Bug 205592

Summary: [JSC] StructureChain should hold vector of StructureID
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: New BugsAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch mark.lam: review+

Yusuke Suzuki
Reported 2019-12-25 04:49:26 PST
[JSC] StructureChain should hold vector of StructureID
Attachments
Patch (12.82 KB, patch)
2019-12-25 04:51 PST, Yusuke Suzuki
mark.lam: review+
Yusuke Suzuki
Comment 1 2019-12-25 04:51:02 PST
Yusuke Suzuki
Comment 2 2019-12-25 04:52:14 PST
Comment on attachment 386406 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=386406&action=review > Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:1476 > + bineq t2, [t3], .opPutByIdSlow > + addp 4, t3 > + structureIDToStructureWithScratchAndTable(t2, t1, t0) > + loadq Structure::m_prototype[t2], t2 > bqneq t2, ValueNull, .opPutByIdTransitionChainLoop We need to load Structure* from StructureID. If it really matters, I think we should reconsider using StructureID: we should use Structure* and we should put it in 32GB region so that we can use 32bit pointer for that. But, I think this does not matter much.
Mark Lam
Comment 3 2019-12-27 22:36:22 PST
Comment on attachment 386406 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=386406&action=review r=me > Source/JavaScriptCore/runtime/Structure.cpp:1217 > + StructureID* structureIDVector = structureChain->head(); nit: I think "structureIDPointer" is a better name than "structureIDVector" here since we're using it as a bump pointer and not a vector. Alternatively, "currentStructureID" or "structureIDIterator" also works. > Source/JavaScriptCore/runtime/StructureChain.cpp:67 > + vm.heap.writeBarrier(this); Now that we're storing structureIDs and not setting a list of WriteBarrier<Structure>, I think we can put this writeBarrier() call after the loop. There's nothing gained by calling it repeatedly in the loop.
Yusuke Suzuki
Comment 4 2019-12-28 20:47:05 PST
Comment on attachment 386406 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=386406&action=review >> Source/JavaScriptCore/runtime/Structure.cpp:1217 >> + StructureID* structureIDVector = structureChain->head(); > > nit: I think "structureIDPointer" is a better name than "structureIDVector" here since we're using it as a bump pointer and not a vector. Alternatively, "currentStructureID" or "structureIDIterator" also works. currentStructureID sounds nice. Fixed. >> Source/JavaScriptCore/runtime/StructureChain.cpp:67 >> + vm.heap.writeBarrier(this); > > Now that we're storing structureIDs and not setting a list of WriteBarrier<Structure>, I think we can put this writeBarrier() call after the loop. There's nothing gained by calling it repeatedly in the loop. Currently, storedPrototypeObject does not cause any GC related operations. But I think this is not guaranteed. So, make this safe, I like putting write-barrier here.
Yusuke Suzuki
Comment 5 2019-12-28 20:47:49 PST
Radar WebKit Bug Importer
Comment 6 2019-12-28 20:48:18 PST
Saam Barati
Comment 7 2019-12-29 20:55:10 PST
Comment on attachment 386406 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=386406&action=review >>> Source/JavaScriptCore/runtime/StructureChain.cpp:67 >>> + vm.heap.writeBarrier(this); >> >> Now that we're storing structureIDs and not setting a list of WriteBarrier<Structure>, I think we can put this writeBarrier() call after the loop. There's nothing gained by calling it repeatedly in the loop. > > Currently, storedPrototypeObject does not cause any GC related operations. But I think this is not guaranteed. So, make this safe, I like putting write-barrier here. But if you moved writeBarrier outside the loop, |this| is alive, and would be visited regardless of what is inside the loop. The loop could GC all it wants and we should be safe. So Mark is correct that it could move out to the end of the loop (and it could’ve in the old code too). (That said, I’m not sure it matters much in practice.)
Yusuke Suzuki
Comment 8 2020-01-02 10:41:57 PST
Comment on attachment 386406 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=386406&action=review >>>> Source/JavaScriptCore/runtime/StructureChain.cpp:67 >>>> + vm.heap.writeBarrier(this); >>> >>> Now that we're storing structureIDs and not setting a list of WriteBarrier<Structure>, I think we can put this writeBarrier() call after the loop. There's nothing gained by calling it repeatedly in the loop. >> >> Currently, storedPrototypeObject does not cause any GC related operations. But I think this is not guaranteed. So, make this safe, I like putting write-barrier here. > > But if you moved writeBarrier outside the loop, |this| is alive, and would be visited regardless of what is inside the loop. The loop could GC all it wants and we should be safe. So Mark is correct that it could move out to the end of the loop (and it could’ve in the old code too). (That said, I’m not sure it matters much in practice.) Is it correct? Let's consider the following case, Now, we attempt to store 3rd StructureID. We already did GC when creating 1st StructureID. And, after that, concurrent marking happens before 2nd StructureID is stored. 2nd Structure is not in newly-allocated space. The status is, 1. |this| is already marked, but this marking only visits 1st StructureID. 2. 2nd StructureID is already stored to the vector Then, GC happens in storedPrototypeObject. In this case, 2nd Structure can be missed because of lack of write-barrier.
Note You need to log in before you can comment on or make changes to this bug.