Changeset 154245 in webkit
- Timestamp:
- Aug 17, 2013 8:08:52 PM (11 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 7 edited
trunk/Source/JavaScriptCore/ChangeLog
r154218 r154245 1 2013-08-17 Mark Hahnenberg <mhahnenberg@apple.com> 2 3 <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML 4 5 Reviewed by Filip Pizlo. 6 7 Added a new mode for DesiredWriteBarrier that allows it to track a position in a 8 Vector of WriteBarriers rather than the specific address. The fact that we were 9 arbitrarily storing into a Vector's backing store for constants at the end of 10 compilation after the Vector could have resized was causing crashes. 11 12 * bytecode/CodeBlock.h: 13 (JSC::CodeBlock::constants): 14 (JSC::CodeBlock::addConstantLazily): 15 * dfg/DFGByteCodeParser.cpp: 16 (JSC::DFG::ByteCodeParser::addConstant): 17 * dfg/DFGDesiredWriteBarriers.cpp: 18 (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier): 19 (JSC::DFG::DesiredWriteBarrier::trigger): 20 (JSC::DFG::initializeLazyWriteBarrierForConstant): 21 * dfg/DFGDesiredWriteBarriers.h: 22 (JSC::DFG::DesiredWriteBarriers::add): 23 * dfg/DFGFixupPhase.cpp: 24 (JSC::DFG::FixupPhase::truncateConstantToInt32): 25 * dfg/DFGGraph.h: 26 (JSC::DFG::Graph::constantRegisterForConstant): 27 1 28 2013-08-16 Filip Pizlo <fpizlo@apple.com> 2 29 -
trunk/Source/JavaScriptCore/bytecode/CodeBlock.h
r154199 r154245 685 685 #endif 686 686 687 Vector<WriteBarrier<Unknown> >& constants() { return m_constantRegisters; } 687 688 size_t numberOfConstantRegisters() const { return m_constantRegisters.size(); } 688 689 unsigned addConstant(JSValue v) … … 694 695 } 695 696 696 WriteBarrier<Unknown>& addConstantLazily() 697 { 697 unsigned addConstantLazily() 698 { 699 unsigned result = m_constantRegisters.size(); 698 700 m_constantRegisters.append(WriteBarrier<Unknown>()); 699 return m_constantRegisters.last();701 return result; 700 702 } 701 703 -
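Review bot: The new `constants()` accessor hands out a mutable reference to `m_constantRegisters`, but nothing says that references and pointers into that Vector are invalidated by the very `append` that `addConstantLazily()` performs, which is exactly the hazard this change is fixing. A one-line comment on the accessor would keep the next caller from reintroducing it: `// Hold indices, not references, into this Vector across addConstant*() calls; an append may reallocate the backing store.` Returning `unsigned` from `addConstantLazily()` narrows `size()`, which is consistent with the existing `addConstant`, so it is acceptable as long as that contract stays shared.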
trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
r154162 r154245 404 404 void addConstant(JSValue value) 405 405 { 406 initializeLazyWriteBarrier (407 m_codeBlock ->addConstantLazily(),406 initializeLazyWriteBarrierForConstant( 407 m_codeBlock, 408 408 m_graph.m_plan.writeBarriers, 409 409 m_codeBlock->ownerExecutable(), -
trunk/Source/JavaScriptCore/dfg/DFGDesiredWriteBarriers.cpp
r154162 r154245 27 27 #include "DFGDesiredWriteBarriers.h" 28 28 29 #include "CodeBlock.h" 29 30 #include "JSCJSValueInlines.h" 30 31 … … 32 33 33 34 DesiredWriteBarrier::DesiredWriteBarrier(WriteBarrier<Unknown>* barrier, JSCell* owner) 34 : m_ barrier(barrier)35 , m_ owner(owner)35 : m_owner(owner) 36 , m_type(NormalType) 36 37 { 38 u.m_barrier = barrier; 39 } 40 41 DesiredWriteBarrier::DesiredWriteBarrier(Vector<WriteBarrier<Unknown> >* barriers, unsigned index, JSCell* owner) 42 : m_owner(owner) 43 , m_type(VectorType) 44 { 45 u.barrier_vector.m_barriers = barriers; 46 u.barrier_vector.m_index = index; 37 47 } 38 48 39 49 void DesiredWriteBarrier::trigger(VM& vm) 40 50 { 41 m_barrier->set(vm, m_owner, m_barrier->get()); 51 switch (m_type) { 52 case NormalType: { 53 u.m_barrier->set(vm, m_owner, u.m_barrier->get()); 54 break; 55 } 56 57 case VectorType: { 58 unsigned index = u.barrier_vector.m_index; 59 WriteBarrier<Unknown>& barrier = u.barrier_vector.m_barriers->at(index); 60 barrier.set(vm, m_owner, barrier.get()); 61 break; 62 } 63 64 } 42 65 } 43 66 … … 62 85 } 63 86 87 void initializeLazyWriteBarrierForConstant(CodeBlock* codeBlock, DesiredWriteBarriers& barriers, JSCell* owner, JSValue value) 88 { 89 unsigned constantIndex = codeBlock->addConstantLazily(); 90 WriteBarrier<Unknown>& barrier = codeBlock->constants()[constantIndex]; 91 barrier = WriteBarrier<Unknown>( 92 barriers.add(codeBlock->constants(), constantIndex, owner), value); 93 } 94 64 95 } } // namespace JSC::DFG -
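Review bot: The new `switch` in `DesiredWriteBarrier::trigger` has no `default` case, so an `m_type` value outside `NormalType`/`VectorType` (an uninitialized or corrupted object) silently triggers nothing instead of failing loudly; adding `default: ASSERT_NOT_REACHED(); break;` before the closing brace would also remove the stray blank line left after the `VectorType` case. In the `VectorType` branch the lookup uses `at(index)`, which as far as I recall is bounds-checked only in debug builds, so the safety of the lookup rests on the constants Vector never shrinking or being reordered between `initializeLazyWriteBarrierForConstant` and `trigger`; that invariant deserves a comment on the branch. `initializeLazyWriteBarrierForConstant` also calls `codeBlock->constants()` twice; binding it once to a local reference reads more clearly and makes it obvious that the same Vector is indexed and registered.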
trunk/Source/JavaScriptCore/dfg/DFGDesiredWriteBarriers.h
r154162 r154245 39 39 public: 40 40 DesiredWriteBarrier(WriteBarrier<Unknown>*, JSCell* owner); 41 DesiredWriteBarrier(Vector<WriteBarrier<Unknown> >*, unsigned index, JSCell* owner); 41 42 42 43 void trigger(VM&); 43 44 44 45 private: 45 WriteBarrier<Unknown>* m_barrier;46 46 JSCell* m_owner; 47 enum WriteBarrierType { NormalType, VectorType }; 48 WriteBarrierType m_type; 49 union { 50 WriteBarrier<Unknown>* m_barrier; 51 struct { 52 Vector<WriteBarrier<Unknown> >* m_barriers; 53 unsigned m_index; 54 } barrier_vector; 55 } u; 47 56 }; 48 57 … … 56 65 { 57 66 return addImpl(reinterpret_cast<WriteBarrier<Unknown>*>(&barrier), owner); 67 } 68 69 DesiredWriteBarrier& add(Vector<WriteBarrier<Unknown> >& barriers, unsigned index, JSCell* owner) 70 { 71 m_barriers.append(DesiredWriteBarrier(&barriers, index, owner)); 72 return m_barriers.last(); 58 73 } 59 74 … … 72 87 } 73 88 89 void initializeLazyWriteBarrierForConstant(CodeBlock*, DesiredWriteBarriers&, JSCell* owner, JSValue); 90 74 91 } } // namespace JSC::DFG 75 92 -
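Review bot: The `VectorType` member of the new union stores a raw `Vector<WriteBarrier<Unknown> >*` plus an index, and nothing in the header says who guarantees the Vector outlives the `DesiredWriteBarriers` or that its elements are not removed or reordered before `trigger` runs; a comment such as `// VectorType: the Vector is owned by the CodeBlock and must outlive this object; only the index is kept, never a pointer into the Vector, because appends may reallocate it.` would record that. The nested struct name `barrier_vector` departs from the camelCase used by the surrounding members (`m_barrier`, `m_owner`); `barrierVector` would match. The new `add` overload returns `m_barriers.last()`, a reference into a Vector that a later `add` can reallocate; if the `WriteBarrier` constructor it is handed to only reads the reference this is fine (the existing `addImpl` path presumably behaves the same), but a comment stating that the returned reference is valid only until the next `add` would make the contract explicit.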
trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
r154218 r154245 1373 1373 unsigned constantRegister; 1374 1374 if (!codeBlock()->findConstant(value, constantRegister)) { 1375 initializeLazyWriteBarrier (1376 codeBlock() ->addConstantLazily(),1375 initializeLazyWriteBarrierForConstant( 1376 codeBlock(), 1377 1377 m_graph.m_plan.writeBarriers, 1378 1378 codeBlock()->ownerExecutable(), -
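Review bot: `truncateConstantToInt32` here and `Graph::constantRegisterForConstant` (the DFGGraph.h section below) now carry the same `findConstant` followed by the four-argument `initializeLazyWriteBarrierForConstant` sequence; since FixupPhase already has `m_graph`, this hunk could call `m_graph.constantRegisterForConstant(value)` instead of duplicating the call, provided that helper returns the register index as its name suggests. Both enclosing functions start and end outside their hunks, so I cannot confirm from the page that the surrounding logic is identical.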
trunk/Source/JavaScriptCore/dfg/DFGGraph.h
r154218 r154245 156 156 unsigned constantRegister; 157 157 if (!m_codeBlock->findConstant(value, constantRegister)) { 158 initializeLazyWriteBarrier (159 m_codeBlock ->addConstantLazily(),158 initializeLazyWriteBarrierForConstant( 159 m_codeBlock, 160 160 m_plan.writeBarriers, 161 161 m_codeBlock->ownerExecutable(),