[JSC] DFG, FTL, and Wasm worklist creation should be fenced
author    ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Fri, 15 Feb 2019 21:21:44 +0000 (21:21 +0000)
committer ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Fri, 15 Feb 2019 21:21:44 +0000 (21:21 +0000)
https://bugs.webkit.org/show_bug.cgi?id=194714

Reviewed by Mark Lam.

Let's consider the following extreme case.

1. VM (A) is created.
2. Another VM (B) is created on a different thread.
3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
6. (A) sees the half-baked worklist, which may be in the middle of creation.

This patch puts a store-store fence just before storing the pointer into a global variable.
This fence is executed at most three times, for the DFG, FTL, and Wasm worklist initializations.

* dfg/DFGWorklist.cpp:
(JSC::DFG::ensureGlobalDFGWorklist):
(JSC::DFG::ensureGlobalFTLWorklist):
* wasm/WasmWorklist.cpp:
(JSC::Wasm::ensureWorklist):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@241610 268f45cc-cd09-0410-ab3c-d52691b4dbfc
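The publish-after-construct pattern described in the commit message, as an added example that is not part of WebKit or this patch. It restates the creator side with C++11 atomics and, unlike the patch, also shows the reader side (a caller that bypasses call_once, like the destructor path the message mentions) and a stress check that such readers never observe a half-constructed object. The names Worklist, ensureWorklist, existingWorklistOrNull and countTornReads are hypothetical stand-ins for the JSC functions; the magic value and field set are constructed for the check.

```cpp
// Added example, not WebKit code: the publish-after-construct pattern of
// ensureGlobalDFGWorklist(), written with C++11 atomics so that the reader
// side the commit message describes (a VM destructor that bypasses call_once)
// is covered as well. Worklist, ensureWorklist, existingWorklistOrNull and
// countTornReads are hypothetical stand-ins for the JSC functions.
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <mutex>
#include <thread>
#include <vector>

static const uint32_t kWorklistMagic = 0xC0DE0001u; // constructed sentinel

struct Worklist {
    // Fields written by the constructor. A reader that observes the global
    // pointer before these stores are visible sees a "half-baked" object.
    uint32_t magic;
    uint32_t numberOfThreads;
    const char* name;
    Worklist(const char* n, uint32_t threads)
        : magic(kWorklistMagic), numberOfThreads(threads), name(n) { }
};

// The patch keeps a plain global and orders the store with WTF::storeStoreFence().
// Here the global is an atomic pointer: the release store orders the constructor's
// writes before the pointer becomes visible, and the reader's acquire load pairs
// with it, which is the half of the contract a writer-side fence alone does not
// spell out.
static std::atomic<Worklist*> g_worklist { nullptr };

Worklist& ensureWorklist()
{
    static std::once_flag once;
    std::call_once(once, [] {
        // Construct completely first; the object is leaked on purpose, as leakRef() does in JSC.
        Worklist* worklist = new Worklist("DFG", 2);
        // ... then publish. Release semantics replace storeStoreFence() + plain store.
        g_worklist.store(worklist, std::memory_order_release);
    });
    // Callers that went through call_once are already ordered after the initializer;
    // the acquire load keeps this correct for every caller anyway.
    return *g_worklist.load(std::memory_order_acquire);
}

// Reader that does not take the call_once path, like a destructor asking whether a
// worklist exists. Returns nullptr before creation, otherwise a fully constructed object.
Worklist* existingWorklistOrNull()
{
    return g_worklist.load(std::memory_order_acquire);
}

// Stress check: readerThreads threads poll existingWorklistOrNull() while one
// thread creates the worklist. Returns how many polls saw a non-null pointer to an
// object whose fields were not yet initialized; with the pairing above this is 0.
size_t countTornReads(unsigned readerThreads, unsigned pollsPerReader)
{
    std::atomic<size_t> torn { 0 };
    std::atomic<bool> go { false }; // start barrier so creation races with the polling
    std::vector<std::thread> readers;
    for (unsigned i = 0; i < readerThreads; ++i) {
        readers.emplace_back([&] {
            while (!go.load(std::memory_order_acquire)) { }
            for (unsigned j = 0; j < pollsPerReader; ++j) {
                if (Worklist* w = existingWorklistOrNull()) {
                    if (w->magic != kWorklistMagic || w->numberOfThreads != 2 || !w->name)
                        torn.fetch_add(1, std::memory_order_relaxed);
                }
            }
        });
    }
    std::thread creator([&] {
        while (!go.load(std::memory_order_acquire)) { }
        ensureWorklist();
    });
    go.store(true, std::memory_order_release);
    for (std::thread& t : readers)
        t.join();
    creator.join();
    return torn.load();
}

int main()
{
    std::printf("before creation: %p\n", static_cast<void*>(existingWorklistOrNull()));
    std::printf("torn reads: %zu\n", countTornReads(4, 100000));
    Worklist* w = existingWorklistOrNull();
    std::printf("after creation: %p (%s, %u threads)\n", static_cast<void*>(w), w->name, w->numberOfThreads);
    return 0;
}
```

The release store is the memory-model equivalent of the patch's storeStoreFence() followed by the plain store; the acquire load on the reader is what the patch leaves implicit. On x86 both compile to ordinary moves, so the race is only observable on weakly ordered hardware such as ARM, which is also where an unfenced store can let a reader see the pointer before the object's fields.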

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGWorklist.cpp
Source/JavaScriptCore/wasm/WasmWorklist.cpp

index 03cd1a4..bfb21df 100644 (file)
@@ -1,3 +1,28 @@
+2019-02-15  Yusuke Suzuki  <ysuzuki@apple.com>
+
+        [JSC] DFG, FTL, and Wasm worklist creation should be fenced
+        https://bugs.webkit.org/show_bug.cgi?id=194714
+
+        Reviewed by Mark Lam.
+
+        Let's consider about the following extreme case.
+
+        1. VM (A) is created.
+        2. Another VM (B) is created on a different thread.
+        3. (A) is being destroyed. It calls DFG::existingWorklistForIndexOrNull in a destructor.
+        4. At the same time, (B) starts using DFG Worklist and it is instantiated in call_once.
+        5. But (A) reads the pointer directly through DFG::existingWorklistForIndexOrNull.
+        6. (A) sees the half-baked worklist, which may be in the middle of creation.
+
+        This patch puts store-store fence just before putting a pointer to a global variable.
+        This fence is executed only three times at most, for DFG, FTL, and Wasm worklist initializations.
+
+        * dfg/DFGWorklist.cpp:
+        (JSC::DFG::ensureGlobalDFGWorklist):
+        (JSC::DFG::ensureGlobalFTLWorklist):
+        * wasm/WasmWorklist.cpp:
+        (JSC::Wasm::ensureWorklist):
+
 2019-02-15  Commit Queue  <commit-queue@webkit.org>
 
         Unreviewed, rolling out r241559 and r241566.
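Review bot: two grammar nits in the new ChangeLog text: the `+        Let's consider about the following extreme case.` line should read "Let's consider the following extreme case.", and `+        This patch puts store-store fence just before putting a pointer to a global variable.` should be "puts a store-store fence just before storing the pointer into a global variable." The entry would also benefit from one sentence saying why no matching fence is added on the reader side (DFG::existingWorklistForIndexOrNull), since the description names that reader as the one that sees the half-baked worklist.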
index 8fd16ef..d48b86b 100644 (file)
@@ -570,7 +570,9 @@ Worklist& ensureGlobalDFGWorklist()
 {
     static std::once_flag initializeGlobalWorklistOnceFlag;
     std::call_once(initializeGlobalWorklistOnceFlag, [] {
-        theGlobalDFGWorklist = &Worklist::create("DFG", getNumberOfDFGCompilerThreads(), Options::priorityDeltaOfDFGCompilerThreads()).leakRef();
+        Worklist* worklist = &Worklist::create("DFG", getNumberOfDFGCompilerThreads(), Options::priorityDeltaOfDFGCompilerThreads()).leakRef();
+        WTF::storeStoreFence();
+        theGlobalDFGWorklist = worklist;
     });
     return *theGlobalDFGWorklist;
 }
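Review bot: the fence added before `+        theGlobalDFGWorklist = worklist;` orders only the writer; the reader the ChangeLog names, DFG::existingWorklistForIndexOrNull, is not touched by this patch and `theGlobalDFGWorklist` remains a plain pointer. Either add the matching load-side ordering in that reader, or put a short comment above `+        WTF::storeStoreFence();` stating that readers bypassing std::call_once get their ordering from the data dependency of their loads through the pointer, and that callers of ensureGlobalDFGWorklist() itself are already ordered by call_once, so the fence exists solely for the bypassing readers. Without that comment the next person to touch this code has no way to see what the fence pairs with.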
@@ -586,7 +588,9 @@ Worklist& ensureGlobalFTLWorklist()
 {
     static std::once_flag initializeGlobalWorklistOnceFlag;
     std::call_once(initializeGlobalWorklistOnceFlag, [] {
-        theGlobalFTLWorklist = &Worklist::create("FTL", getNumberOfFTLCompilerThreads(), Options::priorityDeltaOfFTLCompilerThreads()).leakRef();
+        Worklist* worklist = &Worklist::create("FTL", getNumberOfFTLCompilerThreads(), Options::priorityDeltaOfFTLCompilerThreads()).leakRef();
+        WTF::storeStoreFence();
+        theGlobalFTLWorklist = worklist;
     });
     return *theGlobalFTLWorklist;
 }
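Review bot: this hunk is a verbatim copy of the DFG one above with only the name and the option accessors changed, which is how the missing fence happened in the first place. The create / `WTF::storeStoreFence()` / store sequence is worth factoring into one small static helper that takes the freshly created `Worklist*` and the global to publish into, so a fourth worklist cannot be added without the fence.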
index 51e7840..abab021 100644 (file)
@@ -232,7 +232,9 @@ Worklist& ensureWorklist()
 {
     static std::once_flag initializeWorklist;
     std::call_once(initializeWorklist, [] {
-        globalWorklist = new Worklist();
+        Worklist* worklist = new Worklist();
+        WTF::storeStoreFence();
+        globalWorklist = worklist;
     });
     return *globalWorklist;
 }
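Review bot: `globalWorklist` is still a plain `Worklist*` after this change, so the store on `+        globalWorklist = worklist;` and any concurrent read of the global outside ensureWorklist() remain a data race in C++ memory-model terms; the fence fixes the ordering on the hardware WTF::storeStoreFence() targets, not the formal race. Consider making the global an `Atomic<Worklist*>` with a release store here (the explicit fence then goes away and the reader side can use an acquire or dependent load), or at minimum add a comment at the store naming the reader it is meant to protect, as the ChangeLog only does for the DFG case.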