RESOLVED FIXED 201664
[JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData
https://bugs.webkit.org/show_bug.cgi?id=201664
Summary: [JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData
Yusuke Suzuki
Reported 2019-09-10 16:01:41 PDT
[JSC] CodeBlock::calleeSaveRegisters should not see half-baked JITData
Attachments
Patch (3.30 KB, patch)
2019-09-10 16:07 PDT, Yusuke Suzuki
tzagallo: review+
Yusuke Suzuki
Comment 1 2019-09-10 16:07:34 PDT
Yusuke Suzuki
Comment 2 2019-09-10 16:07:36 PDT
Yusuke Suzuki
Comment 3 2019-09-10 16:09:18 PDT
Comment on attachment 378505 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=378505&action=review

> Source/JavaScriptCore/ChangeLog:25
> +        (JSC::CodeBlock::ensureJITDataSlow): This crash has existed for a long time, since previously we were seeing a half-baked CodeBlock::m_calleeSaveRegisters instead of JITData.
Yusuke Suzuki
Comment 4 2019-09-10 16:18:19 PDT
Saam Barati
Comment 5 2019-09-10 20:58:50 PDT
Comment on attachment 378505 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=378505&action=review

> Source/JavaScriptCore/bytecode/CodeBlock.cpp:1349
> +    // But we should not see a garbage pointer in that case. We ensure JITData::m_calleeSaveRegisters is initialized as nullptr before exposing it to BaselineJIT by a store-store fence.

Do the compiler threads check for nullptr?

We're seeing this crash on ARM only?
Yusuke Suzuki
Comment 6 2019-09-10 21:24:47 PDT
(In reply to Saam Barati from comment #5)
> Comment on attachment 378505 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=378505&action=review
>
> > Source/JavaScriptCore/bytecode/CodeBlock.cpp:1349
> > +    // But we should not see a garbage pointer in that case. We ensure JITData::m_calleeSaveRegisters is initialized as nullptr before exposing it to BaselineJIT by a store-store fence.
>
> Do the compiler threads check for nullptr?

Yes, the compiler thread checks for nullptr.

> We're seeing this crash on ARM only?

Yes, this crash happens only on ARM devices, because x86 offers TSO. Theoretically, we could see an x86 crash if clang emitted the code storing the JITData pointer into CodeBlock before nulling that field.
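The publication pattern discussed in comments 5 and 6, as an added example that is not WebKit's code: the names JITData, CodeBlock, ensureJITDataSlow and calleeSaveRegisters mirror the bug report, but the implementation below is hypothetical and uses standard C++ atomics and a release fence in place of WTF's storeStoreFence(). The point it makes concrete is the one from the patch comment: the field initialisation is a plain store, so on a weakly ordered machine the pointer to the new JITData must not become visible before that store does, and the reader must check for nullptr rather than trust whatever it finds.

```cpp
// Added example, not JavaScriptCore code. Models the mutator publishing a
// lazily allocated JITData while a compiler thread reads through it.
#include <atomic>
#include <cstdio>
#include <thread>
#include <vector>

// Stand-in for JSC's RegisterAtOffsetList: just a list of stack offsets.
struct RegisterAtOffsetList {
    std::vector<int> offsets;
};

struct JITData {
    // Brace-initialisation of an atomic is an ordinary store, not an atomic
    // operation, so by itself it carries no ordering against the later
    // publication of the JITData pointer. That is why the fence below exists.
    std::atomic<RegisterAtOffsetList*> calleeSaveRegisters { nullptr };
};

class CodeBlock {
public:
    ~CodeBlock() { delete m_jitData.load(std::memory_order_relaxed); }

    // Slow path: allocate JITData and publish it. The release fence plays the
    // role of the store-store fence in the patch: every store into *fresh
    // (including calleeSaveRegisters = nullptr) is ordered before the store
    // of the pointer into m_jitData, on x86 and on ARM alike.
    JITData& ensureJITDataSlow()
    {
        JITData* expected = m_jitData.load(std::memory_order_acquire);
        if (expected)
            return *expected;
        JITData* fresh = new JITData;   // calleeSaveRegisters is nullptr here
        std::atomic_thread_fence(std::memory_order_release);
        if (!m_jitData.compare_exchange_strong(expected, fresh,
                                               std::memory_order_relaxed,
                                               std::memory_order_acquire)) {
            delete fresh;               // lost the race; use the winner's data
            return *expected;
        }
        return *fresh;
    }

    // Mutator side: install the real list once it is known.
    void setCalleeSaveRegisters(RegisterAtOffsetList* list)
    {
        ensureJITDataSlow().calleeSaveRegisters.store(list, std::memory_order_release);
    }

    // Compiler-thread side: observe the pointer with acquire semantics, then
    // read the field. nullptr is a legitimate answer ("not yet set"); what
    // must never happen is reading an indeterminate pointer.
    const RegisterAtOffsetList* calleeSaveRegisters() const
    {
        JITData* jitData = m_jitData.load(std::memory_order_acquire);
        if (!jitData)
            return nullptr;
        return jitData->calleeSaveRegisters.load(std::memory_order_acquire);
    }

private:
    std::atomic<JITData*> m_jitData { nullptr };
};

// Constructed stress check: a reader thread polls calleeSaveRegisters() while
// the mutator publishes JITData and then the list. Returns false if the reader
// ever sees a pointer that is neither nullptr nor the published list, i.e. a
// half-baked JITData. With the ordering above this never happens.
bool publicationIsSafe(int iterations)
{
    for (int i = 0; i < iterations; ++i) {
        CodeBlock codeBlock;
        RegisterAtOffsetList list { { 8, 16, 24 } };
        std::atomic<bool> stop { false };
        std::atomic<bool> sawGarbage { false };

        std::thread reader([&] {
            while (!stop.load(std::memory_order_acquire)) {
                const RegisterAtOffsetList* seen = codeBlock.calleeSaveRegisters();
                if (seen && seen != &list)
                    sawGarbage.store(true, std::memory_order_relaxed);
            }
        });

        codeBlock.ensureJITDataSlow();
        codeBlock.setCalleeSaveRegisters(&list);
        stop.store(true, std::memory_order_release);
        reader.join();
        if (sawGarbage.load(std::memory_order_relaxed))
            return false;
    }
    return true;
}

int main()
{
    std::printf("publication safe: %s\n", publicationIsSafe(200) ? "yes" : "no");
    return 0;
}
```

The ordering of the reader matters as much as the writer's fence: on ARM the address dependency from the JITData pointer to its field would order the two loads even with relaxed loads, but the acquire load is the portable way to say so, and the nullptr check is what turns "field not yet set" into a safe fallback instead of a dereference of garbage.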