WebKit Bugzilla
RESOLVED FIXED
Bug 116633
fourthTier: Race between LLInt->Baseline tier-up and DFG reading Baseline profiling data
https://bugs.webkit.org/show_bug.cgi?id=116633
Reported by Filip Pizlo, 2013-05-22 13:22:25 PDT
If a code block has baseline profiling data because it was tiered up from LLInt to Baseline, then the DFG will try to read that additional data. The updates to that data (like incrementing slow-path counters) are racy and that's fine. But the bug is that the *creation* of those data structures that the Baseline JIT uses and the DFG reads is also racy and this is leading to hilarious crashes.
Attachments
the patch (9.50 KB, patch), 2013-05-22 14:20 PDT, Filip Pizlo, mhahnenberg: review+
Filip Pizlo, Comment 1, 2013-05-22 14:20:34 PDT
Created attachment 202623: the patch
Mark Hahnenberg, Comment 2, 2013-05-22 14:25:18 PDT
Comment on attachment 202623 (the patch):
r=me
Filip Pizlo, Comment 3, 2013-05-22 21:18:53 PDT
Landed in http://trac.webkit.org/changeset/150563
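The report separates racy counter updates (tolerated) from racy creation of the profiling structure (the bug). The sketch below is an added example, not WebKit code and not the attached patch; it shows one way to keep that distinction, with lazily created data published through a release store so a concurrent reader sees either nothing or a fully built object. All type and function names are hypothetical.

```cpp
#include <atomic>
#include <cstdint>
#include <memory>
#include <thread>
#include <vector>

// Hypothetical stand-in for the profiling data the Baseline JIT creates.
struct BaselineProfile {
    explicit BaselineProfile(std::size_t sites) : slowPathCounts(sites) {}
    std::vector<std::atomic<std::uint32_t>> slowPathCounts;  // zero-initialized
};
struct CodeBlock {
    std::atomic<BaselineProfile*> profile{nullptr};
    ~CodeBlock() { delete profile.load(); }
    // Main thread, at tier-up: construct completely, then publish the pointer.
    void tierUpToBaseline(std::size_t sites) {
        if (profile.load(std::memory_order_relaxed)) return;  // already created
        auto fresh = std::make_unique<BaselineProfile>(sites);
        profile.store(fresh.release(), std::memory_order_release);
    }
    // Main thread: counter updates may race with readers; stale values are fine.
    void recordSlowPath(std::size_t site) {
        if (auto* p = profile.load(std::memory_order_relaxed))
            p->slowPathCounts[site].fetch_add(1, std::memory_order_relaxed);
    }
    // Compiler thread: -1 means "no Baseline profile yet", never a half-built one.
    std::int64_t readSlowPathCount(std::size_t site) const {
        auto* p = profile.load(std::memory_order_acquire);
        if (!p || site >= p->slowPathCounts.size()) return -1;
        return p->slowPathCounts[site].load(std::memory_order_relaxed);
    }
};

// Constructed scenario: a reader polls while the main thread tiers up and counts.
bool concurrentReadStaysInRange(std::uint32_t bumps) {
    CodeBlock block;
    std::atomic<bool> done{false}, ok{true};
    std::thread compiler([&] {
        while (!done.load(std::memory_order_acquire)) {
            std::int64_t v = block.readSlowPathCount(0);
            if (v < -1 || v > bumps) ok = false;
        }
    });
    block.tierUpToBaseline(4);
    for (std::uint32_t i = 0; i < bumps; ++i) block.recordSlowPath(0);
    done.store(true, std::memory_order_release);
    compiler.join();
    return ok && block.readSlowPathCount(0) == bumps;
}
```

Building with ThreadSanitizer (`-fsanitize=thread`) is a practical way to confirm that the creation path is no longer reported as a data race.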