Source/JavaScriptCore/ChangeLog

 12017-12-16 Yusuke Suzuki <utatane.tea@gmail.com>
 2
 3 [JSC] Number of SlotVisitors can increase after setting up m_visitCounters
 4 https://bugs.webkit.org/show_bug.cgi?id=180906
 5
 6 Reviewed by NOBODY (OOPS!).
 7
 8 The number of SlotVisitors can increase after setting up m_visitCounters.
 9 If it happens, our m_visitCounters misses the visit count of newly added
 10 SlotVisitors. It accidentally decides that constraints are converged.
 11 This leads to random assertion hits in Linux environment.
 12
 13 In this patch, we compare the number of SlotVisitors in didVisitSomething().
 14 If the number of SlotVisitors is changed, we conservatively say we did
 15 visit something.
 16
 17 * heap/Heap.h:
 18 * heap/HeapInlines.h:
 19 (JSC::Heap::numberOfSlotVisitors):
 20 * heap/MarkingConstraintSet.h:
 21 * heap/MarkingConstraintSolver.cpp:
 22 (JSC::MarkingConstraintSolver::didVisitSomething const):
 23
1242017-12-15 Yusuke Suzuki <utatane.tea@gmail.com>
225
326 Unreviewed, 32bit JSEmpty is not nullptr + CellTag

Source/JavaScriptCore/heap/Heap.h

@@class Heap {
372372
373373 template<typename Func>
374374 void forEachSlotVisitor(const Func&);
 375 unsigned numberOfSlotVisitors();
375376
376377private:
377378 friend class AllocatingScope;

Source/JavaScriptCore/heap/HeapInlines.h

@@void Heap::forEachSlotVisitor(const Func& func)
269269 func(*slotVisitor);
270270}
271271
 272inline unsigned Heap::numberOfSlotVisitors()
 273{
 274 auto locker = holdLock(m_parallelSlotVisitorLock);
 275 return m_parallelSlotVisitors.size() + 2; // m_collectorSlotVisitor and m_mutatorSlotVisitor
 276}
 277
272278} // namespace JSC

Source/JavaScriptCore/heap/MarkingConstraintSet.h

@@class MarkingConstraintSet {
6767
6868 bool executeConvergenceImpl(SlotVisitor&);
6969
70  bool drain(SlotVisitor&, BitVector& unexecuted, BitVector& executed, bool& didVisitSomething);
71 
7270 Heap& m_heap;
7371 BitVector m_unexecutedRoots;
7472 BitVector m_unexecutedOutgrowths;

Source/JavaScriptCore/heap/MarkingConstraintSolver.cpp

@@bool MarkingConstraintSolver::didVisitSomething() const
5151 if (visitCounter.visitCount())
5252 return true;
5353 }
 54 // If the number of SlotVisitors increases after creating m_visitCounters,
 55 // we conservatively say there could be something visited by added SlotVisitors.
 56 if (m_heap.numberOfSlotVisitors() > m_visitCounters.size())
 57 return true;
5458 return false;
5559}
5660