WebKit Bugzilla
Attachment 342662 Details for Bug 186592: [JSC] Always use Nuke & Set procedure for x86
bug-186592-20180614005432.patch (text/plain), 2.89 KB, created by Yusuke Suzuki on 2018-06-13 08:54:33 PDT
>Subversion Revision: 232790 >diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog >index d80b3e597ef6e747399b173b97fad5854e3f7945..9884656994f1beab01e2f50e57d5e4236871ee34 100644 >--- a/Source/JavaScriptCore/ChangeLog >+++ b/Source/JavaScriptCore/ChangeLog >@@ -1,3 +1,17 @@ >+2018-06-13 Yusuke Suzuki <utatane.tea@gmail.com> >+ >+ [JSC] Always use Nuke & Set procedure for x86 >+ https://bugs.webkit.org/show_bug.cgi?id=186592 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ We always use nukeStructureAndStoreButterfly for Contiguous -> ArrayStorage conversion if the architecture is x86. >+ By doing so, we can concurrently load structure and butterfly at least in x86 environment even in non-collector >+ threads. >+ >+ * runtime/JSObject.cpp: >+ (JSC::JSObject::convertContiguousToArrayStorage): >+ > 2018-06-12 Saam Barati <sbarati@apple.com> > > Remove JSVirtualMachine shrinkFootprint when clients move to shrinkFootprintWhenIdle >diff --git a/Source/JavaScriptCore/runtime/JSObject.cpp b/Source/JavaScriptCore/runtime/JSObject.cpp >index a4c9bf1eaf6524ffa2d738f001370badc317e46f..696a146ecb5c9d29dda63e730c24a4eef1a242bc 100644 >--- a/Source/JavaScriptCore/runtime/JSObject.cpp >+++ b/Source/JavaScriptCore/runtime/JSObject.cpp >@@ -1344,7 +1344,9 @@ ArrayStorage* JSObject::convertContiguousToArrayStorage(VM& vm, NonPropertyTrans > newStorage->m_numValuesInVector++; > } > >- Structure* newStructure = Structure::nonPropertyTransition(vm, structure(vm), transition); >+ StructureID oldStructureID = this->structureID(); >+ Structure* oldStructure = vm.getStructure(oldStructureID); >+ Structure* newStructure = Structure::nonPropertyTransition(vm, oldStructure, transition); > > // This has a crazy race with the garbage collector. When changing the butterfly and structure, > // the mutator always sets the structure last. The collector will always read the structure 
>@@ -1357,18 +1359,12 @@ ArrayStorage* JSObject::convertContiguousToArrayStorage(VM& vm, NonPropertyTrans > // because it will fail to decode two consecutive int32s as if it was a JSValue. > // > // Fortunately, we have the JSCell lock for this purpose! >- >- if (vm.heap.mutatorShouldBeFenced()) { >- auto locker = holdLock(cellLock()); >- setStructureIDDirectly(nuke(structureID())); >- WTF::storeStoreFence(); >- m_butterfly.set(vm, this, newStorage->butterfly()); >- WTF::storeStoreFence(); >- setStructure(vm, newStructure); >- } else { >- m_butterfly.set(vm, this, newStorage->butterfly()); >- setStructure(vm, newStructure); >- } >+ >+ Locker<JSCellLock> locker(NoLockingNecessary); >+ if (vm.heap.mutatorShouldBeFenced()) >+ locker = holdLock(cellLock()); >+ nukeStructureAndSetButterfly(vm, oldStructureID, newStorage->butterfly()); >+ setStructure(vm, newStructure); > > return newStorage; > }
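
Review bot: In the ChangeLog entry, the description names nukeStructureAndStoreButterfly, but the JSObject.cpp change calls nukeStructureAndSetButterfly; the entry should use the name that is actually called. The entry also says the procedure is used "if the architecture is x86", while the call in convertContiguousToArrayStorage is unconditional, so the text should either say that the x86 check lives inside the helper (an assumption, since the helper is not part of this patch) or be reworded to match the call site.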
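
Review bot: In the second JSObject.cpp hunk (@@ -1357,18 +1359,12 @@), the removed fenced branch had an explicit WTF::storeStoreFence() between m_butterfly.set(...) and setStructure(vm, newStructure), while the replacement shows nothing between nukeStructureAndSetButterfly(...) and setStructure(...). The store ordering now depends entirely on what the helper does after it writes the butterfly, which is not visible in this patch; please confirm it fences after the butterfly store on every path that nukes, or keep an explicit fence before setStructure. Separately, the retained comment "Fortunately, we have the JSCell lock for this purpose!" now sits above a lock that is still taken only when vm.heap.mutatorShouldBeFenced() is true, although the nuke call is unconditional; a sentence in the comment explaining why the concurrent non-collector readers mentioned in the ChangeLog need the nuke but not the lock would help.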