSafeConcurrentJITLocker&, VM& vm, unsigned capacity)
 {
     ASSERT(!propertyTable());

trunk/Source/JavaScriptCore/runtime/Structure.h

@@ -394 +394 @@
     PropertyOffset remove(PropertyName);
 
-    void createPropertyMap(const ConcurrentJITLocker&, VM&, unsigned keyCount = 0);
+    void createPropertyMap(const GCSafeConcurrentJITLocker&, VM&, unsigned keyCount = 0);
     void checkConsistency();