Context Navigation

← Previous Changeset
Next Changeset →

Changeset 251812 in webkit

Timestamp:

Oct 30, 2019 3:19:33 PM (5 years ago)

Author:

Tadeu Zagallo

Message:

tryCachePutToScopeGlobal should hold the lock to update metadata.m_getPutInfo
https://bugs.webkit.org/show_bug.cgi?id=203628
<rdar://problem/56705353>

Reviewed by Yusuke Suzuki.

JSTests:

stress/property-move-from-global-object-to-global-lexical-environment.js: Added.

(foo):

Source/JavaScriptCore:

We hold the lock to update m_watchpointSet and m_operand, but at that point we have already
updated m_getPutInfo. This can lead to inconsistent state observable from the compiler thread
where the getPutInfo does not match the watchpointSet.

runtime/CommonSlowPaths.h:

(JSC::CommonSlowPaths::tryCachePutToScopeGlobal):

Location:

trunk

Files:

: 1 added
: 3 edited

JSTests/ChangeLog (modified) (1 diff)
JSTests/stress/property-move-from-global-object-to-global-lexical-environment.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/runtime/CommonSlowPaths.h (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r251736
+                      r251812
+-10-30  Tadeu Zagallo  <tzagallo@apple.com>
+        tryCachePutToScopeGlobal should hold the lock to update metadata.m_getPutInfo
+        https://bugs.webkit.org/show_bug.cgi?id=203628
+        <rdar://problem/56705353>
+        Reviewed by Yusuke Suzuki.
+        * stress/property-move-from-global-object-to-global-lexical-environment.js: Added.
+        (foo):
 -10-29  Yusuke Suzuki  <ysuzuki@apple.com>

trunk/Source/JavaScriptCore/ChangeLog

-                      r251737
+                      r251812
+-10-30  Tadeu Zagallo  <tzagallo@apple.com>
+        tryCachePutToScopeGlobal should hold the lock to update metadata.m_getPutInfo
+        https://bugs.webkit.org/show_bug.cgi?id=203628
+        <rdar://problem/56705353>
+        Reviewed by Yusuke Suzuki.
+        We hold the lock to update m_watchpointSet and m_operand, but at that point we have already
+        updated m_getPutInfo. This can lead to inconsistent state observable from the compiler thread
+        where the getPutInfo does not match the watchpointSet.
+        * runtime/CommonSlowPaths.h:
+        (JSC::CommonSlowPaths::tryCachePutToScopeGlobal):
 -10-07  Jer Noble  <jer.noble@apple.com>

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h

-                      r251425
+                      r251812
             JSGlobalLexicalEnvironment* globalLexicalEnvironment = jsCast<JSGlobalLexicalEnvironment*>(scope);
             ResolveType newResolveType = needsVarInjectionChecks(resolveType) ? GlobalLexicalVarWithVarInjectionChecks : GlobalLexicalVar;
-            metadata.m_getPutInfo = GetPutInfo(metadata.m_getPutInfo.resolveMode(), newResolveType, metadata.m_getPutInfo.initializationMode());
             SymbolTableEntry entry = globalLexicalEnvironment->symbolTable()->get(ident.impl());
             ASSERT(!entry.isNull());
             ConcurrentJSLocker locker(codeBlock->m_lock);
+            metadata.m_getPutInfo = GetPutInfo(metadata.m_getPutInfo.resolveMode(), newResolveType, metadata.m_getPutInfo.initializationMode());
             metadata.m_watchpointSet = entry.watchpointSet();
             metadata.m_operand = reinterpret_cast<uintptr_t>(globalLexicalEnvironment->variableAt(entry.scopeOffset()).slot());

Note: See TracChangeset for help on using the changeset viewer.