Bug 163343 - The blackening of CellState is a bad way of tracking if the object is being marked for the first time
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Filip Pizlo
Blocks: 149432
Reported: 2016-10-12 11:15 PDT by Filip Pizlo
Modified: 2016-10-12 16:59 PDT

Attachments
the patch (12.45 KB, patch)
2016-10-12 12:53 PDT, Filip Pizlo
mark.lam: review+

Description Filip Pizlo 2016-10-12 11:15:41 PDT
I think we need to revert the CellState change in https://trac.webkit.org/changeset/206344.
Comment 1 Filip Pizlo 2016-10-12 12:53:07 PDT
Created attachment 291385 [details]
the patch
Comment 2 WebKit Commit Bot 2016-10-12 12:56:05 PDT
Attachment 291385 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/llint/LLIntData.cpp:217:  Tests for true/false, null/non-null, and zero/non-zero should all be done without equality comparisons.  [readability/comparison_to_zero] [5]
Total errors found: 1 in 10 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 3 Mark Lam 2016-10-12 13:07:23 PDT
Comment on attachment 291385 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=291385&action=review

r=me

> Source/JavaScriptCore/ChangeLog:13
> +        new way better: instead of the SlotVisitor rememering the state-before-blackening, we would

typo: /rememering/remembering/

> Source/JavaScriptCore/ChangeLog:19
> +        Subsequent visits will know that they are not the first. So, we will fail to do the right

/will know/will think/?

> Source/JavaScriptCore/heap/CellState.h:33
> +    // The object is either currently being scanned (anthracite) or it has finished being scalled

typo: /scalled/scanned/

> Source/JavaScriptCore/heap/SlotVisitor.cpp:300
> +    // There is no race here - the cell state cannot change right now.
> +    ASSERT(m_oldCellState == CellState::OldGrey || m_oldCellState == CellState::NewGrey);

Please explain why the cell state cannot change.
Comment 4 Filip Pizlo 2016-10-12 13:09:06 PDT
(In reply to comment #3)
> Comment on attachment 291385 [details]
> the patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=291385&action=review
> 
> r=me
> 
> > Source/JavaScriptCore/ChangeLog:13
> > +        new way better: instead of the SlotVisitor rememering the state-before-blackening, we would
> 
> typo: /rememering/remembering/
> 
> > Source/JavaScriptCore/ChangeLog:19
> > +        Subsequent visits will know that they are not the first. So, we will fail to do the right
> 
> /will know/will think/?
> 
> > Source/JavaScriptCore/heap/CellState.h:33
> > +    // The object is either currently being scanned (anthracite) or it has finished being scalled
> 
> typo: /scalled/scanned/
> 
> > Source/JavaScriptCore/heap/SlotVisitor.cpp:300
> > +    // There is no race here - the cell state cannot change right now.
> > +    ASSERT(m_oldCellState == CellState::OldGrey || m_oldCellState == CellState::NewGrey);
> 
> Please explain why the cell state cannot change.

All fixed.  Now to run all debug tests to make sure I didn't add wrong asserts...
Comment 5 Filip Pizlo 2016-10-12 16:59:39 PDT
Landed in https://trac.webkit.org/changeset/207263