Bug 230378

Summary: PutByVal and PutPrivateName ICs should emit a write barrier if a butterfly might be allocated
Product: WebKit Reporter: Justin Michaud <justin_michaud>
Component: JavaScriptCoreAssignee: Justin Michaud <justin_michaud>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, ews-feeder, ews-watchlist, keith_miller, mark.lam, msaboff, product-security, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 230377    
Attachments:
Description Flags
Patch
none
Patch none

Justin Michaud
Reported 2021-09-16 15:39:26 PDT
rdar://82919366 (jsc_fuz: ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset))) Right now, PutByVal and PutPrivateName check the value type to determine if a write barrier is needed. For example, putting a primitive is considered to not require a write barrier. This makes sense, except for the case when we might allocate or re-allocate a butterfly in the IC. This does not emit a write barrier, and so the GC might miss the new butterfly. That is somewhat undesirable. This is a temporary conservative fix. If we don't write to the butterfly pointer, then we still don't need a write barrier; this work is captured by https://bugs.webkit.org/show_bug.cgi?id=230377
Attachments
Patch (4.92 KB, patch)
2021-09-16 15:44 PDT, Justin Michaud 		no flags
DetailsFormatted DiffDiff
Patch (4.96 KB, patch)
2021-09-16 16:11 PDT, Justin Michaud 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Justin Michaud
Comment 1 2021-09-16 15:44:57 PDT
Created attachment 438408 [details] Patch
Yusuke Suzuki
Comment 2 2021-09-16 15:53:24 PDT
Comment on attachment 438408 [details] Patch r=me
Mark Lam
Comment 3 2021-09-16 16:02:32 PDT
Comment on attachment 438408 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=438408&action=review > Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp:241 > + considerBarrier(child1); // FIXME: there are some cases where we can avoid a store barrier by considering the value Can you put the bug https://bugs.webkit.org/show_bug.cgi?id=230377 in the FIXME comment as well. Same below.
Justin Michaud
Comment 4 2021-09-16 16:11:32 PDT
Created attachment 438413 [details] Patch
EWS
Comment 5 2021-09-17 08:57:01 PDT
Committed r282663 (241804@main): <https://commits.webkit.org/241804@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 438413 [details].
Note You need to log in before you can comment on or make changes to this bug.