[webkit-changes] [168101] trunk/Source/JavaScriptCore

Thu, 01 May 2014 08:48:27 -0700

Title: [168101] trunk/Source/_javascript_Core
Revision
168101
Author
fpi...@apple.com
Date
2014-05-01 08:48:05 -0700 (Thu, 01 May 2014)

Log Message

Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
https://bugs.webkit.org/show_bug.cgi?id=132427

Reviewed by Mark Hahnenberg.

* bytecode/CallLinkStatus.cpp:
(JSC::CallLinkStatus::computeFor):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (168100 => 168101)


--- trunk/Source/_javascript_Core/ChangeLog	2014-05-01 15:46:42 UTC (rev 168100)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-05-01 15:48:05 UTC (rev 168101)
@@ -1,3 +1,13 @@
+2014-05-01  Filip Pizlo  <fpi...@apple.com>
+
+        Fix trivial debug-only race-that-crashes in CallLinkStatus and explain why the remaining races are totally awesome
+        https://bugs.webkit.org/show_bug.cgi?id=132427
+
+        Reviewed by Mark Hahnenberg.
+
+        * bytecode/CallLinkStatus.cpp:
+        (JSC::CallLinkStatus::computeFor):
+
 2014-04-30  Simon Fraser  <simon.fra...@apple.com>
 
         Remove ENABLE_PLUGIN_PROXY_FOR_VIDEO

Modified: trunk/Source/_javascript_Core/bytecode/CallLinkStatus.cpp (168100 => 168101)


--- trunk/Source/_javascript_Core/bytecode/CallLinkStatus.cpp	2014-05-01 15:46:42 UTC (rev 168100)
+++ trunk/Source/_javascript_Core/bytecode/CallLinkStatus.cpp	2014-05-01 15:48:05 UTC (rev 168101)
@@ -149,11 +149,24 @@
 #if ENABLE(JIT)
 CallLinkStatus CallLinkStatus::computeFor(const ConcurrentJITLocker&, CallLinkInfo& callLinkInfo)
 {
+    // Note that despite requiring that the locker is held, this code is racy with respect
+    // to the CallLinkInfo: it may get cleared while this code runs! This is because
+    // CallLinkInfo::unlink() may be called from a different CodeBlock than the one that owns
+    // the CallLinkInfo and currently we save space by not having CallLinkInfos know who owns
+    // them. So, there is no way for either the caller of CallLinkInfo::unlock() or unlock()
+    // itself to figure out which lock to lock.
+    //
+    // Fortunately, that doesn't matter. The only things we ask of CallLinkInfo - the slow
+    // path count, the stub, and the target - can all be asked racily. Stubs and targets can
+    // only be deleted at next GC, so if we load a non-null one, then it must contain data
+    // that is still marginally valid (i.e. the pointers ain't stale). This kind of raciness
+    // is probably OK for now.
+    
     if (callLinkInfo.slowPathCount >= Options::couldTakeSlowCaseMinimumCount())
         return takesSlowPath();
     
-    if (callLinkInfo.stub)
-        return CallLinkStatus(callLinkInfo.stub->executable(), callLinkInfo.stub->structure());
+    if (ClosureCallStubRoutine* stub = callLinkInfo.stub.get())
+        return CallLinkStatus(stub->executable(), stub->structure());
     
     JSFunction* target = callLinkInfo.lastSeenCallee.get();
     if (!target)

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to