Changeset 197491 in webkit


Ignore:
Timestamp:
Mar 2, 2016, 9:29:16 PM (9 years ago)
Author:
commit-queue@webkit.org
Message:

[JSC] JSCell_freeListNext and JSCell_structureID are considered not overlapping
https://bugs.webkit.org/show_bug.cgi?id=154947

Patch by Benjamin Poulain <bpoulain@apple.com> on 2016-03-02
Reviewed by Filip Pizlo.

This bug was discovered while testing https://bugs.webkit.org/show_bug.cgi?id=154894.

The problem was that JSCell_freeListNext and JSCell_structureID were
considered as disjoint. When reordering instructions, the scheduler
could move the write of the StructureID first to reduce dependencies.
This would erase half of JSCell_freeListNext before we get a chance
to load the value.

This patch changes the hierarchy to make sure nothing is written
until JSCell_freeListNext is processed.

All credits for this patch go to Filip.

  • ftl/FTLAbstractHeapRepository.cpp:

(JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):

  • ftl/FTLAbstractHeapRepository.h:
Location:
trunk/Source/JavaScriptCore
Files:
3 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r197490 r197491  
     12016-03-02  Benjamin Poulain  <bpoulain@apple.com>
     2
     3        [JSC] JSCell_freeListNext and JSCell_structureID are considered not overlapping
     4        https://bugs.webkit.org/show_bug.cgi?id=154947
     5
     6        Reviewed by Filip Pizlo.
     7
     8        This bug was discovered while testing https://bugs.webkit.org/show_bug.cgi?id=154894.
     9
     10        The problem was that JSCell_freeListNext and JSCell_structureID were
     11        considered as disjoint. When reordering instructions, the scheduler
     12        could move the write of the StructureID first to reduce dependencies.
     13        This would erase half of JSCell_freeListNext before we get a chance
     14        to load the value.
     15
     16        This patch changes the hierarchy to make sure nothing is written
     17        until JSCell_freeListNext is processed.
     18
     19        All credits for this patch go to Filip.
     20
     21        * ftl/FTLAbstractHeapRepository.cpp:
     22        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
     23        * ftl/FTLAbstractHeapRepository.h:
     24
    1252016-03-02  Benjamin Poulain  <bpoulain@apple.com>
    226

  • trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.cpp

    r197299 r197491  
    5858#undef ABSTRACT_FIELD_INITIALIZATION
    5959   
    60     , JSCell_freeListNext(JSCell_structureID)
     60    , JSCell_freeListNext(JSCell_header)
    6161   
    6262#define INDEXED_ABSTRACT_HEAP_INITIALIZATION(name, offset, size) , name(&root, #name, offset, size)
     
    7676    RELEASE_ASSERT(JSCell_indexingType.offset() + 3 == JSCell_cellState.offset());
    7777
     78    JSCell_structureID.changeParent(&JSCell_header);
     79    JSCell_usefulBytes.changeParent(&JSCell_header);
    7880    JSCell_indexingType.changeParent(&JSCell_usefulBytes);
    7981    JSCell_typeInfoType.changeParent(&JSCell_usefulBytes);

  • trunk/Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h

    r197299 r197491  
    5555    macro(JSArrayBufferView_vector, JSArrayBufferView::offsetOfVector()) \
    5656    macro(JSCell_cellState, JSCell::cellStateOffset()) \
     57    macro(JSCell_header, 0) \
    5758    macro(JSCell_indexingType, JSCell::indexingTypeOffset()) \
    5859    macro(JSCell_structureID, JSCell::structureIDOffset()) \
Note: See TracChangeset for help on using the changeset viewer.