Cherry-pick 3160120. rdar://120560604
    [JSC] DFG constant property load should check the validity at the main thread
    https://bugs.webkit.org/show_bug.cgi?id=267134
    rdar://120443399

    Reviewed by Mark Lam.

    Consider the following case,

        CheckStructure O, S1 | S3
        GetByOffset O, offset

    And S1 -> S2 -> S3 structure transition happens.
    By changing the object concurrently with the compiler, it is possible that we will constant fold the property with O + S2.
    While we insert watchpoints into S1 and S3, we cannot notice the change of the property in S2.
    If we change O to S3 before running code, CheckStructure passes and we can use a value loaded from O + S2.

    1. If S1 and S3 transitions are both already watched by DFG / FTL, then we do not need to care about the issue.
       CheckStructure ensures that O is S1 or S3. And both have watchpoints which fire when the transition happens.
       So, if we are transitioning from S1 to S2 while compiling, it already invalidates the code.
    2. If there is only one Structure (S1), then we can keep the current optimization by checking this condition at the main thread.
       CheckStructure ensures that O is S1. And this means that if the assumption is met at the main thread, then we can continue
       using this code safely. To check this condition, we added DesiredObjectProperties, which records JSObject*, offset, value, and structure.
       And at the end of compilation, in the main thread, we check that this assumption is still met.

    * Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj:
    * Source/JavaScriptCore/Sources.txt:
    * Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp: Added.
    (JSC::DFG::DesiredObjectProperties::addLazily):
    (JSC::DFG::DesiredObjectProperties::areStillValidOnMainThread):
    * Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.h: Added.
    * Source/JavaScriptCore/dfg/DFGGraph.cpp:
    (JSC::DFG::Graph::tryGetConstantProperty):
    * Source/JavaScriptCore/dfg/DFGPlan.cpp:
    (JSC::DFG::Plan::cancel):
    (JSC::DFG::Plan::isStillValidOnMainThread):
    * Source/JavaScriptCore/dfg/DFGPlan.h:

    Canonical link: https://commits.webkit.org/272448.7@safari-7618-branch

Canonical link: https://commits.webkit.org/267815.672@safari-7617.2.4.11-branch
drobson1005 committed Jan 5, 2024
1 parent 61d47f6 commit 7efdaf1
Showing 1 changed file with 1 addition and 0 deletions.
@@ -13061,6 +13061,7 @@
isa = PBXSourcesBuildPhase;
buildActionMask = 2147483647;
files = (
E34565A72B4753D800ED9B78 /* DFGDesiredObjectProperties.cpp in Sources */,
52CD0F682242F71C004A18A5 /* testdfg.cpp in Sources */,
);
runOnlyForDeploymentPostprocessing = 0;
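Review bot: the only change in this commit is the new `E34565A72B4753D800ED9B78 /* DFGDesiredObjectProperties.cpp in Sources */` entry in the PBXSourcesBuildPhase file list, so please confirm that the matching PBXBuildFile and PBXFileReference entries for that identifier, and the file `Source/JavaScriptCore/dfg/DFGDesiredObjectProperties.cpp` itself, are already present on this branch; the commit message lists DFGDesiredObjectProperties.cpp/.h, Sources.txt, DFGGraph.cpp and DFGPlan.cpp/.h as part of the fix, but this cherry-pick shows 1 changed file. If the rest of the original change (the DesiredObjectProperties check in Plan::isStillValidOnMainThread) did not come over with it, the Xcode build would reference a missing source and the main-thread validity check the message describes would not be in the branch, so the stale-constant-fold case across the S1 -> S2 -> S3 transition would remain unfixed here.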
