[Webkit-unassigned] [Bug 138441] New: PutById inline caches should have a store barrier when it triggers a structure transition
bugzilla-daemon at webkit.org
Wed Nov 5 14:45:08 PST 2014
https://bugs.webkit.org/show_bug.cgi?id=138441
Bug ID: 138441
Summary: PutById inline caches should have a store barrier when it triggers a structure transition
Classification: Unclassified
Product: WebKit
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mark.lam at apple.com
After r174025, we no longer insert DFG store barriers when the payload of a PutById is not a cell. However, this can lead to a crash when we have PutById inline cache code transitioning the structure and re-allocating the butterfly of an old gen object. The lack of a store barrier in that inline cache results in the old gen object not being noticed during an eden GC scan. As a result, its newly allocated butterfly will not be kept alive. The result is a stale butterfly pointer, and a crash.
It is also possible that the new structure can be collected by the eden GC if (at GC time):
1. It is in the eden gen.
2. The inline cache that installed it has been evicted.
3. There are no live young objects referring to it.
The chances of this should be more rare than the butterfly re-allocation, but it is still possible. Hence, the fix is to always add a store barrier if the inline cache performs a structure transition.
<rdar://problem/18801123>
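To make the failure mode concrete, here is an added model of the generational-GC invariant the report relies on: an eden GC does not traverse old space, so an old-gen object that acquires a pointer to a freshly allocated butterfly must be recorded by a store barrier or the butterfly is swept. This is illustrative code, not JavaScriptCore; the Heap, ObjectModel and Butterfly types and the mark/sweep logic are simplified assumptions.

```cpp
#include <vector>
enum class Gen { Old, Eden };
struct Butterfly { bool marked = false; };
struct ObjectModel { Gen gen; Butterfly* butterfly = nullptr; bool remembered = false; };
struct Heap {
    std::vector<Butterfly*> edenButterflies;  // young allocations swept by an eden GC
    std::vector<ObjectModel*> rememberedSet;  // old objects known to point into eden
    ~Heap() { for (Butterfly* b : edenButterflies) delete b; }
    Butterfly* allocateInEden() {
        Butterfly* b = new Butterfly;
        edenButterflies.push_back(b);
        return b;
    }
    // Store barrier: old space is not traversed by an eden GC, so an old object that
    // acquires a pointer into eden must be remembered or its referent stays invisible.
    void storeBarrier(ObjectModel* o) {
        if (o->gen == Gen::Old && !o->remembered) {
            o->remembered = true;
            rememberedSet.push_back(o);
        }
    }
    // Models the inline-cache structure transition from the report: the object's
    // butterfly is reallocated in eden. withBarrier selects whether the cache emits one.
    void transitionReallocatingButterfly(ObjectModel* o, bool withBarrier) {
        o->butterfly = allocateInEden();
        if (withBarrier) storeBarrier(o);
    }
    // Eden GC: mark from young roots and the remembered set, sweep unmarked eden
    // butterflies. Returns whether root->butterfly is still a valid pointer afterwards.
    bool edenCollect(ObjectModel* root) {
        if (root->gen == Gen::Eden && root->butterfly) root->butterfly->marked = true;
        for (ObjectModel* o : rememberedSet) if (o->butterfly) o->butterfly->marked = true;
        bool rootButterflyAlive = false;
        std::vector<Butterfly*> survivors;
        for (Butterfly* b : edenButterflies) {
            if (b == root->butterfly) rootButterflyAlive = b->marked;
            if (b->marked) { b->marked = false; survivors.push_back(b); }
            else delete b;  // anything still pointing here now holds a stale pointer
        }
        edenButterflies = survivors;
        rememberedSet.clear();
        return rootButterflyAlive;
    }
};
// The report's scenario (constructed): an old-gen object whose butterfly is reallocated
// by an inline-cache transition, then an eden GC. True means the butterfly survived.
bool butterflySurvivesEdenGC(bool cacheEmitsStoreBarrier) {
    Heap heap;
    ObjectModel oldObject{Gen::Old};
    heap.transitionReallocatingButterfly(&oldObject, cacheEmitsStoreBarrier);
    return heap.edenCollect(&oldObject);
}
```

Without the barrier the old object is never scanned, its new butterfly is swept, and the object is left holding the stale pointer the report describes; with the barrier the remembered set keeps the butterfly alive.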