<rdar://problem/53977605>

Created attachment 377679 [details]
Patch

Comment on attachment 377679 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=377679&action=review

r=me

> Source/JavaScriptCore/ChangeLog:9
> +        For example, ctiOffsets can be grown by Baseline JIT compiler. There is race condition as follows.

Interesting.  I've seen races between the mutator and the DFG before, but this is the first time I've heard of a race between the baselineJIT and the DFG.

> Source/JavaScriptCore/bytecode/JumpTable.h:80
>          // FIXME: The two Vectors can be combind into one Vector<OffsetLocation>

Not your typo but might as well fix: /combind/combined/

> Source/JavaScriptCore/bytecode/JumpTable.h:122
> +#if ENABLE(DFG_JIT)
>          void clear()

This looks legit to me, but I hope you've tested it with a test build with ENABLE_DFG_JIT set to false.

Comment on attachment 377679 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=377679&action=review

>> Source/JavaScriptCore/bytecode/JumpTable.h:80
>>          // FIXME: The two Vectors can be combind into one Vector<OffsetLocation>
> 
> Not your typo but might as well fix: /combind/combined/

Fixed.

>> Source/JavaScriptCore/bytecode/JumpTable.h:122
>>          void clear()
> 
> This looks legit to me, but I hope you've tested it with a test build with ENABLE_DFG_JIT set to false.

I checked this function is only called from DFGJITCompiler.cpp's finalizing timing, and make it `ENABLE(DFG_JIT)`.

Committed r249319: <https://trac.webkit.org/changeset/249319>