[webkit-changes] [202288] trunk/Source/JavaScriptCore

[sbarati]

Title: [202288] trunk/Source/_javascript_Core

Revision

202288

Author

sbar...@apple.com

Date

2016-06-21 13:14:00 -0700 (Tue, 21 Jun 2016)

Log Message

CodeBlock::shrinkToFit is racy
https://bugs.webkit.org/show_bug.cgi?id=158994
<rdar://problem/26920212>

Reviewed by Filip Pizlo.

To see why this is racy, consider the following scenario:
- CodeBlock A is link()ing its baseline compile.
- CodeBlock B is inlining A, and asks A for a result profile in DFGBytecodeParser.
- The race occurs when the link() step of the baseline compile calls shrinkToFit
  on its m_resultProfiles field without grabbing a lock. This leads to a bad
  time because the DFG compile will be reading from that vector as it's getting
  changed by the baseline link() method.

This race has always existed, though the move to a concurrent baseline
JIT has made it more likely to occur. The solution is to have CodeBlock::shrinkToFit
grab its lock before shrinking the vector.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::shrinkToFit):

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (202287 => 202288)

--- trunk/Source/_javascript_Core/ChangeLog	2016-06-21 19:06:59 UTC (rev 202287)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-06-21 20:14:00 UTC (rev 202288)
@@ -1,3 +1,26 @@
+2016-06-21  Saam Barati  <sbar...@apple.com>
+
+        CodeBlock::shrinkToFit is racy
+        https://bugs.webkit.org/show_bug.cgi?id=158994
+        <rdar://problem/26920212>
+
+        Reviewed by Filip Pizlo.
+
+        To see why this is racy, consider the following scenario:
+        - CodeBlock A is link()ing its baseline compile.
+        - CodeBlock B is inlining A, and asks A for a result profile in DFGBytecodeParser.
+        - The race occurs when the link() step of the baseline compile calls shrinkToFit
+          on its m_resultProfiles field without grabbing a lock. This leads to a bad
+          time because the DFG compile will be reading from that vector as it's getting
+          changed by the baseline link() method.
+
+        This race has always existed, though the move to a concurrent baseline
+        JIT has made it more likely to occur. The solution is to have CodeBlock::shrinkToFit
+        grab its lock before shrinking the vector.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::shrinkToFit):
+
 2016-06-21  David Kilzer  <ddkil...@apple.com>
 
         Migrate testair & testb3 settings from Xcode project to ToolExecutable.xcconfig

Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (202287 => 202288)

--- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2016-06-21 19:06:59 UTC (rev 202287)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp	2016-06-21 20:14:00 UTC (rev 202288)
@@ -3236,6 +3236,8 @@
 
 void CodeBlock::shrinkToFit(ShrinkMode shrinkMode)
 {
+    ConcurrentJITLocker locker(m_lock);
+
     m_rareCaseProfiles.shrinkToFit();
     m_resultProfiles.shrinkToFit();
     

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes