Changeset 249740 in webkit
- Timestamp:
- Sep 10, 2019 4:18:11 PM (5 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 2 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/JavaScriptCore/ChangeLog
r249736 r249740 1 2019-09-10 Yusuke Suzuki <ysuzuki@apple.com> 2 3 [JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData 4 https://bugs.webkit.org/show_bug.cgi?id=201664 5 <rdar://problem/52126927> 6 7 Reviewed by Tadeu Zagallo. 8 9 We are hitting the crash accessing invalid-pointer as CodeBlock::calleeSaveRegisters result. 10 This is because concurrent Baseline JIT compiler can access m_jitData without taking a lock through CodeBlock::calleeSaveRegisters. 11 Since m_jitData can be initialized in the main thread while calling CodeBlock::calleeSaveRegisters from concurrent Baseline JIT compiler thread, 12 we can see half-baked JITData structure which holds garbage pointers. 13 14 But we do not want to make CodeBlock::calleeSaveRegisters() call with CodeBlock::m_lock due to several reasons. 15 16 1. This function is very primitive one and it is called from various AssemblyHelpers functions and other code-generation functions. Some of these functions are 17 called while taking this exact same lock, so dead-lock can happen. 18 2. JITData::m_calleeSaveRegisters is filled only for DFG and FTL CodeBlock. And DFG and FTL code accesses these field after initializing properly. For Baseline JIT 19 compiler case, only thing we should do is that JITData should say m_calleeSaveRegisters is nullptr and it won't be filled for this CodeBlock. 20 21 Instead of guarding CodeBlock::calleeSaveRegisters() function with CodeBlock::m_lock, this patch inserts WTF::storeStoreFence when filling m_jitData. This ensures that 22 JITData::m_calleeSaveRegisters is initialized with nullptr when this JITData pointer is exposed to concurrent Baseline JIT compiler thread. 23 24 * bytecode/CodeBlock.cpp: 25 (JSC::CodeBlock::ensureJITDataSlow): 26 1 27 2019-09-10 Yusuke Suzuki <ysuzuki@apple.com> 2 28 -
trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp
r249706 r249740 1345 1345 { 1346 1346 ASSERT(!m_jitData); 1347 m_jitData = makeUnique<JITData>(); 1347 auto jitData = makeUnique<JITData>(); 1348 // calleeSaveRegisters() can access m_jitData without taking a lock from Baseline JIT. This is OK since JITData::m_calleeSaveRegisters is filled in DFG and FTL CodeBlocks. 1349 // But we should not see garbage pointer in that case. We ensure JITData::m_calleeSaveRegisters is initialized as nullptr before exposing it to BaselineJIT by store-store-fence. 1350 WTF::storeStoreFence(); 1351 m_jitData = WTFMove(jitData); 1348 1352 return *m_jitData; 1349 1353 }
Note: See TracChangeset
for help on using the changeset viewer.