[JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
author ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 30 Aug 2019 10:00:31 +0000 (10:00 +0000)
committer ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 30 Aug 2019 10:00:31 +0000 (10:00 +0000)
commit e2cadc694f5af4a3421ac0fe9cb422f539a6a5bd
tree e180edd462cbfa7593c59e3da2f8fc16dfe789cd
parent 20ca081698597d0498de6e89b6905b4cac1dca6c
[JSC] DFG ByteCodeParser should not copy JIT-related part of SimpleJumpTable
https://bugs.webkit.org/show_bug.cgi?id=201331

Reviewed by Mark Lam.

JSTests:

* stress/simple-jump-table-copy.js: Added.
(let.code):
(g2):

Source/JavaScriptCore:

SimpleJumpTable's non-JIT part is not changed after the CodeBlock is finalized. On the other hand, the JIT-related part is allocated on demand.
For example, ctiOffsets can be grown by the Baseline JIT compiler. There is a race condition as follows.

    1. DFG ByteCodeParser is inlining and copying SimpleJumpTable
    2. Baseline JIT compiler is expanding JIT-related part of SimpleJumpTable

Then, (1) reads the broken Vector and crashes. Since the JIT-related part is unnecessary in (1), we should not clone it.
This patch adds CodeBlock::addSwitchJumpTableFromProfiledCodeBlock, which only copies the non-JIT-related part of the given SimpleJumpTable offered
by the profiled CodeBlock.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::addSwitchJumpTableFromProfiledCodeBlock):
* bytecode/JumpTable.h:
(JSC::SimpleJumpTable::cloneNonJITPart const):
(JSC::SimpleJumpTable::clear):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249319 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/simple-jump-table-copy.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/CodeBlock.h
Source/JavaScriptCore/bytecode/JumpTable.h
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp