Changeset 252247 in webkit


Ignore:
Timestamp:
Nov 8, 2019 11:37:54 AM (4 years ago)
Author:
mark.lam@apple.com
Message:

Remove invalid assertion in DFG's compileNewArray().
https://bugs.webkit.org/show_bug.cgi?id=204002
<rdar://problem/56973531>

Reviewed by Robin Morisset.

The assertion is in an if clause conditional on !globalObject->isHavingABadTime().
The assertion tests the IndexingType of a structure returned by
arrayStructureForIndexingTypeDuringAllocation().

However, the structures returned by arrayStructureForIndexingTypeDuringAllocation()
may have started transitioning to their SlowPut variant because the mutator will
be imminently firing the HavingABadTime watchpoint, but haven't done so yet.
In a race, the DFG may see the SlowPut variants of the structures before
isHavingABadTime() returns true. Hence, the assertion is invalid.

Note that the FTL does not have this assertion.

This issue is already tested by stress/racy-slow-put-cloned-arguments-when-having-a-bad-time.js.

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileNewArray):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r252243 r252247  
     12019-11-08  Mark Lam  <mark.lam@apple.com>
     2
     3        Remove invalid assertion in DFG's compileNewArray().
     4        https://bugs.webkit.org/show_bug.cgi?id=204002
     5        <rdar://problem/56973531>
     6
     7        Reviewed by Robin Morisset.
     8
     9        The assertion is in an if clause conditional on !globalObject->isHavingABadTime().
     10        The assertion tests the IndexingType of a structure returned by
     11        arrayStructureForIndexingTypeDuringAllocation(). 
     12
     13        However, the structures returned by arrayStructureForIndexingTypeDuringAllocation()
     14        may have started transitioning to their SlowPut variant because the mutator will
     15        be imminently firing the HavingABadTime watchpoint, but haven't done so yet.
     16        In a race, the DFG may see the SlowPut variants of the structures before
     17        isHavingABadTime() returns true.  Hence, the assertion is invalid.
     18
     19        Note that the FTL does not have this assertion.
     20
     21        This issue is already tested by stress/racy-slow-put-cloned-arguments-when-having-a-bad-time.js.
     22
     23        * dfg/DFGSpeculativeJIT.cpp:
     24        (JSC::DFG::SpeculativeJIT::compileNewArray):
     25
    1262019-11-08  Ross Kirsling  <ross.kirsling@sony.com>
    227

  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r252229 r252247  
    79797979    RegisteredStructure structure = m_jit.graph().registerStructure(globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType()));
    79807980    if (!globalObject->isHavingABadTime() && !hasAnyArrayStorage(node->indexingType())) {
    7981         ASSERT(
    7982             hasUndecided(structure->indexingType())
    7983             || hasInt32(structure->indexingType())
    7984             || hasDouble(structure->indexingType())
    7985             || hasContiguous(structure->indexingType()));
    7986 
    79877981        unsigned numElements = node->numChildren();
    79887982        unsigned vectorLengthHint = node->vectorLengthHint();
Note: See TracChangeset for help on using the changeset viewer.