Title: [246563] trunk/Source/JavaScriptCore
- Revision: 246563
- Author: tzaga...@apple.com
- Date: 2019-06-18 13:53:01 -0700 (Tue, 18 Jun 2019)
Log Message
Add missing mutator fence in compileNewFunction
https://bugs.webkit.org/show_bug.cgi?id=198849
<rdar://problem/51733890>
Reviewed by Saam Barati.
Follow-up after r246553. Saam pointed out that we still need a mutator
fence before allocating the FunctionRareData, since the allocation
might trigger a slow path call.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (246562 => 246563)
--- trunk/Source/_javascript_Core/ChangeLog 2019-06-18 20:43:05 UTC (rev 246562)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-06-18 20:53:01 UTC (rev 246563)
@@ -1,5 +1,22 @@
2019-06-18 Tadeu Zagallo <tzaga...@apple.com>
+ Add missing mutator fence in compileNewFunction
+ https://bugs.webkit.org/show_bug.cgi?id=198849
+ <rdar://problem/51733890>
+
+ Reviewed by Saam Barati.
+
+ Follow-up after r246553. Saam pointed out that we still need a mutator
+ fence before allocating the FunctionRareData, since the allocation
+ might trigger a slow path call.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
+
+2019-06-18 Tadeu Zagallo <tzaga...@apple.com>
+
DFG code should not reify the names of builtin functions with private names
https://bugs.webkit.org/show_bug.cgi?id=198849
<rdar://problem/51733890>
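Review bot: The new ChangeLog entry justifies the fence only with "the allocation might trigger a slow path call" and does not say which earlier stores the fence has to order ahead of that call. Add a sentence naming them. The entry also carries the same bug URL (id=198849) and radar as the entry directly below it, so note in the bug that this is a separate follow-up landing, so the two revisions can be told apart from there.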
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (246562 => 246563)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2019-06-18 20:43:05 UTC (rev 246562)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2019-06-18 20:53:01 UTC (rev 246563)
@@ -7184,6 +7184,7 @@
if (executable->isAnonymousBuiltinFunction()) {
VM& vm = *m_jit.vm();
+ m_jit.mutatorFence(vm);
GPRTemporary allocator(this);
Allocator allocatorValue = allocatorForNonVirtualConcurrently<FunctionRareData>(vm, sizeof(FunctionRareData), AllocatorForMode::AllocatorIfExists);
emitAllocateJSCell(scratch1GPR, JITAllocator::constant(allocatorValue), allocator.gpr(), TrustedImmPtr(m_jit.graph().registerStructure(vm.functionRareDataStructure.get())), scratch2GPR, slowPath);
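Review bot: The m_jit.mutatorFence(vm) added inside the isAnonymousBuiltinFunction() branch has no comment, so nothing at the call site says it must stay ahead of emitAllocateJSCell(..., slowPath). Add a one-line comment stating that the FunctionRareData allocation can take slowPath and that the fence has to precede it, so a later cleanup does not move it or drop it as redundant.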
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (246562 => 246563)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-06-18 20:43:05 UTC (rev 246562)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-06-18 20:53:01 UTC (rev 246563)
@@ -5549,6 +5549,7 @@
VM& vm = this->vm();
if (executable->isAnonymousBuiltinFunction()) {
+ mutatorFence();
Allocator allocator = allocatorForNonVirtualConcurrently<FunctionRareData>(vm, sizeof(FunctionRareData), AllocatorForMode::AllocatorIfExists);
LValue rareData = allocateCell(m_out.constIntPtr(allocator.localAllocator()), vm.functionRareDataStructure.get(), slowPath);
m_out.storePtr(m_out.intPtrZero, rareData, m_heaps.FunctionRareData_allocator);
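Review bot: The mutatorFence() placed before allocateCell(..., slowPath) mirrors the DFG change, but the revision touches only ChangeLog and the two JIT files, so nothing exercises the slow path of the FunctionRareData allocation in either tier. Consider adding a regression test that forces this allocation onto its slow path in both DFG and FTL, and give this call the same explanatory comment as the DFG one so the two sites stay in sync.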