[webkit-changes] [WebKit/WebKit] e10485: Race condition between JSObject::getDirectConcurre...
Yusuke Suzuki
noreply at github.com
Thu Dec 7 14:45:43 PST 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e1048521aef5bf2f660d0d1826450f0588d2eec2
https://github.com/WebKit/WebKit/commit/e1048521aef5bf2f660d0d1826450f0588d2eec2
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2023-12-07 (Thu, 07 Dec 2023)
Changed paths:
M Source/JavaScriptCore/runtime/Structure.cpp
Log Message:
-----------
Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure
https://bugs.webkit.org/show_bug.cgi?id=265067
rdar://118548733
Reviewed by Justin Michaud and Mark Lam.
Like Array shift/unshift, flattenDictionaryStructure is the other code that can shrink the butterfly for named properties (no other code does it).
Compiler threads rely on the fact that named property storage is normally never shrunk, and we should catch this exceptional case by taking a cellLock
in the compiler thread. But flattenDictionaryStructure is not taking the cellLock correctly.
This patch computes afterOutOfLineCapacity first to detect whether this flattening will shrink the butterfly.
If it does, then we take a cellLock. We do not need to take it if we do not shrink the butterfly.
* Source/JavaScriptCore/runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):
Originally-landed-as: 267815.577 at safari-7617-branch (b0a755e34426). rdar://119326607
Canonical link: https://commits.webkit.org/271696@main
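The locking discipline the commit message describes, as an added illustrative model (this is not JSC's code and not part of the original mailing-list post): a cell owns out-of-line property storage that a reader on another thread indexes after validating the offset under the cell lock, and the only operation that can shrink that storage first computes the post-flatten capacity and takes the same lock only when it will actually shrink. The hole sentinel, the minimum capacity of 4, the power-of-two sizing policy and all names (`Cell`, `outOfLineCapacityFor`, `runFlattenScenario`) are assumptions made for the example.

```cpp
#include <atomic>
#include <climits>
#include <cstddef>
#include <memory>
#include <mutex>
#include <optional>
#include <thread>

// Assumption: INT_MIN marks a deleted slot; 4 is the smallest non-zero capacity.
constexpr int kHole = INT_MIN;
constexpr size_t kInitialOutOfLineCapacity = 4;

// Assumed sizing policy: 0 for no properties, otherwise the smallest
// power-of-two multiple of kInitialOutOfLineCapacity that fits liveCount.
size_t outOfLineCapacityFor(size_t liveCount) {
    if (liveCount == 0) return 0;
    size_t capacity = kInitialOutOfLineCapacity;
    while (capacity < liveCount) capacity *= 2;
    return capacity;
}

class Cell {
public:
    explicit Cell(size_t capacity)
        : m_capacity(capacity), m_storage(new std::atomic<int>[capacity]) {
        for (size_t i = 0; i < capacity; ++i) m_storage[i].store(kHole, std::memory_order_relaxed);
    }

    // Mutator-side writes into existing slots; neither changes the capacity.
    void putDirect(size_t offset, int value) { m_storage[offset].store(value, std::memory_order_relaxed); }
    void deleteProperty(size_t offset) { m_storage[offset].store(kHole, std::memory_order_relaxed); }

    // Concurrent (compiler-thread) read: hold the cell lock, validate the offset
    // against the current capacity, then index. This is only safe because the
    // shrinking path below holds the same lock while installing a smaller buffer.
    std::optional<int> getDirectConcurrently(size_t offset) {
        std::lock_guard<std::mutex> locker(m_cellLock);
        if (offset >= m_capacity.load(std::memory_order_acquire)) return std::nullopt;
        int value = m_storage[offset].load(std::memory_order_relaxed);
        if (value == kHole) return std::nullopt;
        return value;
    }

    size_t outOfLineCapacity() const { return m_capacity.load(std::memory_order_acquire); }

    // Compact live values to the front. Compute the capacity needed afterwards
    // first; take the cell lock only if the storage is going to shrink.
    // Returns true when the lock was taken.
    bool flattenDictionaryStructure() {
        size_t before = m_capacity.load(std::memory_order_acquire);
        size_t live = 0;
        for (size_t i = 0; i < before; ++i)
            if (m_storage[i].load(std::memory_order_relaxed) != kHole) ++live;
        size_t after = outOfLineCapacityFor(live);

        if (after >= before) {
            // No shrink: compact in place without the lock. A concurrent reader may
            // see a stale or transiently empty slot, but can never index past the end.
            size_t out = 0;
            for (size_t i = 0; i < before; ++i) {
                int value = m_storage[i].load(std::memory_order_relaxed);
                if (value == kHole) continue;
                if (out != i) {
                    m_storage[out].store(value, std::memory_order_relaxed);
                    m_storage[i].store(kHole, std::memory_order_relaxed);
                }
                ++out;
            }
            return false;
        }

        // Shrink: exclude concurrent readers while the smaller buffer is installed,
        // otherwise a reader that validated its offset against `before` could
        // index into freed memory.
        std::lock_guard<std::mutex> locker(m_cellLock);
        std::unique_ptr<std::atomic<int>[]> smaller(new std::atomic<int>[after]);
        for (size_t i = 0; i < after; ++i) smaller[i].store(kHole, std::memory_order_relaxed);
        size_t out = 0;
        for (size_t i = 0; i < before; ++i) {
            int value = m_storage[i].load(std::memory_order_relaxed);
            if (value != kHole) smaller[out++].store(value, std::memory_order_relaxed);
        }
        m_storage = std::move(smaller);
        m_capacity.store(after, std::memory_order_release);
        return true;
    }

private:
    std::mutex m_cellLock;
    std::atomic<size_t> m_capacity;
    std::unique_ptr<std::atomic<int>[]> m_storage;
};

// Deterministic scenario: 8 slots, one deletion (no shrink), then five more (shrink).
struct FlattenScenario {
    bool firstLocked; size_t capacityAfterFirst;
    bool secondLocked; size_t capacityAfterSecond;
    std::optional<int> slot1; std::optional<int> slot7;
};

FlattenScenario runFlattenScenario() {
    Cell cell(8);
    for (size_t i = 0; i < 8; ++i) cell.putDirect(i, int(i) * 10);
    FlattenScenario r{};
    cell.deleteProperty(1);                       // 7 live -> still needs 8 slots
    r.firstLocked = cell.flattenDictionaryStructure();
    r.capacityAfterFirst = cell.outOfLineCapacity();
    for (size_t i = 2; i < 7; ++i) cell.deleteProperty(i);   // 2 live -> needs 4 slots
    r.secondLocked = cell.flattenDictionaryStructure();
    r.capacityAfterSecond = cell.outOfLineCapacity();
    r.slot1 = cell.getDirectConcurrently(1);      // compacted value from old slot 2
    r.slot7 = cell.getDirectConcurrently(7);      // now beyond capacity: rejected
    return r;
}

int main() {
    // Stand-alone run: a reader thread hammers every old offset while the
    // mutator deletes and flattens; the lock keeps every read inside the buffer.
    Cell cell(8);
    for (size_t i = 0; i < 8; ++i) cell.putDirect(i, int(i));
    std::atomic<bool> stop{false};
    std::thread reader([&] {
        while (!stop.load(std::memory_order_relaxed))
            for (size_t off = 0; off < 8; ++off) (void)cell.getDirectConcurrently(off);
    });
    for (size_t i = 1; i < 8; ++i) cell.deleteProperty(i);
    cell.flattenDictionaryStructure();
    stop.store(true, std::memory_order_relaxed);
    reader.join();
    return cell.outOfLineCapacity() == kInitialOutOfLineCapacity ? 0 : 1;
}
```

The reader validates the offset and indexes the buffer under the lock, so correctness depends entirely on the shrinking side holding that same lock; a flatten that replaced the buffer outside the lock would leave a reader holding an offset that was valid against the old capacity.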