Changeset 252247 in webkit
- Timestamp:
- Nov 8, 2019 11:37:54 AM (4 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 2 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/JavaScriptCore/ChangeLog
r252243 r252247 1 2019-11-08 Mark Lam <mark.lam@apple.com> 2 3 Remove invalid assertion in DFG's compileNewArray(). 4 https://bugs.webkit.org/show_bug.cgi?id=204002 5 <rdar://problem/56973531> 6 7 Reviewed by Robin Morisset. 8 9 The assertion is in an if clause conditional on !globalObject->isHavingABadTime(). 10 The assertion tests the IndexingType of a structure returned by 11 arrayStructureForIndexingTypeDuringAllocation(). 12 13 However, the structures returned by arrayStructureForIndexingTypeDuringAllocation() 14 may have started transitioning to their SlowPut variant because the mutator will 15 be imminently firing the HavingABadTime watchpoint, but haven't done so yet. 16 In a race, the DFG may see the SlowPut variants of the structures before 17 isHavingABadTime() returns true. Hence, the assertion is invalid. 18 19 Note that the FTL does not have this assertion. 20 21 This issue is already tested by stress/racy-slow-put-cloned-arguments-when-having-a-bad-time.js. 22 23 * dfg/DFGSpeculativeJIT.cpp: 24 (JSC::DFG::SpeculativeJIT::compileNewArray): 25 1 26 2019-11-08 Ross Kirsling <ross.kirsling@sony.com> 2 27 -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
r252229 r252247 7979 7979 RegisteredStructure structure = m_jit.graph().registerStructure(globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType())); 7980 7980 if (!globalObject->isHavingABadTime() && !hasAnyArrayStorage(node->indexingType())) { 7981 ASSERT(7982 hasUndecided(structure->indexingType())7983 || hasInt32(structure->indexingType())7984 || hasDouble(structure->indexingType())7985 || hasContiguous(structure->indexingType()));7986 7987 7981 unsigned numElements = node->numChildren(); 7988 7982 unsigned vectorLengthHint = node->vectorLengthHint();
Note: See TracChangeset
for help on using the changeset viewer.