Changeset 249458 in webkit


Timestamp:
Sep 3, 2019 11:13:46 PM (5 years ago)
Author:
mark.lam@apple.com
Message:

Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
https://bugs.webkit.org/show_bug.cgi?id=201309
<rdar://problem/54832121>

Reviewed by Yusuke Suzuki.

JSTests:

  • stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.

Source/JavaScriptCore:

  • dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

  • runtime/JSArrayBufferView.h:
  • runtime/JSArrayBufferViewInlines.h:

(JSC::JSArrayBufferView::possiblySharedBufferImpl):
(JSC::JSArrayBufferView::possiblySharedBuffer):
(JSC::JSArrayBufferView::byteOffsetImpl):
(JSC::JSArrayBufferView::byteOffset):
(JSC::JSArrayBufferView::byteOffsetConcurrently):

Location:
trunk
Files:
1 added
5 edited

  • trunk/JSTests/ChangeLog

    r249337 r249458  
     12019-09-03  Mark Lam  <mark.lam@apple.com>
     2
     3        Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
     4        https://bugs.webkit.org/show_bug.cgi?id=201309
     5        <rdar://problem/54832121>
     6
     7        Reviewed by Yusuke Suzuki.
     8
     9        * stress/JSArrayBufferView-byteOffset-is-racy-from-compiler-thread.js: Added.
     10
    1112019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
    212
  • trunk/Source/JavaScriptCore/ChangeLog

    r249450 r249458  
     12019-09-03  Mark Lam  <mark.lam@apple.com>
     2
     3        Assertions in JSArrayBufferView::byteOffset() are only valid for the mutator thread.
     4        https://bugs.webkit.org/show_bug.cgi?id=201309
     5        <rdar://problem/54832121>
     6
     7        Reviewed by Yusuke Suzuki.
     8
     9        * dfg/DFGAbstractInterpreterInlines.h:
     10        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
     11        * runtime/JSArrayBufferView.h:
     12        * runtime/JSArrayBufferViewInlines.h:
     13        (JSC::JSArrayBufferView::possiblySharedBufferImpl):
     14        (JSC::JSArrayBufferView::possiblySharedBuffer):
     15        (JSC::JSArrayBufferView::byteOffsetImpl):
     16        (JSC::JSArrayBufferView::byteOffset):
     17        (JSC::JSArrayBufferView::byteOffsetConcurrently):
     18
    1192019-09-03  Devin Rousso  <drousso@apple.com>
    220
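--- a/trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+++ b/trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
@@ -3258,6 +3258,9 @@
         JSArrayBufferView* view = m_graph.tryGetFoldableView(forNode(node->child1()).m_value);
         if (view) {
-            setConstant(node, jsNumber(view->byteOffset()));
-            break;
+            Optional<unsigned> byteOffset = view->byteOffsetConcurrently();
+            if (byteOffset) {
+                setConstant(node, jsNumber(*byteOffset));
+                break;
+            }
         }
         setNonCellTypeForNode(node, SpecInt32Only);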
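Review bot: The `if (byteOffset)` added at new line 3261 silently gives up the fold when `byteOffsetConcurrently()` returns nullopt, and nothing at the call site says why a view the graph considers foldable can fail to yield an offset, so a later reader may "simplify" this back to `view->byteOffset()` and reintroduce the assertion failure this commit removes. A one-line comment such as `// nullopt: the compiler thread observed an inconsistent vector/buffer delta; leave the node unfolded rather than bake in a torn value.` would pin that down — from the inlines hunk, nullopt is produced when the observed delta does not round-trip through unsigned. The declaration and test could also be one statement, `if (Optional<unsigned> byteOffset = view->byteOffsetConcurrently()) {`, which scopes the optional to the branch. executeEffects starts and ends outside this hunk.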
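--- a/trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h
+++ b/trunk/Source/JavaScriptCore/runtime/JSArrayBufferView.h
@@ -163,5 +163,5 @@
     bool isShared();
     JS_EXPORT_PRIVATE ArrayBuffer* unsharedBuffer();
-    ArrayBuffer* possiblySharedBuffer();
+    inline ArrayBuffer* possiblySharedBuffer();
     JSArrayBuffer* unsharedJSBuffer(ExecState* exec);
     JSArrayBuffer* possiblySharedJSBuffer(ExecState* exec);
@@ -174,5 +174,7 @@
     void* vector() const { return m_vector.getMayBeNull(length()); }
    
-    unsigned byteOffset();
+    inline unsigned byteOffset();
+    inline Optional<unsigned> byteOffsetConcurrently();
+
     unsigned length() const { return m_length; }
 
@@ -186,4 +188,8 @@
 
 private:
+    enum Requester { Mutator, ConcurrentThread };
+    template<Requester, typename ResultType> ResultType byteOffsetImpl();
+    template<Requester> ArrayBuffer* possiblySharedBufferImpl();
+
     JS_EXPORT_PRIVATE ArrayBuffer* slowDownAndWasteMemory();
     static void finalize(JSCell*);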
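Review bot: `byteOffsetConcurrently()` at new line 177 and the `Requester` tag at line 190 are declared without a comment, so the contract the inlines header establishes — callable off the mutator thread, asserts only that the view is not a FastTypedArray/OversizeTypedArray, and yields `WTF::nullopt` instead of asserting when the observed vector/buffer delta does not fit in an unsigned — is invisible at the declaration, which is exactly where a compiler-thread caller chooses between it and `byteOffset()`. A two-line comment above line 177 stating that contract would keep the mistake in the bug title from recurring. If the project's style allows it for a private template tag, `enum class Requester` would also keep `Mutator` and `ConcurrentThread` out of the class's unqualified name scope, at the cost of qualifying the handful of uses in the inlines.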
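--- a/trunk/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h
+++ b/trunk/Source/JavaScriptCore/runtime/JSArrayBufferViewInlines.h
@@ -44,6 +44,10 @@
 }
 
-inline ArrayBuffer* JSArrayBufferView::possiblySharedBuffer()
+template<JSArrayBufferView::Requester requester>
+inline ArrayBuffer* JSArrayBufferView::possiblySharedBufferImpl()
 {
+    if (requester == ConcurrentThread)
+        ASSERT(m_mode != FastTypedArray && m_mode != OversizeTypedArray);
+
     switch (m_mode) {
     case WastefulTypedArray:
@@ -57,4 +61,9 @@
     ASSERT_NOT_REACHED();
     return nullptr;
+}
+
+inline ArrayBuffer* JSArrayBufferView::possiblySharedBuffer()
+{
+    return possiblySharedBufferImpl<Mutator>();
 }
 
@@ -72,18 +81,41 @@
 }
 
-inline unsigned JSArrayBufferView::byteOffset()
+template<JSArrayBufferView::Requester requester, typename ResultType>
+inline ResultType JSArrayBufferView::byteOffsetImpl()
 {
     if (!hasArrayBuffer())
         return 0;
-   
-    ArrayBuffer* buffer = possiblySharedBuffer();
-    ASSERT(!vector() == !buffer->data());
-   
+
+    if (requester == ConcurrentThread)
+        WTF::loadLoadFence();
+
+    ArrayBuffer* buffer = possiblySharedBufferImpl<requester>();
+    if (requester == Mutator) {
+        ASSERT(!isCompilationThread());
+        ASSERT(!vector() == !buffer->data());
+    }
+
     ptrdiff_t delta =
         bitwise_cast<uint8_t*>(vector()) - static_cast<uint8_t*>(buffer->data());
-   
+
     unsigned result = static_cast<unsigned>(delta);
-    ASSERT(static_cast<ptrdiff_t>(result) == delta);
+    if (requester == Mutator)
+        ASSERT(static_cast<ptrdiff_t>(result) == delta);
+    else {
+        if (static_cast<ptrdiff_t>(result) != delta)
+            return { };
+    }
+
     return result;
+}
+
+inline unsigned JSArrayBufferView::byteOffset()
+{
+    return byteOffsetImpl<Mutator, unsigned>();
+}
+
+inline Optional<unsigned> JSArrayBufferView::byteOffsetConcurrently()
+{
+    return byteOffsetImpl<ConcurrentThread, Optional<unsigned>>();
 }
 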
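Review bot: The ConcurrentThread precondition in `possiblySharedBufferImpl` (new lines 49–50) is enforced only by ASSERT, so in a release build a FastTypedArray or OversizeTypedArray view reached from a compiler thread would fall into the `switch`, whose cases sit outside this hunk and cannot be checked here for mutator-only work. If `hasArrayBuffer()` already returns false for those modes the assertion is unreachable via `byteOffsetImpl` and a comment saying so is enough; otherwise a release guard after the fence at line 90, `if (requester == ConcurrentThread && (m_mode == FastTypedArray || m_mode == OversizeTypedArray)) return { };`, would decline the fold the same way the delta check at lines 105–106 does. The `else { if (...) return { }; }` at lines 104–107 reads more simply as `else if (static_cast<ptrdiff_t>(result) != delta) return { };`, and since `requester` is a template constant, `if constexpr` would make the Mutator/ConcurrentThread split explicit where the toolchain allows it. A short comment on `byteOffsetImpl` saying why the `loadLoadFence` sits between `hasArrayBuffer()` and the buffer/vector reads, and that a nullopt result means the observed delta did not survive the round trip through unsigned, would spare the next reader a trip to the bug report.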