Bug 116633

Summary:

fourthTier: Race between LLInt->Baseline tier-up and DFG reading Baseline profiling data

Product:

WebKit

Reporter:

Filip Pizlo <fpizlo>

Component:

JavaScriptCore

Assignee:

Filip Pizlo <fpizlo>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

barraclough, benjamin, ggaren, mark.lam, mhahnenberg, msaboff, oliver, sam

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Bug Depends on:

Bug Blocks:

112836

Attachments:

Description	Flags
the patch	mhahnenberg: review+

Filip Pizlo

Reported 2013-05-22 13:22:25 PDT

If a code block has baseline profiling data because it was tiered up from LLInt to Baseline, then the DFG will try to read that additional data. The updates to that data (like incrementing slow-path counters) are racy and that's fine. But the bug is that the *creation* of those data structures that the Baseline JIT uses and the DFG reads is also racy and this is leading to hilarious crashes.

Attachments
the patch (9.50 KB, patch) 2013-05-22 14:20 PDT, Filip Pizlo	mhahnenberg: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2013-05-22 14:20:34 PDT

Created attachment 202623 [details] the patch

Mark Hahnenberg

Comment 2 2013-05-22 14:25:18 PDT

Comment on attachment 202623 [details] the patch r=me

Filip Pizlo

Comment 3 2013-05-22 21:18:53 PDT

Landed in http://trac.webkit.org/changeset/150563

Note You need to log in before you can comment on or make changes to this bug.