[Webkit-unassigned] [Bug 203231] New: Clients of JSArray::tryCreateUninitializedRestricted() should invoke the mutatorFence().

Mon Oct 21 19:38:16 PDT 2019

https://bugs.webkit.org/show_bug.cgi?id=203231

            Bug ID: 203231
           Summary: Clients of JSArray::tryCreateUninitializedRestricted()
                    should invoke the mutatorFence().
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

Clients of JSArray::tryCreateUninitializedRestricted() creates a partially initialized JSArray, with the contract that it will take care of filling in all the missing indexed properties before unleashing the newly created array on the world.  We intentionally do not unconditionally write barrier newly created arrays and rely on an owner object (or GC root) that it gets put into to scan it.  That said, there's no guarantee that we won't reach a GC safe point while the newly created array is still on the stack before it gets put into an owner object (or GC root).  

We should ensure that all stores into the array are properly completed before that GC safe point.  Hence, we should invoke the mutatorFence() after the client of JSArray::tryCreateUninitializedRestricted() finishes initializing the array.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191022/a00ca2f3/attachment-0001.html>