Changeset 154245 in webkit


Timestamp:
Aug 17, 2013 8:08:52 PM (11 years ago)
Author:
mhahnenberg@apple.com
Message:

<https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML

Reviewed by Filip Pizlo.

Added a new mode for DesiredWriteBarrier that lets it track a position (index) in a
Vector of WriteBarriers rather than a specific address. We were storing through a
pointer into the constants Vector's backing store at the end of compilation, after the
Vector could have resized (and reallocated), which was causing crashes.

  • bytecode/CodeBlock.h:

(JSC::CodeBlock::constants):
(JSC::CodeBlock::addConstantLazily):

  • dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::addConstant):

  • dfg/DFGDesiredWriteBarriers.cpp:

(JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
(JSC::DFG::DesiredWriteBarrier::trigger):
(JSC::DFG::initializeLazyWriteBarrierForConstant):

  • dfg/DFGDesiredWriteBarriers.h:

(JSC::DFG::DesiredWriteBarriers::add):

  • dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::truncateConstantToInt32):

  • dfg/DFGGraph.h:

(JSC::DFG::Graph::constantRegisterForConstant):

Location:
trunk/Source/JavaScriptCore
Files:
7 edited

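--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,29 @@
+2013-08-17  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
+
+        Reviewed by Filip Pizlo.
+
+        Added a new mode for DesiredWriteBarrier that allows it to track a position in a
+        Vector of WriteBarriers rather than the specific address. The fact that we were
+        arbitrarily storing into a Vector's backing store for constants at the end of
+        compilation after the Vector could have resized was causing crashes.
+
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::constants):
+        (JSC::CodeBlock::addConstantLazily):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::addConstant):
+        * dfg/DFGDesiredWriteBarriers.cpp:
+        (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
+        (JSC::DFG::DesiredWriteBarrier::trigger):
+        (JSC::DFG::initializeLazyWriteBarrierForConstant):
+        * dfg/DFGDesiredWriteBarriers.h:
+        (JSC::DFG::DesiredWriteBarriers::add):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::truncateConstantToInt32):
+        * dfg/DFGGraph.h:
+        (JSC::DFG::Graph::constantRegisterForConstant):
+
 2013-08-16  Filip Pizlo  <fpizlo@apple.com>
 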
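--- a/trunk/Source/JavaScriptCore/bytecode/CodeBlock.h
+++ b/trunk/Source/JavaScriptCore/bytecode/CodeBlock.h
@@ -685,4 +685,5 @@
 #endif
 
+    Vector<WriteBarrier<Unknown> >& constants() { return m_constantRegisters; }
     size_t numberOfConstantRegisters() const { return m_constantRegisters.size(); }
     unsigned addConstant(JSValue v)
@@ -694,8 +695,9 @@
     }
 
-    WriteBarrier<Unknown>& addConstantLazily()
-    {
+    unsigned addConstantLazily()
+    {
+        unsigned result = m_constantRegisters.size();
         m_constantRegisters.append(WriteBarrier<Unknown>());
-        return m_constantRegisters.last();
+        return result;
     }
 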
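Review bot: `addConstantLazily()` now hands out an index whose meaning depends on `m_constantRegisters` being append-only until the deferred barrier fires, and neither that invariant nor the reason for returning an index instead of a reference is recorded, so a later cleanup could reintroduce the dangling-reference bug this changeset fixes. Suggested comment on the new overload: `// Returns an index, not a reference: the Vector may reallocate before the deferred write barrier is triggered. Only append to m_constantRegisters until then.` The new `constants()` accessor exposes the mutable Vector, so any caller that erases or reorders entries through it would silently invalidate outstanding indices; a one-line note on the accessor would make that risk visible. Also, `size()` is `size_t` and the result is stored in `unsigned`, a narrowing that mirrors the existing `addConstant()` return type but is worth a glance if constant counts can get large.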
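--- a/trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
@@ -404,6 +404,6 @@
     void addConstant(JSValue value)
     {
-        initializeLazyWriteBarrier(
-            m_codeBlock->addConstantLazily(),
+        initializeLazyWriteBarrierForConstant(
+            m_codeBlock,
             m_graph.m_plan.writeBarriers,
             m_codeBlock->ownerExecutable(),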
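--- a/trunk/Source/JavaScriptCore/dfg/DFGDesiredWriteBarriers.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGDesiredWriteBarriers.cpp
@@ -27,4 +27,5 @@
 #include "DFGDesiredWriteBarriers.h"
 
+#include "CodeBlock.h"
 #include "JSCJSValueInlines.h"
 
@@ -32,12 +33,34 @@
 
 DesiredWriteBarrier::DesiredWriteBarrier(WriteBarrier<Unknown>* barrier, JSCell* owner)
-    : m_barrier(barrier)
-    , m_owner(owner)
+    : m_owner(owner)
+    , m_type(NormalType)
 {
+    u.m_barrier = barrier;
+}
+
+DesiredWriteBarrier::DesiredWriteBarrier(Vector<WriteBarrier<Unknown> >* barriers, unsigned index, JSCell* owner)
+    : m_owner(owner)
+    , m_type(VectorType)
+{
+    u.barrier_vector.m_barriers = barriers;
+    u.barrier_vector.m_index = index;
 }
 
 void DesiredWriteBarrier::trigger(VM& vm)
 {
-    m_barrier->set(vm, m_owner, m_barrier->get());
+    switch (m_type) {
+    case NormalType: {
+        u.m_barrier->set(vm, m_owner, u.m_barrier->get());
+        break;
+    }
+
+    case VectorType: {
+        unsigned index = u.barrier_vector.m_index;
+        WriteBarrier<Unknown>& barrier = u.barrier_vector.m_barriers->at(index);
+        barrier.set(vm, m_owner, barrier.get());
+        break;
+    }
+
+    }
 }
 
@@ -62,3 +85,11 @@
 }
 
+void initializeLazyWriteBarrierForConstant(CodeBlock* codeBlock, DesiredWriteBarriers& barriers, JSCell* owner, JSValue value)
+{
+    unsigned constantIndex = codeBlock->addConstantLazily();
+    WriteBarrier<Unknown>& barrier = codeBlock->constants()[constantIndex];
+    barrier = WriteBarrier<Unknown>(
+        barriers.add(codeBlock->constants(), constantIndex, owner), value);
+}
+
 } } // namespace JSC::DFG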
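Review bot: In the `VectorType` case of `trigger()`, re-resolving the slot by index at trigger time is the fix, but the lookup silently assumes the constants Vector is still alive and that nothing has been erased or reordered since `add()`; if that assumption breaks, the barrier fires on the wrong slot, and if `WTF::Vector::at()` only asserts in debug builds (I believe it does) an out-of-range index is an out-of-bounds read/write in release. A comment on the case would pin the contract: `// Re-resolve by index: the Vector may have reallocated since add(). Requires append-only use of the Vector until trigger().` The `switch` also has no terminal case, so an uninitialized or corrupted `m_type` does nothing rather than failing loudly; the file's usual pattern would be a `default: ASSERT_NOT_REACHED(); break;` arm, or the project's release-assert equivalent. In `initializeLazyWriteBarrierForConstant`, the `barrier` reference is taken before `barriers.add()` runs and stays valid only because `add()` never touches the constants Vector, which deserves a one-line comment so the ordering is not "simplified" later.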
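--- a/trunk/Source/JavaScriptCore/dfg/DFGDesiredWriteBarriers.h
+++ b/trunk/Source/JavaScriptCore/dfg/DFGDesiredWriteBarriers.h
@@ -39,10 +39,19 @@
 public:
     DesiredWriteBarrier(WriteBarrier<Unknown>*, JSCell* owner);
+    DesiredWriteBarrier(Vector<WriteBarrier<Unknown> >*, unsigned index, JSCell* owner);
 
     void trigger(VM&);
 
 private:
-    WriteBarrier<Unknown>* m_barrier;
     JSCell* m_owner;
+    enum WriteBarrierType { NormalType, VectorType };
+    WriteBarrierType m_type;
+    union {
+        WriteBarrier<Unknown>* m_barrier;
+        struct {
+            Vector<WriteBarrier<Unknown> >* m_barriers;
+            unsigned m_index;
+        } barrier_vector;
+    } u;
 };
 
@@ -56,4 +65,10 @@
     {
         return addImpl(reinterpret_cast<WriteBarrier<Unknown>*>(&barrier), owner);
+    }
+
+    DesiredWriteBarrier& add(Vector<WriteBarrier<Unknown> >& barriers, unsigned index, JSCell* owner)
+    {
+        m_barriers.append(DesiredWriteBarrier(&barriers, index, owner));
+        return m_barriers.last();
     }
 
@@ -72,4 +87,6 @@
 }
 
+void initializeLazyWriteBarrierForConstant(CodeBlock*, DesiredWriteBarriers&, JSCell* owner, JSValue);
+
 } } // namespace JSC::DFG
 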
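Review bot: The new `add()` overload returns `m_barriers.last()`, a reference into a Vector that the very next `add()` can reallocate — the same class of hazard this changeset is fixing for constants — and the one caller in this changeset is only safe if the `WriteBarrier<Unknown>(DesiredWriteBarrier&, JSValue)` constructor consumes the reference without retaining it, which the hunk does not show. Document the lifetime on the overload: `// The returned reference is only valid until the next add(); do not retain it.` The union is a tagged union whose arm is selected by `m_type`, so a one-line comment on `u` such as `// Which arm is live is determined by m_type.` would make the invariant explicit to readers of the header alone. On style, `barrier_vector` and the single-letter `u` stand out against the surrounding `m_`-prefixed camelCase members; something like `m_vectorBarrier` (or a named struct) would match the file.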
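--- a/trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
@@ -1373,6 +1373,6 @@
         unsigned constantRegister;
         if (!codeBlock()->findConstant(value, constantRegister)) {
-            initializeLazyWriteBarrier(
-                codeBlock()->addConstantLazily(),
+            initializeLazyWriteBarrierForConstant(
+                codeBlock(),
                 m_graph.m_plan.writeBarriers,
                 codeBlock()->ownerExecutable(),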
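--- a/trunk/Source/JavaScriptCore/dfg/DFGGraph.h
+++ b/trunk/Source/JavaScriptCore/dfg/DFGGraph.h
@@ -156,6 +156,6 @@
         unsigned constantRegister;
         if (!m_codeBlock->findConstant(value, constantRegister)) {
-            initializeLazyWriteBarrier(
-                m_codeBlock->addConstantLazily(),
+            initializeLazyWriteBarrierForConstant(
+                m_codeBlock,
                 m_plan.writeBarriers,
                 m_codeBlock->ownerExecutable(),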