[Webkit-unassigned] [Bug 203867] New: JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut() should fire its watchpoint as the last step.

Tue Nov 5 15:05:14 PST 2019

https://bugs.webkit.org/show_bug.cgi?id=203867

            Bug ID: 203867
           Summary: JSGlobalObject::fireWatchpointAndMakeAllArrayStructure
                    sSlowPut() should fire its watchpoint as the last
                    step.
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

JSGlobalObject::fireWatchpointAndMakeAllArrayStructuresSlowPut() should make all the array structures SlowPut before firing the watchpoint.  Otherwise, the concurrent JIT may think it's grabbing the slow put version of the structure, but is actually grabbing the non-SlowPut version because it beat the mutator in a race to read the structure before the mutator makes it SlowPut.

<rdar://problem/56813514>

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191105/0d72e520/attachment-0001.htm>