Attachment 343258 Details for
Bug 186878
: JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
WIP
b-backup.diff (text/plain), 4.03 KB, created by
Saam Barati
on 2018-06-21 12:35:27 PDT
Description:
WIP
Filename:
MIME Type:
Creator:
Saam Barati
Created:
2018-06-21 12:35:27 PDT
Size:
4.03 KB
>Index: Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
>===================================================================
>--- Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (revision 233022)
>+++ Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (working copy)
>@@ -406,6 +406,7 @@ RegisterID* ArrayNode::emitBytecode(Byte
> auto newArray = [&] (RegisterID* dst, ElementNode* elements, unsigned length, bool hadVariableExpression) {
> if (length && !hadVariableExpression) {
> recommendedIndexingType |= CopyOnWrite;
>+ ASSERT(generator.vm()->heap.isDeferred()); // We run bytecode generator under a DeferGC. If we stopped doing that, we'd need to put a DeferGC here as we filled in these slots.
> auto* array = JSImmutableButterfly::create(*generator.vm(), recommendedIndexingType, length);
> unsigned index = 0;
> for (ElementNode* element = elements; index < length; element = element->next()) {
>Index: Source/JavaScriptCore/heap/HeapUtil.h
>===================================================================
>--- Source/JavaScriptCore/heap/HeapUtil.h (revision 233022)
>+++ Source/JavaScriptCore/heap/HeapUtil.h (working copy)
>@@ -87,8 +87,7 @@ public:
> char* previousPointer = pointer - sizeof(IndexingHeader) - 1;
> MarkedBlock* previousCandidate = MarkedBlock::blockFor(previousPointer);
> if (!filter.ruleOut(bitwise_cast<Bits>(previousCandidate))
>- && set.contains(previousCandidate)
>- && previousCandidate->handle().cellKind() == HeapCell::Auxiliary) {
>+ && set.contains(previousCandidate)) {
> previousPointer = static_cast<char*>(previousCandidate->handle().cellAlign(previousPointer));
> if (previousCandidate->handle().isLiveCell(markingVersion, newlyAllocatedVersion, isMarking, previousPointer))
> func(previousPointer, previousCandidate->handle().cellKind());
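Review bot: The added `ASSERT(generator.vm()->heap.isDeferred())` compiles out of release builds, while the hazard it guards — a collection walking the freshly created JSImmutableButterfly before the loop below has filled its slots — is a memory-safety condition, not a debug-only one (assuming `create` does not zero-fill, which the hunk does not show). The comment already names the cheap alternative; a local `DeferGC deferGC(generator.vm()->heap);` placed before the `create` call would make the invariant hold by construction instead of depending on every caller of the bytecode generator, if DeferGC is usable in this file. If the assert is kept instead, `RELEASE_ASSERT` would make a future caller that drops the DeferGC fail loudly rather than silently expose uninitialized slots to the marker. The `newArray` lambda and the fill loop continue outside the hunk.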
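Review bot: Dropping the `cellKind() == HeapCell::Auxiliary` test on the previous-cell probe means it now fires for every block in `set`, so a plain pointer to the start of a JSCell also retains whichever live cell ends just before it, because `pointer - sizeof(IndexingHeader) - 1` lands in the preceding atom. That is the safe direction for a conservative scanner — extra retention, never a missed root — but it is a new retention cost for ordinary cell pointers that nothing in the hunk records, so add a comment such as `// Probe the cell preceding |pointer| too: a butterfly pointer points just past an IndexingHeader that may sit in the tail of the previous cell. This applies to every block kind, so an ordinary cell pointer can also retain its predecessor; that over-retention is deliberate.` If the probe can be limited to the subspace JSImmutableButterfly allocates from, that would bound the cost. The enclosing function starts above the hunk.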
>@@ -103,20 +102,14 @@ public:
> if (!set.contains(candidate))
> return;
> 
>- HeapCell::Kind cellKind = candidate->handle().cellKind();
>- 
> auto tryPointer = [&] (void* pointer) {
> if (candidate->handle().isLiveCell(markingVersion, newlyAllocatedVersion, isMarking, pointer))
>- func(pointer, cellKind);
>+ func(pointer, candidate->handle().cellKind());
> };
> 
>- if (candidate->handle().cellKind() == HeapCell::JSCell) {
>- if (!MarkedBlock::isAtomAligned(pointer))
>- return;
>- 
>- tryPointer(pointer);
>- return;
>- }
>+ // We don't distinguish interior pointers based on HeapCell::Auxiliary because:
>+ // - JSImmutableButterfly is HeapCell::JSCell
>+ // - We think the compiler may emit code where it points into the middle of a cell
> 
> // A butterfly could point into the middle of an object.
> char* alignedPointer = static_cast<char*>(candidate->handle().cellAlign(pointer));
>Index: Source/JavaScriptCore/runtime/JSImmutableButterfly.h
>===================================================================
>--- Source/JavaScriptCore/runtime/JSImmutableButterfly.h (revision 233022)
>+++ Source/JavaScriptCore/runtime/JSImmutableButterfly.h (working copy)
>@@ -89,7 +89,7 @@ public:
> static CompleteSubspace* subspaceFor(VM& vm)
> {
> // We allocate out of the JSValue gigacage as other code expects all butterflies to live there.
>- return &vm.jsValueGigacageAuxiliarySpace;
>+ return &vm.jsValueGigacageCellSpace;
> }
> 
> // Only call this if you just allocated this butterfly.
>Index: Source/WebCore/page/FrameView.cpp
>===================================================================
>--- Source/WebCore/page/FrameView.cpp (revision 233022)
>+++ Source/WebCore/page/FrameView.cpp (working copy)
>@@ -4131,7 +4131,7 @@ void FrameView::paintContents(GraphicsCo
> if (!layoutContext().inPaintableState())
> return;
> 
>- ASSERT(!needsLayout());
>+ //ASSERT(!needsLayout());
> if (needsLayout())
> return;
>
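Review bot: The new comment `// - We think the compiler may emit code where it points into the middle of a cell` documents a guess, yet the code below now commits to it: with the `isAtomAligned` early return gone, every pointer into a live cell atom of any kind, aligned or not, becomes a root. State the invariant rather than the suspicion, e.g. `// Any pointer into a live cell, aligned or not, keeps it alive: JSImmutableButterfly is a JSCell whose butterfly pointer is an interior pointer, and JIT code may hold interior pointers as well. Over-retention is acceptable here; missing a root is not.` The removed `cellKind` local was also the clearer form — `candidate->handle().cellKind()` is now re-read on every `tryPointer` call for the same candidate, so hoisting it back costs nothing. The function continues past the hunk.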
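Review bot: The comment above the changed line still only explains the gigacage choice, while the switch from `jsValueGigacageAuxiliarySpace` to `jsValueGigacageCellSpace` is what changes the cell kind the collector sees and appears to be the fix the bug title asks for, so it deserves its own sentence: `// ... and out of the cell (not auxiliary) space, because JSImmutableButterfly is a JSCell whose header the collector must visit; conservative scanning in HeapUtil relies on interior pointers into this space being recognized.` The second clause should be confirmed against the HeapUtil change before landing.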
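Review bot: Commenting out `ASSERT(!needsLayout())` in `FrameView::paintContents` disables a WebCore layout invariant that has nothing to do with the JSC subspace change, so it reads as a local debugging workaround that should not ship with this patch. Silencing it hides whichever path reaches paint with layout pending; the `if (needsLayout()) return;` below already avoids painting in release, so the right move is to track that caller down or file a separate bug and restore the line as `ASSERT(!needsLayout());`. The function continues outside the hunk.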