Summary: | Clients of JSArray::tryCreateUninitializedRestricted() should invoke the mutatorFence(). | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | WebKit | Reporter: | Mark Lam <mark.lam> | ||||||
Component: | JavaScriptCore | Assignee: | Mark Lam <mark.lam> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | Normal | CC: | fpizlo, keith_miller, msaboff, rmorisset, saam, tzagallo, webkit-bug-importer, ysuzuki | ||||||
Priority: | P2 | Keywords: | InRadar | ||||||
Version: | WebKit Nightly Build | ||||||||
Hardware: | Unspecified | ||||||||
OS: | Unspecified | ||||||||
Attachments: |
|
Description
Mark Lam
2019-10-21 19:38:16 PDT
Created attachment 381501 [details]
work in progress for EWS testing.
Created attachment 381513 [details]
proposed patch.
Comment on attachment 381513 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=381513&action=review > Source/JavaScriptCore/ChangeLog:18 > + That said, there's no guarantee that we won't reach a GC safe point with the > + newly created array is on the stack before it gets put into an owner object > + (or GC root). how does a safe point not do the required fencing? I think this is necessary because when we store the array into another object. But I don't think it's necessary for this reason. (In reply to Saam Barati from comment #4) > I think this is necessary because when we store the array into another > object. But I don't think it's necessary for this reason. Thanks for the review. I've fixed the comment. Landed in r251456: <http://trac.webkit.org/r251456>. |