Commit fd433bf9 authored by mhahnenberg@apple.com's avatar mhahnenberg@apple.com

<https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-*...

<https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML

Reviewed by Filip Pizlo.

Added a new mode for DesiredWriteBarrier that allows it to track a position in a
Vector of WriteBarriers rather than the specific address. The fact that we were
storing a raw pointer into the constants Vector's backing store and writing through it at the end of
compilation, after the Vector could have been reallocated by later appends, was causing crashes.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::constants):
(JSC::CodeBlock::addConstantLazily):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addConstant):
* dfg/DFGDesiredWriteBarriers.cpp:
(JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
(JSC::DFG::DesiredWriteBarrier::trigger):
(JSC::DFG::initializeLazyWriteBarrierForConstant):
* dfg/DFGDesiredWriteBarriers.h:
(JSC::DFG::DesiredWriteBarriers::add):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::truncateConstantToInt32):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::constantRegisterForConstant):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154245 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent ef87a9e1
2013-08-17 Mark Hahnenberg <mhahnenberg@apple.com>
<https://webkit.org/b/119919> Concurrent JIT crashes in various fast/js/dfg-* tests while the main thread is setting innerHTML
Reviewed by Filip Pizlo.
Added a new mode for DesiredWriteBarrier that allows it to track a position in a
Vector of WriteBarriers rather than the specific address. The fact that we were
arbitrarily storing into a Vector's backing store for constants at the end of
compilation after the Vector could have resized was causing crashes.
* bytecode/CodeBlock.h:
(JSC::CodeBlock::constants):
(JSC::CodeBlock::addConstantLazily):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addConstant):
* dfg/DFGDesiredWriteBarriers.cpp:
(JSC::DFG::DesiredWriteBarrier::DesiredWriteBarrier):
(JSC::DFG::DesiredWriteBarrier::trigger):
(JSC::DFG::initializeLazyWriteBarrierForConstant):
* dfg/DFGDesiredWriteBarriers.h:
(JSC::DFG::DesiredWriteBarriers::add):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::truncateConstantToInt32):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::constantRegisterForConstant):
2013-08-16 Filip Pizlo <fpizlo@apple.com>
DFG should optimize typedArray.byteLength
......
......@@ -684,6 +684,7 @@ public:
const Identifier& identifier(int index) const { return m_unlinkedCode->identifier(index); }
#endif
Vector<WriteBarrier<Unknown> >& constants() { return m_constantRegisters; }
size_t numberOfConstantRegisters() const { return m_constantRegisters.size(); }
unsigned addConstant(JSValue v)
{
......@@ -693,10 +694,11 @@ public:
return result;
}
WriteBarrier<Unknown>& addConstantLazily()
unsigned addConstantLazily()
{
unsigned result = m_constantRegisters.size();
m_constantRegisters.append(WriteBarrier<Unknown>());
return m_constantRegisters.last();
return result;
}
bool findConstant(JSValue, unsigned& result);
......
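Review bot: `addConstantLazily()` now returns an index whose only safe use is through `constants()[index]` at the moment of access, but nothing in the header states that; the old signature returned a reference into `m_constantRegisters`, which is exactly the dangling pointer this commit removes, so the contract deserves a comment. I would put above `unsigned addConstantLazily()`: `// Returns the slot index rather than a reference: any later append may reallocate m_constantRegisters, so re-fetch the slot via constants()[index] each time it is needed.` The new `constants()` accessor hands out the vector by non-const reference, so any caller can append, clear or reorder it between registration of a lazy barrier and its trigger; a one-line note that the DFG keeps (vector, index) pairs into it would warn future callers that only appends are safe.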
......@@ -403,8 +403,8 @@ private:
void addConstant(JSValue value)
{
initializeLazyWriteBarrier(
m_codeBlock->addConstantLazily(),
initializeLazyWriteBarrierForConstant(
m_codeBlock,
m_graph.m_plan.writeBarriers,
m_codeBlock->ownerExecutable(),
value);
......
......@@ -26,19 +26,42 @@
#include "config.h"
#include "DFGDesiredWriteBarriers.h"
#include "CodeBlock.h"
#include "JSCJSValueInlines.h"
namespace JSC { namespace DFG {
DesiredWriteBarrier::DesiredWriteBarrier(WriteBarrier<Unknown>* barrier, JSCell* owner)
: m_barrier(barrier)
, m_owner(owner)
: m_owner(owner)
, m_type(NormalType)
{
u.m_barrier = barrier;
}
DesiredWriteBarrier::DesiredWriteBarrier(Vector<WriteBarrier<Unknown> >* barriers, unsigned index, JSCell* owner)
: m_owner(owner)
, m_type(VectorType)
{
u.barrier_vector.m_barriers = barriers;
u.barrier_vector.m_index = index;
}
void DesiredWriteBarrier::trigger(VM& vm)
{
m_barrier->set(vm, m_owner, m_barrier->get());
switch (m_type) {
case NormalType: {
u.m_barrier->set(vm, m_owner, u.m_barrier->get());
break;
}
case VectorType: {
unsigned index = u.barrier_vector.m_index;
WriteBarrier<Unknown>& barrier = u.barrier_vector.m_barriers->at(index);
barrier.set(vm, m_owner, barrier.get());
break;
}
}
}
DesiredWriteBarriers::DesiredWriteBarriers()
......@@ -61,4 +84,12 @@ void DesiredWriteBarriers::trigger(VM& vm)
m_barriers[i].trigger(vm);
}
void initializeLazyWriteBarrierForConstant(CodeBlock* codeBlock, DesiredWriteBarriers& barriers, JSCell* owner, JSValue value)
{
unsigned constantIndex = codeBlock->addConstantLazily();
WriteBarrier<Unknown>& barrier = codeBlock->constants()[constantIndex];
barrier = WriteBarrier<Unknown>(
barriers.add(codeBlock->constants(), constantIndex, owner), value);
}
} } // namespace JSC::DFG
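Review bot: The VectorType branch of `trigger()` indexes `u.barrier_vector.m_barriers->at(index)` with an index recorded at registration time, so the scheme is only sound if the constants vector is never shrunk, cleared or reordered before the plan's barriers fire; if WTF's `Vector::at` checks bounds only in debug builds (I cannot confirm that from this hunk), a violated invariant becomes an out-of-bounds heap write in release rather than a crash. A `RELEASE_ASSERT(index < u.barrier_vector.m_barriers->size());` before the `at()` call would make that failure deterministic. In `initializeLazyWriteBarrierForConstant`, the reference `barrier` into `codeBlock->constants()` is taken before `barriers.add(...)` runs; that is fine today because `add` appends to the DesiredWriteBarriers' own vector, but the ordering is fragile and costs nothing to fix: `DesiredWriteBarrier& desired = barriers.add(codeBlock->constants(), constantIndex, owner); codeBlock->constants()[constantIndex] = WriteBarrier<Unknown>(desired, value);`.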
......@@ -38,12 +38,21 @@ namespace DFG {
class DesiredWriteBarrier {
public:
DesiredWriteBarrier(WriteBarrier<Unknown>*, JSCell* owner);
DesiredWriteBarrier(Vector<WriteBarrier<Unknown> >*, unsigned index, JSCell* owner);
void trigger(VM&);
private:
WriteBarrier<Unknown>* m_barrier;
JSCell* m_owner;
enum WriteBarrierType { NormalType, VectorType };
WriteBarrierType m_type;
union {
WriteBarrier<Unknown>* m_barrier;
struct {
Vector<WriteBarrier<Unknown> >* m_barriers;
unsigned m_index;
} barrier_vector;
} u;
};
class DesiredWriteBarriers {
......@@ -57,6 +66,12 @@ public:
return addImpl(reinterpret_cast<WriteBarrier<Unknown>*>(&barrier), owner);
}
DesiredWriteBarrier& add(Vector<WriteBarrier<Unknown> >& barriers, unsigned index, JSCell* owner)
{
m_barriers.append(DesiredWriteBarrier(&barriers, index, owner));
return m_barriers.last();
}
void trigger(VM&);
private:
......@@ -71,6 +86,8 @@ void initializeLazyWriteBarrier(WriteBarrier<T>& barrier, DesiredWriteBarriers&
barrier = WriteBarrier<T>(barriers.add(barrier, owner), value);
}
void initializeLazyWriteBarrierForConstant(CodeBlock*, DesiredWriteBarriers&, JSCell* owner, JSValue);
} } // namespace JSC::DFG
#endif // DFGDesiredWriteBarriers_h
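Review bot: The new `add(Vector<WriteBarrier<Unknown> >&, unsigned, JSCell*)` returns `m_barriers.last()`, a reference into `DesiredWriteBarriers::m_barriers` that the very next `add` call can invalidate by reallocation — the same pattern this commit is fixing one level up. Whether that matters depends on whether the `WriteBarrier(DesiredWriteBarrier&, JSValue)` constructor retains the reference, which is not visible here; if it is only a type-level token, a comment on `add` saying `// The returned reference is invalidated by the next add(); do not store it.` would stop someone from keeping it. The anonymous union also carries an undocumented invariant; I would put above `union {`: `// Only the member selected by m_type is valid. VectorType re-resolves the slot at trigger time because the Vector may have been reallocated since registration.` As a point of style, `barrier_vector` is the only snake_case identifier in the file; `barrierVector` would match the surrounding naming.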
......@@ -1372,8 +1372,8 @@ private:
ASSERT(value.isInt32());
unsigned constantRegister;
if (!codeBlock()->findConstant(value, constantRegister)) {
initializeLazyWriteBarrier(
codeBlock()->addConstantLazily(),
initializeLazyWriteBarrierForConstant(
codeBlock(),
m_graph.m_plan.writeBarriers,
codeBlock()->ownerExecutable(),
value);
......
......@@ -155,8 +155,8 @@ public:
{
unsigned constantRegister;
if (!m_codeBlock->findConstant(value, constantRegister)) {
initializeLazyWriteBarrier(
m_codeBlock->addConstantLazily(),
initializeLazyWriteBarrierForConstant(
m_codeBlock,
m_plan.writeBarriers,
m_codeBlock->ownerExecutable(),
value);
......
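Review bot: `initializeLazyWriteBarrierForConstant` returns void, so after this call `constantRegister` is still unset and the remainder of `constantRegisterForConstant`, which lies outside the hunk, presumably recomputes it from `numberOfConstantRegisters()`. The helper already knows the slot it wrote (`constantIndex` inside it), so returning it — `unsigned` instead of `void`, `return constantIndex;` — and writing `constantRegister = initializeLazyWriteBarrierForConstant(...)` here would tie the register to the slot actually written instead of to whatever the vector's size happens to be afterwards. The same pattern appears at the `truncateConstantToInt32` call site in DFGFixupPhase.cpp.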