diff options
| author | Konstantin Tokarev <annulen@yandex.ru> | 2016-08-25 19:20:41 +0300 |
|---|---|---|
| committer | Konstantin Tokarev <annulen@yandex.ru> | 2017-02-02 12:30:55 +0000 |
| commit | 6882a04fb36642862b11efe514251d32070c3d65 (patch) | |
| tree | b7959826000b061fd5ccc7512035c7478742f7b0 /Source/JavaScriptCore/bytecode/ArrayAllocationProfile.cpp | |
| parent | ab6df191029eeeb0b0f16f127d553265659f739e (diff) | |
| download | qtwebkit-6882a04fb36642862b11efe514251d32070c3d65.tar.gz | |
Imported QtWebKit TP3 (git b57bc6801f1876c3220d5a4bfea33d620d477443)
Change-Id: I3b1d8a2808782c9f34d50240000e20cb38d3680f
Reviewed-by: Konstantin Tokarev <annulen@yandex.ru>
Diffstat (limited to 'Source/JavaScriptCore/bytecode/ArrayAllocationProfile.cpp')
| -rw-r--r-- | Source/JavaScriptCore/bytecode/ArrayAllocationProfile.cpp | 23 |
1 files changed, 19 insertions, 4 deletions
diff --git a/Source/JavaScriptCore/bytecode/ArrayAllocationProfile.cpp b/Source/JavaScriptCore/bytecode/ArrayAllocationProfile.cpp index 6d9afda28..905b5bd3c 100644 --- a/Source/JavaScriptCore/bytecode/ArrayAllocationProfile.cpp +++ b/Source/JavaScriptCore/bytecode/ArrayAllocationProfile.cpp @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Apple Inc. All rights reserved. + * Copyright (C) 2012, 2013 Apple Inc. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -26,15 +26,30 @@ #include "config.h" #include "ArrayAllocationProfile.h" -#include "Operations.h" +#include "JSCInlines.h" namespace JSC { void ArrayAllocationProfile::updateIndexingType() { - if (!m_lastArray) + // This is awkwardly racy but totally sound even when executed concurrently. The + // worst cases go something like this: + // + // - Two threads race to execute this code; one of them succeeds in updating the + // m_currentIndexingType and the other either updates it again, or sees a null + // m_lastArray; if it updates it again then at worst it will cause the profile + // to "forget" some array. That's still sound, since we don't promise that + // this profile is a reflection of any kind of truth. + // + // - A concurrent thread reads m_lastArray, but that array is now dead. While + // it's possible for that array to no longer be reachable, it cannot actually + // be freed, since we require the GC to wait until all concurrent JITing + // finishes. + + JSArray* lastArray = m_lastArray; + if (!lastArray) return; - m_currentIndexingType = leastUpperBoundOfIndexingTypes(m_currentIndexingType, m_lastArray->structure()->indexingType()); + m_currentIndexingType = leastUpperBoundOfIndexingTypes(m_currentIndexingType, lastArray->indexingType()); m_lastArray = 0; } |