Commit fd433bf9 · mhahnenberg@apple.com authored
    <https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
    
    Reviewed by Filip Pizlo.
    
    Added a new mode for DesiredWriteBarrier that allows it to track a position in a
    Vector of WriteBarriers rather than the specific address. The fact that we were
    arbitrarily storing into a Vector's backing store for constants at the end of
    compilation after the Vector could have resized was causing crashes.
    
    * bytecode/CodeBlock.h:
    (JSC::CodeBlock::constants):
    (JSC::CodeBlock::addConstantLazily):
    * dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::addConstant):
    * dfg/DFGDesiredWriteBarriers.cpp:
    (JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
    (JSC::DFG::DesiredWriteBarrier::trigger):
    (JSC::DFG::initializeLazyWriteBarrierForConstant):
    * dfg/DFGDesiredWriteBarriers.h:
    (JSC::DFG::DesiredWriteBarriers::add):
    * dfg/DFGFixupPhase.cpp:
    (JSC::DFG::FixupPhase::truncateConstantToInt32):
    * dfg/DFGGraph.h:
    (JSC::DFG::Graph::constantRegisterForConstant):
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154245 268f45cc-cd09-0410-ab3c-d52691b4dbfc
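The failure the commit message describes (a pointer into a Vector's backing store that dangles once the Vector resizes) and the shape of the fix (record the Vector and an index, and resolve the slot only when the barrier fires), as an added C++ illustration. This is not WebKit's code: `WriteBarrier`, `AddressBarrier`, `IndexedBarrier` and the two helper functions are constructed stand-ins for the JSC types named in the ChangeLog.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed stand-in for JSC::WriteBarrier: one slot in the constant pool.
struct WriteBarrier {
    uintptr_t cell = 0;
};

// The fragile shape: remember the address of the slot at creation time.
// If the Vector reallocates before trigger() runs, `slot` points into freed
// memory and trigger() writes outside the live backing store (the crash the
// commit fixes). Shown for contrast only; nothing below calls it.
struct AddressBarrier {
    WriteBarrier* slot;
    uintptr_t value;
    void trigger() { slot->cell = value; }
};

// The fixed shape: remember the Vector and the slot's index, and resolve the
// slot only when the barrier is triggered, so reallocation is harmless.
struct IndexedBarrier {
    std::vector<WriteBarrier>* constants;
    size_t index;
    uintptr_t value;
    void trigger() { (*constants)[index].cell = value; }
};

// Why the address-based form is unsafe: an address captured before the Vector
// grows is no longer its backing store afterwards. Only integer values are
// compared, so the observation itself is well defined.
bool addressInvalidatedByGrowth(size_t initialCount, size_t extra) {
    std::vector<WriteBarrier> constants(initialCount);
    auto before = reinterpret_cast<uintptr_t>(constants.data());
    for (size_t i = 0; i < extra; ++i)
        constants.push_back(WriteBarrier{});
    return before != reinterpret_cast<uintptr_t>(constants.data());
}

// Model of "add a constant lazily, keep compiling, trigger at the end":
// reserve a slot, let the pool grow, then fire the barrier. Returns what
// actually landed in the reserved slot.
uintptr_t triggerAfterGrowth(size_t initialCount, size_t extra, uintptr_t value) {
    std::vector<WriteBarrier> constants(initialCount);
    size_t index = constants.size();
    constants.push_back(WriteBarrier{});           // the lazily-filled constant
    IndexedBarrier barrier{&constants, index, value};
    for (size_t i = 0; i < extra; ++i)             // more constants arrive later
        constants.push_back(WriteBarrier{});       // (may reallocate)
    barrier.trigger();                             // safe: slot resolved now
    return constants[index].cell;
}

int main() {
    std::printf("address invalidated by growth: %s\n",
                addressInvalidatedByGrowth(4, 64) ? "yes" : "no");
    std::printf("value via indexed barrier: 0x%llx\n",
                static_cast<unsigned long long>(triggerAfterGrowth(4, 64, 0x1234)));
    return 0;
}
```

The design point is the one the commit makes: anything that defers a write into a growable container must capture a stable handle (container plus position) rather than a raw element address, because the address is only valid until the next insertion.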