We need to have a getDirectConcurrently for use in the compilers
author keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 23 Jun 2018 10:47:58 +0000 (10:47 +0000)
committer keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 23 Jun 2018 10:47:58 +0000 (10:47 +0000)
commit 3a01824369095f150eb58175bbe08868ee7a91b7
tree 009207ca6c57dfaefce46a04ffea3f179e466c93
parent e0867abe830913e18b1dbf2ebd43279c43f88c5f
We need to have a getDirectConcurrently for use in the compilers
https://bugs.webkit.org/show_bug.cgi?id=186954

Reviewed by Mark Lam.

It used to be that the propertyStorage of an object never shrunk
so if you called getDirect with some offset it would never be an
OOB read. However, this property storage can shrink when calling
flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
holds the Structure's ConcurrentJSLock while shrinking. This patch
adds a getDirectConcurrently that will safely try to load from the
butterfly.

* bytecode/ObjectPropertyConditionSet.cpp:
* bytecode/PropertyCondition.cpp:
(JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
(JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::tryGetConstantProperty):
* runtime/JSObject.h:
(JSC::JSObject::getDirectConcurrently const):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233124 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp
Source/JavaScriptCore/bytecode/PropertyCondition.cpp
Source/JavaScriptCore/dfg/DFGGraph.cpp
Source/JavaScriptCore/runtime/JSObject.h
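The hazard the commit message describes, as an added C++ model that is not JavaScriptCore's code: the names mirror JSC's vocabulary (Structure, butterfly, getDirect, getDirectConcurrently, flattenDictionaryStructure), but every body is an assumption, std::mutex stands in for the Structure's ConcurrentJSLock, and putDirect, populate and the two check functions are hypothetical helpers. It shows why an unchecked getDirect is only safe on the thread that owns the object, and how a reader that takes the same lock the shrinking path holds, then validates the offset, never reads past the shrunken storage.

```cpp
// Added example, not JavaScriptCore source.  Names mirror JSC's vocabulary but
// every body here is an assumption, and std::mutex stands in for the
// Structure's ConcurrentJSLock.
#include <atomic>
#include <cstddef>
#include <mutex>
#include <optional>
#include <thread>
#include <vector>

using PropertyOffset = std::size_t;
// Stand-in for JSC's Structure: owns the lock flattenDictionaryStructure holds
// while storage shrinks, and knows which offsets are currently valid.
struct Structure {
    std::mutex lock;
    std::size_t propertyCount = 0;   // offsets < propertyCount are valid
    bool isValidOffset(PropertyOffset offset) const { return offset < propertyCount; }
};

struct ObjectModel {
    Structure structure;
    std::vector<int> butterfly;      // stand-in for out-of-line property storage
    // Main-thread read: the caller promises the offset is valid for the current
    // Structure, so nothing is checked.  A compiler thread cannot make that
    // promise, because the main thread may flatten the object at any time.
    int getDirect(PropertyOffset offset) const { return butterfly[offset]; }
    // Compiler-thread read: hold the Structure's lock so the butterfly cannot
    // shrink underneath us, then validate the offset before loading.  An empty
    // result means "nothing could be read safely".
    std::optional<int> getDirectConcurrently(PropertyOffset offset) {
        std::lock_guard<std::mutex> locker(structure.lock);
        if (!structure.isValidOffset(offset))
            return std::nullopt;
        return getDirect(offset);
    }
    // Hypothetical main-thread helper: append a property (storage only grows).
    void putDirect(int value) {
        std::lock_guard<std::mutex> locker(structure.lock);
        butterfly.push_back(value);
        structure.propertyCount = butterfly.size();
    }
    // Main-thread mutation that shrinks storage while holding the same lock the
    // concurrent reader takes, as the commit message says the real one does.
    void flattenDictionaryStructure(std::size_t liveCount) {
        std::lock_guard<std::mutex> locker(structure.lock);
        butterfly.resize(liveCount);
        structure.propertyCount = liveCount;
    }
};

// Hypothetical helper: slot i always holds i * 10, so a reader can tell a
// correct load from stale or out-of-bounds data.
void populate(ObjectModel& object, std::size_t count) {
    for (std::size_t i = 0; i < count; ++i)
        object.putDirect(static_cast<int>(i) * 10);
}

// Deterministic check: after flattening 4 properties down to 2, offset 3 is
// rejected and offset 1 still yields its value (10).
bool flattenedReadsAreRejected() {
    ObjectModel object;
    populate(object, 4);
    object.flattenDictionaryStructure(2);
    bool gone = !object.getDirectConcurrently(3).has_value();
    std::optional<int> live = object.getDirectConcurrently(1);
    return gone && live.has_value() && *live == 10;
}

// Race check: a "compiler" thread reads offsets 0..7 while the main thread
// repeatedly flattens the object to 2 properties and grows it back to 8.
// Returns true if every successful concurrent load was the slot's real value.
bool stressConcurrentReads(int rounds) {
    ObjectModel object;
    populate(object, 8);
    std::atomic<bool> done{false};
    std::atomic<bool> sawGarbage{false};
    std::thread compiler([&] {
        while (!done.load()) {
            for (PropertyOffset offset = 0; offset < 8; ++offset) {
                std::optional<int> value = object.getDirectConcurrently(offset);
                // nullopt means the slot was flattened away: a legitimate outcome.
                if (value && *value != static_cast<int>(offset) * 10)
                    sawGarbage.store(true);
            }
        }
    });
    for (int round = 0; round < rounds; ++round) {
        object.flattenDictionaryStructure(2);
        for (int i = 2; i < 8; ++i)
            object.putDirect(i * 10);
    }
    done.store(true);
    compiler.join();
    return !sawGarbage.load();
}

int main() { return flattenedReadsAreRejected() && stressConcurrentReads(1000) ? 0 : 1; }
```

The design point is the pairing: the check in getDirectConcurrently is only meaningful because flattenDictionaryStructure shrinks under the same lock, so the offset cannot become invalid between the validity test and the load. A validity check without the lock would still race, and the lock without the check would still let a stale offset index past the end.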