[webkit-changes] [WebKit/WebKit] 00352d: Cherry-pick b0a755e34426. https://bugs.webkit.org/...
Russell Epstein
noreply at github.com
Fri Dec 1 11:03:57 PST 2023
Branch: refs/heads/webkitglib/2.42
Home: https://github.com/WebKit/WebKit
Commit: 00352dd86bfa102b6e4b792120e3ef3498a27d1e
https://github.com/WebKit/WebKit/commit/00352dd86bfa102b6e4b792120e3ef3498a27d1e
Author: Russell Epstein <repstein at apple.com>
Date: 2023-12-01 (Fri, 01 Dec 2023)
Changed paths:
M Source/JavaScriptCore/runtime/Structure.cpp
Log Message:
-----------
Cherry-pick b0a755e34426. https://bugs.webkit.org/show_bug.cgi?id=265067
Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure
https://bugs.webkit.org/show_bug.cgi?id=265067
rdar://118548733
Reviewed by Justin Michaud and Mark Lam.
Like Array shift/unshift, flattenDictionaryStructure is the other code which can shrink the butterfly for named properties (no other code does it).
Compiler threads rely on the fact that normally named property storage is never shrunk, and we should catch this exceptional case by taking a cellLock
in the compiler thread. But flattenDictionaryStructure is not taking the cellLock correctly.
This patch computes afterOutOfLineCapacity first to detect whether this flattening will shrink the butterfly.
If it does, then we take a cellLock. We do not need to take it if we do not shrink the butterfly.
* Source/JavaScriptCore/runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
Canonical link: https://commits.webkit.org/267815.577@safari-7617-branch
Canonical link: https://commits.webkit.org/265870.632@safari-7616.2.9.10-branch
Commit: 64c92ce9b94f1e6f8a132b41ea4dff3aa5c31ad1
https://github.com/WebKit/WebKit/commit/64c92ce9b94f1e6f8a132b41ea4dff3aa5c31ad1
Author: Russell Epstein <repstein at apple.com>
Date: 2023-12-01 (Fri, 01 Dec 2023)
Changed paths:
M Source/JavaScriptCore/b3/B3LowerToAir.cpp
M Source/JavaScriptCore/b3/air/AirValidate.cpp
Log Message:
-----------
Cherry-pick 49ba637c4abb. <bug>
Extr can overflow when imm=64, allowing a random register to be read
rdar://118515062
Reviewed by Yusuke Suzuki.
Extr can overflow when imm=64, allowing a random register to be read.
* Source/JavaScriptCore/b3/B3LowerToAir.cpp:
* Source/JavaScriptCore/b3/air/AirValidate.cpp:
Canonical link: https://commits.webkit.org/267815.574@safari-7617-branch
Canonical link: https://commits.webkit.org/265870.630@safari-7616.2.9.10-branch
Compare: https://github.com/WebKit/WebKit/compare/44aeb48d175d...64c92ce9b94f