RESOLVED FIXED 167208
The mutator needs to fire a barrier after memmoving stuff around in an object that the GC scans 
https://bugs.webkit.org/show_bug.cgi?id=167208
Summary The mutator needs to fire a barrier after memmoving stuff around in an object...
Filip Pizlo
Reported 2017-01-19 12:06:34 PST
We didn't used to need these kinds of barriers, but now we do! It used to be that if you moved a value from one place to another in the same object then there is no need for a barrier because the generational GC would have no need to know that the referent still continues to refer to the same referee. But the concurrent GC might scan that object as the mutator moves pointers around in it. If the ordering is right, this could mean that the collector never sees some of those pointers. This can be fixed by adding a barrier. This bug covers the most obvious cases I found. There may be more and I'll continue to audit.
Attachments
the patch (2.97 KB, patch)
2017-01-19 12:09 PST, Filip Pizlo 		saam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2017-01-19 12:09:24 PST
Created attachment 299257 [details] the patch
Radar WebKit Bug Importer
Comment 2 2017-01-19 12:10:21 PST
<rdar://problem/30101860>
Saam Barati
Comment 3 2017-01-19 12:39:11 PST
Comment on attachment 299257 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=299257&action=review > Source/JavaScriptCore/runtime/JSArray.cpp:1027 > + vm.heap.writeBarrier(this); Maybe just do this if we're Contiguous? > Source/JavaScriptCore/runtime/JSArray.cpp:1179 > + vm.heap.writeBarrier(this); Maybe just do this if we're Contiguous?
Filip Pizlo
Comment 4 2017-01-19 12:40:27 PST
(In reply to comment #3) > Comment on attachment 299257 [details] > the patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=299257&action=review > > > Source/JavaScriptCore/runtime/JSArray.cpp:1027 > > + vm.heap.writeBarrier(this); > > Maybe just do this if we're Contiguous? > > > Source/JavaScriptCore/runtime/JSArray.cpp:1179 > > + vm.heap.writeBarrier(this); > > Maybe just do this if we're Contiguous? That would be a branch, and the barrier's amortized cost is about the cost of a branch.
Filip Pizlo
Comment 5 2017-01-19 12:55:16 PST
Landed in https://trac.webkit.org/changeset/210935
Note You need to log in before you can comment on or make changes to this bug.