[JSC] RecordedStatuses's assignment should be guarded by CodeBlock's lock
https://bugs.webkit.org/show_bug.cgi?id=209935
<rdar://problem/59443383>

Reviewed by Mark Lam.

Previously, RecordedStatuses were not touched by GC. But now, GC visits RecordedStatuses.
This means that modifying RecordedStatuses should be guarded by CodeBlock's lock if
it is reachable from CodeBlock.
In DFG::Plan::reallyAdd, we already installed DFG::JITCode into the CodeBlock so that
RecordedStatuses is reachable from CodeBlock. We should lock CodeBlock's lock while
performing `WTFMove(RecordedStatuses)`.

We do not need to emit a write-barrier here because (1) DFG::Plan::reallyAdd is executed
while GC is deferred and (2) we emit a write-barrier to CodeBlock before the deferred GC is executed.

* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::reallyAdd):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@259424 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index cfcd30e..6bd8ab4c 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,24 @@
+2020-04-02  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] RecordedStatuses's assignment should be guarded by CodeBlock's lock
+        https://bugs.webkit.org/show_bug.cgi?id=209935
+        <rdar://problem/59443383>
+
+        Reviewed by Mark Lam.
+
+        Previously RecordedStatuses are not touched by GC. But now, GC visits RecordedStatuses.
+        This means that modifying RecordedStatuses should be guarded by CodeBlock's lock if
+        it is reachable from CodeBlock.
+        In DFG::Plan::reallyAdd, we already installed DFG::JITCode into the CodeBlock so that
+        RecordedStatuses is reachable from CodeBlock. We should lock CodeBlock's lock while
+        performing `WTFMove(RecordedStatuses)`.
+
+        We do not need to emit write-barrier here because (1) DFG::Plan::reallyAdd is executed
+        while GC is deferred and (2) we emit write-barrier to CodeBlock before deferred GC is executed.
+
+        * dfg/DFGPlan.cpp:
+        (JSC::DFG::Plan::reallyAdd):
+
 2020-04-02  Mark Lam  <mark.lam@apple.com>
 
         HeapSnapshotBuilder::analyzeNode() should filter out duplicate cells.
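Review bot: the new ChangeLog entry justifies skipping the write-barrier by stating that "we emit write-barrier to CodeBlock before deferred GC is executed", but it does not say where that barrier is emitted; naming the function responsible would let a reader verify the no-barrier argument from the entry alone instead of having to trace the deferral path through the rest of DFGPlan.cpp.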
diff --git a/Source/JavaScriptCore/dfg/DFGPlan.cpp b/Source/JavaScriptCore/dfg/DFGPlan.cpp
index e078f18..966d57a 100644
--- a/Source/JavaScriptCore/dfg/DFGPlan.cpp
+++ b/Source/JavaScriptCore/dfg/DFGPlan.cpp
@@ -569,12 +569,16 @@
 
 void Plan::reallyAdd(CommonData* commonData)
 {
+    ASSERT(m_vm->heap.isDeferred());
     m_watchpoints.reallyAdd(m_codeBlock, *commonData);
     m_identifiers.reallyAdd(*m_vm, commonData);
     m_weakReferences.reallyAdd(*m_vm, commonData);
     m_transitions.reallyAdd(*m_vm, commonData);
     m_globalProperties.reallyAdd(m_codeBlock, m_identifiers, *commonData);
-    commonData->recordedStatuses = WTFMove(m_recordedStatuses);
+    {
+        ConcurrentJSLocker locker(m_codeBlock->m_lock);
+        commonData->recordedStatuses = WTFMove(m_recordedStatuses);
+    }
 }
 
 void Plan::notifyCompiling()
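Review bot: the new ASSERT(m_vm->heap.isDeferred()) at the top of Plan::reallyAdd compiles away in release builds, yet the whole argument for not emitting a write-barrier around `commonData->recordedStatuses = WTFMove(m_recordedStatuses);` rests on that deferral; consider RELEASE_ASSERT here, or at minimum a comment on the new `ConcurrentJSLocker locker(m_codeBlock->m_lock);` block stating that the lock is required because GC now visits RecordedStatuses through the already-installed JITCode, so a later refactor does not drop the lock or move the assignment outside the deferred region. The earlier reallyAdd calls (m_watchpoints, m_identifiers, m_weakReferences, m_transitions, m_globalProperties) remain outside the lock, which matches the ChangeLog's claim that only RecordedStatuses is newly visited by GC, but the comment should make that scoping deliberate.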