[webkit-reviews] review granted: [Bug 201331] [JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable : [Attachment 377679] Patch

bugzilla-daemon at webkit.org
Fri Aug 30 01:47:13 PDT 2019


Mark Lam <mark.lam at apple.com> has granted Yusuke Suzuki <ysuzuki at apple.com>'s
request for review:
Bug 201331: [JSC] DFG ByteCodeParser should not copy JIT-related part of
SimpleJumpTable
https://bugs.webkit.org/show_bug.cgi?id=201331

Attachment 377679: Patch

https://bugs.webkit.org/attachment.cgi?id=377679&action=review

--- Comment #3 from Mark Lam <mark.lam at apple.com> ---
Comment on attachment 377679
  --> https://bugs.webkit.org/attachment.cgi?id=377679
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=377679&action=review

r=me

> Source/JavaScriptCore/ChangeLog:9
> +	   For example, ctiOffsets can be grown by Baseline JIT compiler. There is race condition as follows.

Interesting.  I've seen races between the mutator and the DFG before, but this
is the first time I've heard of a race between the baselineJIT and the DFG.

> Source/JavaScriptCore/bytecode/JumpTable.h:80
>	   // FIXME: The two Vectors can be combind into one Vector<OffsetLocation>

Not your typo but might as well fix: /combind/combined/

> Source/JavaScriptCore/bytecode/JumpTable.h:122
> +#if ENABLE(DFG_JIT)
>	   void clear()

This looks legit to me, but I hope you've tested it with a test build with
ENABLE_DFG_JIT set to false.
