115300 – fourthTier: DFG tries to ref/deref StringImpls in a ton of places

Bug 115300 - fourthTier: DFG tries to ref/deref StringImpls in a ton of places

Summary: fourthTier: DFG tries to ref/deref StringImpls in a ton of places

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P2 Normal
Assignee:	Filip Pizlo

URL:
Keywords:

Depends on:	115393 115468 115525
Blocks:	112839
	Show dependency tree / graph

Reported:	2013-04-27 00:00 PDT by Filip Pizlo
Modified:	2013-05-02 19:57 PDT (History)
CC List:	7 users (show)

See Also:

Attachments
work in progress (72.50 KB, patch) 2013-04-29 13:24 PDT, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
starting to run things (106.62 KB, patch) 2013-04-29 22:16 PDT, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
the patch (174.79 KB, patch) 2013-04-30 14:52 PDT, Filip Pizlo	ggaren: review+	Details \| Formatted Diff \| Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Filip Pizlo 2013-04-27 00:00:21 PDT

I will have to think about this.  I suspect that most uses of StringImpls in the DFG are totally safe.  But the ones that involve debug dumps probably aren't.

Comment 1 Filip Pizlo 2013-04-29 13:24:37 PDT

Created attachment 200041 [details]
work in progress

Comment 2 Filip Pizlo 2013-04-29 22:16:37 PDT

Created attachment 200081 [details]
starting to run things

Still more work to do.

Comment 3 Filip Pizlo 2013-04-30 14:52:59 PDT

Created attachment 200151 [details]
the patch

Comment 4 Geoffrey Garen 2013-04-30 15:03:24 PDT

Comment on attachment 200151 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=200151&action=review

r=me

> Source/JavaScriptCore/runtime/Identifier.h:251
> +    typedef HashMap<StringImpl*, int, IdentifierRepHash, HashTraits<StringImpl*>, IdentifierMapIndexHashTraits> ConcurrentIdentifierMap;

Maybe BorrowedIdentifierMap instead? I don't love "Concurrent" in the name because it might imply safety.

Comment 5 Filip Pizlo 2013-04-30 23:58:59 PDT

Looks like I need to fix Structure::addPropertyTransitionToExistingStructure().  I'll do that shortly, and commit this after that is fixed.

Comment 6 Filip Pizlo 2013-05-02 19:57:12 PDT

Landed in http://trac.webkit.org/changeset/149516