WebKit Bugzilla
Attachment 343866 Details for Bug 187157: IsoCellSet::sweepToFreeList() not safe when Full GC in process
Patch: 187157.patch (text/plain), 2.95 KB, created by Michael Saboff on 2018-06-28 15:52:45 PDT
>Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 233328) >+++ Source/JavaScriptCore/ChangeLog (working copy) >@@ -1,3 +1,18 @@ >+2018-06-28 Michael Saboff <msaboff@apple.com> >+ >+ IsoCellSet::sweepToFreeList() not safe when Full GC in process >+ https://bugs.webkit.org/show_bug.cgi?id=187157 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * heap/IsoCellSet.cpp: >+ (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what >+ is in MarkedBlock::Handle::specializedSweep where it takes into account whether >+ or not we are in the process of marking during a full GC. >+ * heap/MarkedBlock.h: >+ * heap/MarkedBlockInlines.h: >+ (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper. >+ > 2018-06-27 Saam Barati <sbarati@apple.com> > > Add some more register state information when we crash in repatchPutById >Index: Source/JavaScriptCore/heap/IsoCellSet.cpp >=================================================================== >--- Source/JavaScriptCore/heap/IsoCellSet.cpp (revision 233328) >+++ Source/JavaScriptCore/heap/IsoCellSet.cpp (working copy) >@@ -127,11 +127,12 @@ void IsoCellSet::sweepToFreeList(MarkedB > } > > if (block->block().hasAnyNewlyAllocated()) { >+ // The newlyAllocated() bits are a superset of the marks() bits. > m_bits[block->index()]->concurrentFilter(block->block().newlyAllocated()); > return; > } > >- if (block->isEmpty() || block->areMarksStale()) { >+ if (block->isEmpty() || block->areMarksStaleForSweep()) { > { > // Holding the bitvector lock happens to be enough because that's what we also hold in > // other places where we manipulate this bitvector. >Index: Source/JavaScriptCore/heap/MarkedBlock.h >=================================================================== >--- Source/JavaScriptCore/heap/MarkedBlock.h (revision 233328) >+++ Source/JavaScriptCore/heap/MarkedBlock.h (working copy) 
>@@ -187,6 +187,7 @@ public: > template <typename Functor> inline IterationStatus forEachMarkedCell(const Functor&); > > JS_EXPORT_PRIVATE bool areMarksStale(); >+ bool areMarksStaleForSweep(); > > void assertMarksNotStale(); > >Index: Source/JavaScriptCore/heap/MarkedBlockInlines.h >=================================================================== >--- Source/JavaScriptCore/heap/MarkedBlockInlines.h (revision 233328) >+++ Source/JavaScriptCore/heap/MarkedBlockInlines.h (working copy) >@@ -203,6 +203,11 @@ inline bool MarkedBlock::Handle::isLiveC > return isLiveCell(space()->markingVersion(), space()->newlyAllocatedVersion(), space()->isMarking(), p); > } > >+inline bool MarkedBlock::Handle::areMarksStaleForSweep() >+{ >+ return marksMode() == MarksStale; >+} >+ > // The following has to be true for specialization to kick in: > // > // sweepMode == SweepToFreeList
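Review bot: In the ChangeLog hunk, the entry says the stale-marks logic now matches MarkedBlock::Handle::specializedSweep but never states what goes wrong in sweepToFreeList() while a full GC is marking, and the patch touches only ChangeLog, IsoCellSet.cpp, MarkedBlock.h and MarkedBlockInlines.h, so no regression test comes with it. Please add a sentence describing the observed failure and either include a test or say in the entry why one is not practical. The "Reviewed by NOBODY (OOPS!)" placeholder also has to be filled in before landing.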
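Review bot: In the IsoCellSet.cpp hunk, the changed condition "if (block->isEmpty() || block->areMarksStaleForSweep())" has no comment explaining why areMarksStale() is the wrong check at this point, even though the neighbouring hasAnyNewlyAllocated() branch gained one. The reason is only in the ChangeLog (the sweep has to take into account whether marking for a full GC is in progress); a one-line comment at the condition saying so would keep someone from switching it back to areMarksStale() later.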
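Review bot: In the MarkedBlock.h hunk, "bool areMarksStaleForSweep();" is declared directly under "JS_EXPORT_PRIVATE bool areMarksStale();" with nothing to tell the two apart, and the names differ only by a suffix. Add a short comment on the declaration saying when each one is the right call. Since the new method is defined inline in MarkedBlockInlines.h rather than exported, it is also worth confirming that IsoCellSet.cpp includes that header; the IsoCellSet.cpp hunk does not show its includes.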
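Review bot: In the MarkedBlockInlines.h hunk, the new areMarksStaleForSweep() body "return marksMode() == MarksStale;" is described in the ChangeLog as matching logic that already exists in MarkedBlock::Handle::specializedSweep, which leaves the same check written in two places. Consider having specializedSweep call this helper so the two cannot drift apart, or note in a comment above the helper that it must stay in sync with specializedSweep.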
Flags: mark.lam: review+