Bug 230378

Summary: PutByVal and PutPrivateName ICs should emit a write barrier if a butterfly might be allocated
Product: WebKit
Reporter: Justin Michaud <justin_michaud>
Component: JavaScriptCore
Assignee: Justin Michaud <justin_michaud>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, ews-feeder, ews-watchlist, keith_miller, mark.lam, msaboff, product-security, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 230377
Attachments:
  Patch (attachment 438408, comment 1) - flags: none
  Patch (attachment 438413, comment 4) - flags: none

Description Justin Michaud 2021-09-16 15:39:26 PDT
rdar://82919366 (jsc_fuz: ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)))

Right now, PutByVal and PutPrivateName check the value type to determine if a write barrier is needed. For example, putting a primitive is considered to not require a write barrier.

This makes sense, except for the case when we might allocate or re-allocate a butterfly in the IC. This does not emit a write barrier, and so the GC might miss the new butterfly. That is somewhat undesirable. 

This is a temporary conservative fix. If we don't write to the butterfly pointer, then we still don't need a write barrier; this work is captured by https://bugs.webkit.org/show_bug.cgi?id=230377
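The following is an added illustration, not JSC code and not part of this bug's patch. It models a generational heap in a few dozen lines (the names Cell, Butterfly, JSObject, Heap and the BarrierPolicy enum are this example's own, chosen for readability) and shows the failure the description talks about: an old base object gets a freshly allocated young butterfly during a put of a primitive, no barrier is emitted because the stored value is not a cell, and the next minor collection frees the butterfly out from under the base. The conservative policy from this bug (barrier whenever a butterfly was allocated, regardless of value type) keeps it alive.

```cpp
// Added example (not JSC code): toy generational GC showing why a put that
// (re)allocates out-of-line storage needs a write barrier on the base object
// even when the value being stored is a primitive.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <memory>
#include <set>
#include <utility>
#include <vector>

struct Cell {
    bool old = false;    // promoted by a full GC; minor GCs do not rescan it
    bool marked = false;
    bool freed = false;  // swept; any pointer to it is now dangling
    virtual ~Cell() = default;
    virtual void visitChildren(std::vector<Cell*>& out) = 0;
};

struct Value {          // JSValue stand-in: either a cell pointer or an int
    bool isCell = false;
    Cell* cell = nullptr;
    int prim = 0;
};

struct Butterfly : Cell {
    std::vector<Value> slots;
    explicit Butterfly(size_t n) : slots(n) {}
    void visitChildren(std::vector<Cell*>& out) override {
        for (auto& v : slots) if (v.isCell) out.push_back(v.cell);
    }
};

struct JSObject : Cell {
    Butterfly* butterfly = nullptr;  // out-of-line storage, may be null
    void visitChildren(std::vector<Cell*>& out) override {
        if (butterfly) out.push_back(butterfly);
    }
};

struct Heap {
    std::vector<std::unique_ptr<Cell>> cells;
    std::set<Cell*> remembered;   // old cells whose fields changed since last GC
    std::vector<Cell*> roots;

    template <class T, class... A> T* alloc(A&&... a) {
        cells.push_back(std::make_unique<T>(std::forward<A>(a)...));
        return static_cast<T*>(cells.back().get());   // new cells are young
    }
    // The write barrier: record an old owner so the minor GC rescans its fields.
    void writeBarrier(Cell* owner) { if (owner->old) remembered.insert(owner); }

    void markFrom(Cell* start, bool minor) {
        std::vector<Cell*> stack{start};
        while (!stack.empty()) {
            Cell* cur = stack.back(); stack.pop_back();
            if (cur->marked || cur->freed || (minor && cur->old)) continue;
            cur->marked = true;
            cur->visitChildren(stack);
        }
    }
    void fullGC() {
        for (auto& c : cells) c->marked = false;
        for (Cell* r : roots) markFrom(r, false);
        for (auto& c : cells) { if (c->marked) c->old = true; else if (!c->freed) c->freed = true; }
        remembered.clear();
    }
    void minorGC() {   // only young cells are traced; old ones only via the remembered set
        for (auto& c : cells) c->marked = false;
        for (Cell* r : roots) if (!r->old) markFrom(r, true);
        for (Cell* r : remembered) { std::vector<Cell*> kids; r->visitChildren(kids); for (Cell* k : kids) markFrom(k, true); }
        for (auto& c : cells) if (!c->old && !c->marked && !c->freed) c->freed = true;
        remembered.clear();
    }
};

enum class BarrierPolicy { ValueTypeOnly, ValueOrButterflyAllocated };

// Grow or allocate the butterfly if needed, store, then decide on the barrier.
void putByVal(Heap& heap, JSObject* base, size_t index, Value value, BarrierPolicy policy) {
    bool allocatedButterfly = false;
    if (!base->butterfly || index >= base->butterfly->slots.size()) {
        Butterfly* fresh = heap.alloc<Butterfly>(index + 1);
        if (base->butterfly) std::copy(base->butterfly->slots.begin(), base->butterfly->slots.end(), fresh->slots.begin());
        base->butterfly = fresh;   // pointer write into a possibly old base: this is what needs the barrier
        allocatedButterfly = true;
    }
    base->butterfly->slots[index] = value;
    bool needsBarrier = value.isCell;   // the pre-fix rule looks at the value alone
    if (policy == BarrierPolicy::ValueOrButterflyAllocated) needsBarrier = needsBarrier || allocatedButterfly;
    if (needsBarrier) heap.writeBarrier(base);
}

// true if the base's butterfly (and any cell stored in it) is still alive after a
// minor GC that runs right after the put; false means base->butterfly dangles.
bool butterflySurvivesMinorGC(BarrierPolicy policy, bool storeCell) {
    Heap heap;
    JSObject* base = heap.alloc<JSObject>();
    heap.roots.push_back(base);
    heap.fullGC();                  // base is promoted to old; nothing remembered
    Value v;
    if (storeCell) { v.isCell = true; v.cell = heap.alloc<JSObject>(); } else v.prim = 42;
    putByVal(heap, base, 0, v, policy);   // allocates a young butterfly for base
    heap.minorGC();
    Butterfly* b = base->butterfly;
    bool alive = b && !b->freed;
    if (alive && storeCell) alive = !b->slots[0].cell->freed;
    return alive;
}

int main() {
    std::printf("primitive, value-type barrier only: %s\n", butterflySurvivesMinorGC(BarrierPolicy::ValueTypeOnly, false) ? "alive" : "DANGLING");
    std::printf("primitive, barrier on allocation:   %s\n", butterflySurvivesMinorGC(BarrierPolicy::ValueOrButterflyAllocated, false) ? "alive" : "DANGLING");
    return 0;
}
```

Storing a cell hides the problem under both policies, because the value-type rule already emits the barrier and the butterfly is reached through the remembered base; only the primitive-value case separates the two, which is why a fuzzer rather than ordinary tests found it.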
Comment 1 Justin Michaud 2021-09-16 15:44:57 PDT
Created attachment 438408 [details]
Patch
Comment 2 Yusuke Suzuki 2021-09-16 15:53:24 PDT
Comment on attachment 438408 [details]
Patch

r=me
Comment 3 Mark Lam 2021-09-16 16:02:32 PDT
Comment on attachment 438408 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=438408&action=review

> Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp:241
> +                        considerBarrier(child1); // FIXME: there are some cases where we can avoid a store barrier by considering the value
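Review bot: the FIXME on this line names only the value as the thing to consider, but the description says the barrier can be dropped only when the IC also does not write the butterfly pointer, and the comment gives no pointer to where that work is tracked. Suggest spelling out both conditions and the follow-up bug, e.g. `considerBarrier(child1); // FIXME: the barrier is avoidable only when the value is not a cell AND no butterfly is (re)allocated; see https://bugs.webkit.org/show_bug.cgi?id=230377`, so the next reader does not reintroduce the value-only check this patch removes.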

Can you put the bug https://bugs.webkit.org/show_bug.cgi?id=230377 in the FIXME comment as well.  Same below.
Comment 4 Justin Michaud 2021-09-16 16:11:32 PDT
Created attachment 438413 [details]
Patch
Comment 5 EWS 2021-09-17 08:57:01 PDT
Committed r282663 (241804@main): <https://commits.webkit.org/241804@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 438413 [details].