[webkit-changes] [WebKit/WebKit] 00352d: Cherry-pick b0a755e34426. https://bugs.webkit.org/...

Russell Epstein noreply at github.com
Fri Dec 1 11:03:57 PST 2023 

  Branch: refs/heads/webkitglib/2.42
  Home:   https://github.com/WebKit/WebKit
  Commit: 00352dd86bfa102b6e4b792120e3ef3498a27d1e
      https://github.com/WebKit/WebKit/commit/00352dd86bfa102b6e4b792120e3ef3498a27d1e
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-12-01 (Fri, 01 Dec 2023)

  Changed paths:
    M Source/JavaScriptCore/runtime/Structure.cpp

  Log Message:
  -----------
  Cherry-pick b0a755e34426. https://bugs.webkit.org/show_bug.cgi?id=265067

    Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure
    https://bugs.webkit.org/show_bug.cgi?id=265067
    rdar://118548733

    Reviewed by Justin Michaud and Mark Lam.

    Like Array shift/unshift, flattenDictionaryStructure is the other code which can shrink butterfly for named properties (no other code does it).
    Compiler threads rely on the fact that normally named property storage never shrunk. And we should catch this exceptional case by taking a cellLock
    in the compiler thread. But flattenDictionaryStructure is not taking cellLock correctly.

    This patch computes afterOutOfLineCapacity first to detect that whether this flattening will shrink the butterfly.
    And if it is, then we take a cellLock. We do not need to take it if we do not shrink the butterfly.

    * Source/JavaScriptCore/runtime/Structure.cpp:
    (JSC::Structure::flattenDictionaryStructure):

    Canonical link: https://commits.webkit.org/267815.577@safari-7617-branch

    Canonical link: https://commits.webkit.org/265870.632@safari-7616.2.9.10-branch


  Commit: 64c92ce9b94f1e6f8a132b41ea4dff3aa5c31ad1
      https://github.com/WebKit/WebKit/commit/64c92ce9b94f1e6f8a132b41ea4dff3aa5c31ad1
  Author: Russell Epstein <repstein at apple.com>
  Date:   2023-12-01 (Fri, 01 Dec 2023)

  Changed paths:
    M Source/JavaScriptCore/b3/B3LowerToAir.cpp
    M Source/JavaScriptCore/b3/air/AirValidate.cpp

  Log Message:
  -----------
  Cherry-pick 49ba637c4abb. <bug>

    Extr can overflow when imm=64, allowing a random register to be read
    rdar://118515062

    Reviewed by Yusuke Suzuki.

    Extr can overflow when imm=64, allowing a random register to be read.

    * Source/JavaScriptCore/b3/B3LowerToAir.cpp:
    * Source/JavaScriptCore/b3/air/AirValidate.cpp:

    Canonical link: https://commits.webkit.org/267815.574@safari-7617-branch

    Canonical link: https://commits.webkit.org/265870.630@safari-7616.2.9.10-branch


Compare: https://github.com/WebKit/WebKit/compare/44aeb48d175d...64c92ce9b94f

More information about the webkit-changes mailing list