Final goal of this way is making all objects in IsoSubspace in JSC.

<rdar://problem/55469823>

Created attachment 379401 [details] Patch

Plan: - Sharing one Iso MarkedBlock for multiple IsoSubspaces if the CellKind is the same to allow sweep from MarkedBlock - Mark bits in MarkedBlock is used - Never becomes empty state

(In reply to Yusuke Suzuki from comment #4) > Plan: > > - Sharing one Iso MarkedBlock for multiple IsoSubspaces if the CellKind is > the same to allow sweep from MarkedBlock > - Mark bits in MarkedBlock is used > - Never becomes empty state While Block can destroy objects, we do not have a way to chain free-cells to each IsoSubspace after that. So we should have some ideas. One idea is that, 1. While sweeping WeakSet is done per MarkBlock, 2. Sweeping objects and chain them to IsoSubspace is done per BlockDirectory.

Discussed with Saam and Phil, we should use LargeAllocation for this purpose.

(In reply to Yusuke Suzuki from comment #6) > Discussed with Saam and Phil, we should use LargeAllocation for this purpose. Landed JSGlobalObject* change, starting making this patch.

Created attachment 382147 [details] Patch

Created attachment 382602 [details] Patch

Created attachment 383006 [details] Patch

Created attachment 383008 [details] Patch

Created attachment 383021 [details] Patch

Created attachment 383024 [details] Patch

Created attachment 383025 [details] Patch

Comment on attachment 383025 [details] Patch Attachment 383025 [details] did not pass jsc-ews (mac): Output: https://webkit-queues.webkit.org/results/13221838 New failing tests: stress/sampling-profiler-wasm.js.default

Created attachment 383083 [details] Patch

Created attachment 383088 [details] Patch

Comment on attachment 383088 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=383088&action=review > Source/JavaScriptCore/ChangeLog:31 > + We also make sizeof(LargeAllocation) small since it is now used for non-large allocations. The name `LargeAllocation` is a bit weird, but anyway, in this patch, I don't change it.

Comment on attachment 383088 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=383088&action=review > Source/JavaScriptCore/heap/LocalAllocator.cpp:140 > + if (void* result = m_directory->tryAllocateFromLowerTier()) > return result; It would be possible that we could introduce some heuristics like, "If several MarkedBlock are allocated to this type, we think this is frequently allocated and avoid using lower-tier cels". For now, we are just using it since I don't see regression.

Comment on attachment 383088 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=383088&action=review > Source/JavaScriptCore/heap/MarkedSpace.cpp:218 > + }); Note that, this forEach works well even if `allocation->destroy()` removes itself from this m_sweptLowerTierCells.forEach list.

Comment on attachment 383088 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=383088&action=review r=me with comments. > Source/JavaScriptCore/ChangeLog:13 > + We use LargeAllocation for this lower-tier objects. Each IsoSubspace holds up to 8 lower-tier objects nit: this => these > Source/JavaScriptCore/ChangeLog:15 > + allocated via LargeAllocation. And use it when MarkedBlock of IsoSubspace exhausts (like, zero MarekdBlock > + here). And once this LargeAllocation is allocated to a certain type, we do not deallocate it until VM Can you clarify this slightly. I think you are saying something like: The allocation order for any given cell type is: try to allocate in an existing MarkedBlock (there won't be one to start). try to allocate in an existing LargeAllocation. allocate a new MarkedBlock and/or GC. > Source/JavaScriptCore/ChangeLog:26 > + that is pointing at the middle of the JSCell in sampling profiler, just registering cell address is enough. And we > + maintain this hash-set only when sampling profiler is enabled to save memory in major cases. Did you benchmark how much this impacts the sampling profiler's regression on the rest of the system? >> Source/JavaScriptCore/ChangeLog:31 >> + We also make sizeof(LargeAllocation) small since it is now used for non-large allocations. > > The name `LargeAllocation` is a bit weird, but anyway, in this patch, I don't change it. Can you do a follow up patch to rename `LargeAllocation` to `CustomAllocation` or something? > Source/JavaScriptCore/heap/HeapUtil.h:165 > + // It does not find the cell if the pointer is pointing at the middle of a JSCell. Nit: It does => This does. > Source/JavaScriptCore/heap/IsoSubspace.cpp:123 > + m_lowerTierFreeList.append(largeAllocation); > + m_space.m_sweptLowerTierCells.append(largeAllocation); Can a largeAllocation ever be on the m_sweptLowerTierCells list but not in the m_lowerTierFreeList? If not, why have the m_lowerTierFreeList at all? Why not just take objects from m_sweptLowerTierCells? As far as I can tell they seem like they contain the same information. > Source/JavaScriptCore/heap/LargeAllocation.cpp:163 > +LargeAllocation* LargeAllocation::reuseForLowerTier() > +{ > + Heap& heap = *this->heap(); > + size_t size = m_cellSize; > + Subspace* subspace = m_subspace; > + bool adjustedAlignment = m_adjustedAlignment; > + uint8_t lowerTierIndex = m_lowerTierIndex; > + > + void* space = this->basePointer(); > + this->~LargeAllocation(); > + > + LargeAllocation* largeAllocation = new (NotNull, space) LargeAllocation(heap, size, subspace, 0, adjustedAlignment); > + largeAllocation->m_lowerTierIndex = lowerTierIndex; > + largeAllocation->m_hasValidCell = false; > + return largeAllocation; > +} Does this do anything? You only call this from sweepLowerTierCell() but that's only called if the cell is already lower tier?

Comment on attachment 383088 [details] Patch Attachment 383088 [details] did not pass jsc-ews (mac): Output: https://webkit-queues.webkit.org/results/13224718 New failing tests: stress/llint-put-to-scope-global-cache-watchpoint-invalidate.js.dfg-eager

Comment on attachment 383088 [details] Patch Attachment 383088 [details] did not pass win-ews (win): Output: https://webkit-queues.webkit.org/results/13227668 Number of test failures exceeded the failure limit.

Created attachment 383166 [details] Archive of layout-test-results from ews210 for win-future The attached test failures were seen while running run-webkit-tests on the win-ews. Bot: ews210 Port: win-future Platform: CYGWIN_NT-10.0-17763-3.0.5-338.x86_64-x86_64-64bit

Comment on attachment 383088 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=383088&action=review Thanks! >> Source/JavaScriptCore/ChangeLog:13 >> + We use LargeAllocation for this lower-tier objects. Each IsoSubspace holds up to 8 lower-tier objects > > nit: this => these Fixed. >> Source/JavaScriptCore/ChangeLog:15 >> + here). And once this LargeAllocation is allocated to a certain type, we do not deallocate it until VM > > Can you clarify this slightly. I think you are saying something like: > > The allocation order for any given cell type is: > try to allocate in an existing MarkedBlock (there won't be one to start). > try to allocate in an existing LargeAllocation. > allocate a new MarkedBlock and/or GC. Fixed. >> Source/JavaScriptCore/ChangeLog:26 >> + maintain this hash-set only when sampling profiler is enabled to save memory in major cases. > > Did you benchmark how much this impacts the sampling profiler's regression on the rest of the system? This only happens when the sampling-profiler is enabled (so, in usual web-browsing, this does not happen). And I don't have any data about the score of sampling-profiler enabled/disabled. And I quickly run JetStream2 w/ old and new builds while enabling sampling-profiler and it is neutral. Maybe because lower-tier cells are by definition limited. >>> Source/JavaScriptCore/ChangeLog:31 >>> + We also make sizeof(LargeAllocation) small since it is now used for non-large allocations. >> >> The name `LargeAllocation` is a bit weird, but anyway, in this patch, I don't change it. > > Can you do a follow up patch to rename `LargeAllocation` to `CustomAllocation` or something? Will change it to PreciseAllocation. >> Source/JavaScriptCore/heap/HeapUtil.h:165 >> + // It does not find the cell if the pointer is pointing at the middle of a JSCell. > > Nit: It does => This does. Fixed. >> Source/JavaScriptCore/heap/IsoSubspace.cpp:123 >> + m_space.m_sweptLowerTierCells.append(largeAllocation); > > Can a largeAllocation ever be on the m_sweptLowerTierCells list but not in the m_lowerTierFreeList? If not, why have the m_lowerTierFreeList at all? Why not just take objects from m_sweptLowerTierCells? As far as I can tell they seem like they contain the same information. I intentionally did not do that because I do not want to iterate all Subspaces when destroying VM due to performance. But maybe, it does not matter much. Just iterating Subspace for now. >> Source/JavaScriptCore/heap/LargeAllocation.cpp:163 >> +} > > Does this do anything? You only call this from sweepLowerTierCell() but that's only called if the cell is already lower tier? It destroying previous LargeAllocation and reconstructing it, LargeAllocation includes WeakSet etc. I think destroying the previous one here is better since we do not need to rely on the destructor's behavior of LargeAllocation if we destroy it here anyway.

Committed r252298: <https://trac.webkit.org/changeset/252298>

It looks like the changes in https://trac.webkit.org/changeset/252298/webkit has caused windows testing to exit early with crashes. Build: https://build.webkit.org/builders/Apple%20Win%2010%20Release%20%28Tests%29/builds/3907 can this be looked at soon?

Results page with crash log links: https://build.webkit.org/results/Apple%20Win%2010%20Release%20(Tests)/r252302%20(3907)/results.html

Pulled this from the bot: SIGTERM signal receivedTraceback(most recent call last): File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/layout_tests/run_webkit_tests.py", line 459, in <module> sys.exit(main(sys.argv[1:], sys.stdout, sys.stderr)) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/layout_tests/run_webkit_tests.py", line 91, in main run_details = run(port, options, args, stderr) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/layout_tests/run_webkit_tests.py", line 452, in run run_details = manager.run(args) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/layout_tests/controllers/manager.py", line 275, in run temp_initial_results, temp_retry_results, temp_enabled_pixel_tests_in_retry = self._run_test_subset(tests_to_run_by_device[device_type], tests_to_skip, device_type=device_type) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/layout_tests/controllers/manager.py", line 339, in _run_test_subset initial_results = self._run_tests(tests_to_run, tests_to_skip, self._options.repeat_each, self._options.iterations, int(self._options.child_processes), retrying=False, device_type=device_type) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/layout_tests/controllers/manager.py", line 400, in _run_tests return self._runner.run_tests(self._expectations[device_type], test_inputs, tests_to_skip, num_workers, retrying) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/layout_tests/controllers/layout_test_runner.py", line 126, in run_tests pool.run(('test_list', shard.name, shard.test_inputs) for shard in all_shards) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/common/message_pool.py", line 100, in run self.wait() File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/common/message_pool.py", line 130, in wait self._start_workers() File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/common/message_pool.py", line 112, in _start_workers worker.start() File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/common/message_pool.py", line 250, in start super(_Worker, self).start() File "/usr/lib/python2.7/multiprocessing/process.py", line 130, in start self._popen = Popen(self) File "/usr/lib/python2.7/multiprocessing/forking.py", line 126, in __init__ code = process_obj._bootstrap() File "/usr/lib/python2.7/multiprocessing/process.py", line 267, in _bootstrap self.run() File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/common/message_pool.py", line 268, in run worker.handle(message.name, message.src, *message.args) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/layout_tests/controllers/layout_test_runner.py", line 290, in handle self._run_test(test_input, test_list_name) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/layout_tests/controllers/layout_test_runner.py", line 316, in _run_test result = self._run_test_with_or_without_timeout(test_input, test_timeout_sec, stop_when_done) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/layout_tests/controllers/layout_test_runner.py", line 382, in _run_test_with_or_without_timeout return self._run_test_in_this_thread(test_input, stop_when_done) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/layout_tests/controllers/layout_test_runner.py", line 468, in _run_test_in_this_thread return self._run_single_test(self._driver, test_input, stop_when_done) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/layout_tests/controllers/layout_test_runner.py", line 472, in _run_single_test self._name, driver, test_input, stop_when_done) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/layout_tests/controllers/single_test_runner.py", line 46, in run_single_test return runner.run() File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/layout_tests/controllers/single_test_runner.py", line 105, in run return self._run_compare_test() File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/layout_tests/controllers/single_test_runner.py", line 108, in _run_compare_test driver_output = self._driver.run_test(self._driver_input(), self._stop_when_done) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/port/driver.py", line 793, in run_test return self._driver.run_test(driver_input, stop_when_done) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/port/driver.py", line 239, in run_test self.error_from_test, crash_log = self._get_crash_log(text, self.error_from_test, newer_than=start_time) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/port/driver.py", line 308, in _get_crash_log return self._port._get_crash_log(self._crashed_process_name, self._crashed_pid, stdout, stderr, newer_than, target_host=self._target_host) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/port/win.py", line 411, in _get_crash_log crash_log = crash_logs.find_newest_log(name, pid, include_errors=True, newer_than=newer_than) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/common/system/crashlogs.py", line 56, in find_newest_log return self._find_newest_log_win(process_name, pid, include_errors, newer_than) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/common/system/crashlogs.py", line 109, in _find_newest_log_win logs = self._host.filesystem.files_under(self._crash_log_directory, file_filter=is_crash_log) File "/home/buildbot/worker/win10-release-tests/build/Tools/Scripts/webkitpy/common/system/filesystem.py", line 133, in files_under for (dirpath, dirnames, filenames) in os.walk(path): File "/usr/lib/python2.7/os.py", line 296, in walk for x in walk(new_path, topdown, onerror, followlinks): File "/usr/lib/python2.7/os.py", line 296, in walk for x in walk(new_path, topdown, onerror, followlinks): File "/usr/lib/python2.7/os.py", line 278, in walk names = listdir(top)

> [Inline Frame] JavaScriptCore.dll!JSC::AtomIndices::{ctor}(JSC::HeapCell *) Line 37 C++ [Inline Frame] JavaScriptCore.dll!JSC::IsoCellSet::add(JSC::HeapCell *) Line 38 C++ JavaScriptCore.dll!JSC::ScriptExecutable::installCode(JSC::VM & vm, JSC::CodeBlock * genericCodeBlock, JSC::CodeType codeType, JSC::CodeSpecializationKind kind) Line 191 C++ JavaScriptCore.dll!JSC::ScriptExecutable::prepareForExecutionImpl(JSC::VM & vm, JSC::JSFunction * function, JSC::JSScope * scope, JSC::CodeSpecializationKind kind, JSC::CodeBlock * & resultCodeBlock) Line 435 C++ [Inline Frame] JavaScriptCore.dll!JSC::ScriptExecutable::prepareForExecution(JSC::VM &) Line 1051 C++ JavaScriptCore.dll!JSC::Interpreter::executeProgram(const JSC::SourceCode & source, JSC::JSGlobalObject * __formal, JSC::JSObject * thisObj) Line 825 C++ JavaScriptCore.dll!JSC::evaluate(JSC::JSGlobalObject * globalObject, const JSC::SourceCode & source, JSC::JSValue thisValue, WTF::NakedPtr<JSC::Exception> & returnedException) Line 148 C++ JavaScriptCore.dll!JSC::profiledEvaluate(JSC::JSGlobalObject * globalObject, JSC::ProfilingReason reason, const JSC::SourceCode & source, JSC::JSValue thisValue, WTF::NakedPtr<JSC::Exception> & returnedException) Line 161 C++ [Inline Frame] WebKit.dll!WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject *) Line 79 C++ WebKit.dll!WebCore::ScriptController::evaluateInWorld(const WebCore::ScriptSourceCode & sourceCode, WebCore::DOMWrapperWorld & world, WebCore::ExceptionDetails * exceptionDetails) Line 134 C++ WebKit.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode, WebCore::ExceptionDetails * exceptionDetails) Line 150 C++ WebKit.dll!WebCore::ScriptElement::executeClassicScript(const WebCore::ScriptSourceCode & sourceCode) Line 391 C++ WebKit.dll!WebCore::LoadableClassicScript::execute(WebCore::ScriptElement & scriptElement) Line 123 C++ [Inline Frame] WebKit.dll!WebCore::ScriptElement::executeScriptAndDispatchEvent(WebCore::LoadableScript &) Line 429 C++ WebKit.dll!WebCore::ScriptElement::executePendingScript(WebCore::PendingScript & pendingScript) Line 437 C++ [Inline Frame] WebKit.dll!WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript &) Line 114 C++ WebKit.dll!WebCore::HTMLScriptRunner::executeParsingBlockingScripts() Line 164 C++ WebKit.dll!WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement,WTF::DumbPtrTraits<WebCore::ScriptElement>> && element, const WTF::TextPosition & scriptStartPosition) Line 150 C++ WebKit.dll!WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() Line 234 C++ WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode mode, bool parsingFragment, WebCore::PumpSession & session) Line 255 C++ WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode mode) Line 309 C++ [Inline Frame] WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) Line 186 C++ WebKit.dll!WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl,WTF::DumbPtrTraits<WTF::StringImpl>> && inputSource) Line 419 C++ WebKit.dll!WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter & writer, const char * data, unsigned int length) Line 50 C++ WebKit.dll!WebCore::DocumentWriter::addData(const char * bytes, unsigned int length) Line 258 C++ WebKit.dll!WebCore::DocumentLoader::commitData(const char * bytes, unsigned int length) Line 1125 C++ WebKit.dll!WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader * loader, const char * data, int length) Line 689 C++ WebKit.dll!WebCore::DocumentLoader::commitLoad(const char * data, int length) Line 1013 C++ WebKit.dll!WebCore::DocumentLoader::dataReceived(const char * data, int length) Line 1158 C++ WebKit.dll!WebCore::DocumentLoader::dataReceived(WebCore::CachedResource & resource, const char * data, int length) Line 1131 C++ WebKit.dll!WebCore::CachedRawResource::notifyClientsDataWasReceived(const char * data, unsigned int length) Line 135 C++ WebKit.dll!WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer & data) Line 74 C++ WebKit.dll!WebCore::SubresourceLoader::didReceiveDataOrBuffer(const char * data, int length, WTF::RefPtr<WebCore::SharedBuffer,WTF::DumbPtrTraits<WebCore::SharedBuffer>> && buffer, __int64 encodedDataLength, WebCore::DataPayloadType dataPayloadType) Line 505 C++ WebKit.dll!WebCore::SubresourceLoader::didReceiveBuffer(WTF::Ref<WebCore::SharedBuffer,WTF::DumbPtrTraits<WebCore::SharedBuffer>> && buffer, __int64 encodedDataLength, WebCore::DataPayloadType dataPayloadType) Line 485 C++ WebKit.dll!WebCore::ResourceLoader::didReceiveBuffer(WebCore::ResourceHandle * __formal, WTF::Ref<WebCore::SharedBuffer,WTF::DumbPtrTraits<WebCore::SharedBuffer>> && buffer, int encodedDataLength) Line 694 C++ [Inline Frame] WebKit.dll!WebCore::ResourceHandleCFURLConnectionDelegateWithOperationQueue::didReceiveData::__l2::<lambda_5f349daa7f72b184051aee54a6289cd4>::operator()() Line 225 C++ WebKit.dll!WTF::Detail::CallableWrapper<<lambda_5f349daa7f72b184051aee54a6289cd4>,void>::call() Line 52 C++ [Inline Frame] WTF.dll!WTF::Function<void __cdecl(void)>::operator()() Line 79 C++ WTF.dll!WTF::dispatchFunctionsFromMainThread() Line 97 C++ WTF.dll!WTF::ThreadingWindowWndProc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam) Line 51 C++ [External Code] user32.dll![Frames below may be incorrect and/or missing, no symbols loaded for user32.dll] Unknown DumpRenderTreeLib.dll!runTest(const std::string & inputLine) Line 1272 C++ DumpRenderTreeLib.dll!main(int argc, const char * * argv) Line 1642 C++ DumpRenderTreeLib.dll!dllLauncherEntryPoint(int argc, const char * * argv) Line 1682 C++ DumpRenderTree.exe!main(int argc, const char * * argv) Line 230 C++ [External Code]

(In reply to Per Arne Vollan from comment #30) > > [Inline Frame] JavaScriptCore.dll!JSC::AtomIndices::{ctor}(JSC::HeapCell *) Line 37 C++ > [Inline Frame] JavaScriptCore.dll!JSC::IsoCellSet::add(JSC::HeapCell *) > Line 38 C++ > JavaScriptCore.dll!JSC::ScriptExecutable::installCode(JSC::VM & vm, > JSC::CodeBlock * genericCodeBlock, JSC::CodeType codeType, > JSC::CodeSpecializationKind kind) Line 191 C++ > JavaScriptCore.dll!JSC::ScriptExecutable::prepareForExecutionImpl(JSC::VM > & vm, JSC::JSFunction * function, JSC::JSScope * scope, > JSC::CodeSpecializationKind kind, JSC::CodeBlock * & resultCodeBlock) Line > 435 C++ > [Inline Frame] > JavaScriptCore.dll!JSC::ScriptExecutable::prepareForExecution(JSC::VM &) > Line 1051 C++ > JavaScriptCore.dll!JSC::Interpreter::executeProgram(const JSC::SourceCode > & source, JSC::JSGlobalObject * __formal, JSC::JSObject * thisObj) Line 825 > C++ > JavaScriptCore.dll!JSC::evaluate(JSC::JSGlobalObject * globalObject, const > JSC::SourceCode & source, JSC::JSValue thisValue, > WTF::NakedPtr<JSC::Exception> & returnedException) Line 148 C++ > JavaScriptCore.dll!JSC::profiledEvaluate(JSC::JSGlobalObject * > globalObject, JSC::ProfilingReason reason, const JSC::SourceCode & source, > JSC::JSValue thisValue, WTF::NakedPtr<JSC::Exception> & returnedException) > Line 161 C++ > [Inline Frame] > WebKit.dll!WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject *) > Line 79 C++ > WebKit.dll!WebCore::ScriptController::evaluateInWorld(const > WebCore::ScriptSourceCode & sourceCode, WebCore::DOMWrapperWorld & world, > WebCore::ExceptionDetails * exceptionDetails) Line 134 C++ > WebKit.dll!WebCore::ScriptController::evaluate(const > WebCore::ScriptSourceCode & sourceCode, WebCore::ExceptionDetails * > exceptionDetails) Line 150 C++ > WebKit.dll!WebCore::ScriptElement::executeClassicScript(const > WebCore::ScriptSourceCode & sourceCode) Line 391 C++ > WebKit.dll!WebCore::LoadableClassicScript::execute(WebCore::ScriptElement > & scriptElement) Line 123 C++ > [Inline Frame] > WebKit.dll!WebCore::ScriptElement::executeScriptAndDispatchEvent(WebCore:: > LoadableScript &) Line 429 C++ > > WebKit.dll!WebCore::ScriptElement::executePendingScript(WebCore:: > PendingScript & pendingScript) Line 437 C++ > [Inline Frame] > WebKit.dll!WebCore::HTMLScriptRunner:: > executePendingScriptAndDispatchEvent(WebCore::PendingScript &) Line 114 C++ > WebKit.dll!WebCore::HTMLScriptRunner::executeParsingBlockingScripts() Line > 164 C++ > > WebKit.dll!WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore:: > ScriptElement,WTF::DumbPtrTraits<WebCore::ScriptElement>> && element, const > WTF::TextPosition & scriptStartPosition) Line 150 C++ > WebKit.dll!WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() > Line 234 C++ > > WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore:: > HTMLDocumentParser::SynchronousMode mode, bool parsingFragment, > WebCore::PumpSession & session) Line 255 C++ > > WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizer(WebCore:: > HTMLDocumentParser::SynchronousMode mode) Line 309 C++ > [Inline Frame] > WebKit.dll!WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore:: > HTMLDocumentParser::SynchronousMode) Line 186 C++ > > WebKit.dll!WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, > WTF::DumbPtrTraits<WTF::StringImpl>> && inputSource) Line 419 C++ > > WebKit.dll!WebCore::DecodedDataDocumentParser::appendBytes(WebCore:: > DocumentWriter & writer, const char * data, unsigned int length) Line 50 C++ > WebKit.dll!WebCore::DocumentWriter::addData(const char * bytes, unsigned > int length) Line 258 C++ > WebKit.dll!WebCore::DocumentLoader::commitData(const char * bytes, > unsigned int length) Line 1125 C++ > WebKit.dll!WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader * > loader, const char * data, int length) Line 689 C++ > WebKit.dll!WebCore::DocumentLoader::commitLoad(const char * data, int > length) Line 1013 C++ > WebKit.dll!WebCore::DocumentLoader::dataReceived(const char * data, int > length) Line 1158 C++ > WebKit.dll!WebCore::DocumentLoader::dataReceived(WebCore::CachedResource & > resource, const char * data, int length) Line 1131 C++ > WebKit.dll!WebCore::CachedRawResource::notifyClientsDataWasReceived(const > char * data, unsigned int length) Line 135 C++ > WebKit.dll!WebCore::CachedRawResource::updateBuffer(WebCore::SharedBuffer > & data) Line 74 C++ > WebKit.dll!WebCore::SubresourceLoader::didReceiveDataOrBuffer(const char * > data, int length, > WTF::RefPtr<WebCore::SharedBuffer,WTF::DumbPtrTraits<WebCore::SharedBuffer>> > && buffer, __int64 encodedDataLength, WebCore::DataPayloadType > dataPayloadType) Line 505 C++ > > WebKit.dll!WebCore::SubresourceLoader::didReceiveBuffer(WTF::Ref<WebCore:: > SharedBuffer,WTF::DumbPtrTraits<WebCore::SharedBuffer>> && buffer, __int64 > encodedDataLength, WebCore::DataPayloadType dataPayloadType) Line 485 C++ > > WebKit.dll!WebCore::ResourceLoader::didReceiveBuffer(WebCore::ResourceHandle > * __formal, > WTF::Ref<WebCore::SharedBuffer,WTF::DumbPtrTraits<WebCore::SharedBuffer>> && > buffer, int encodedDataLength) Line 694 C++ > [Inline Frame] > WebKit.dll!WebCore::ResourceHandleCFURLConnectionDelegateWithOperationQueue:: > didReceiveData::__l2::<lambda_5f349daa7f72b184051aee54a6289cd4>:: > operator()() Line 225 C++ > > WebKit.dll!WTF::Detail:: > CallableWrapper<<lambda_5f349daa7f72b184051aee54a6289cd4>,void>::call() Line > 52 C++ > [Inline Frame] WTF.dll!WTF::Function<void __cdecl(void)>::operator()() > Line 79 C++ > WTF.dll!WTF::dispatchFunctionsFromMainThread() Line 97 C++ > WTF.dll!WTF::ThreadingWindowWndProc(HWND__ * hWnd, unsigned int message, > unsigned int wParam, long lParam) Line 51 C++ > [External Code] > user32.dll![Frames below may be incorrect and/or missing, no symbols > loaded for user32.dll] Unknown > DumpRenderTreeLib.dll!runTest(const std::string & inputLine) Line 1272 C++ > DumpRenderTreeLib.dll!main(int argc, const char * * argv) Line 1642 C++ > DumpRenderTreeLib.dll!dllLauncherEntryPoint(int argc, const char * * argv) > Line 1682 C++ > DumpRenderTree.exe!main(int argc, const char * * argv) Line 230 C++ > [External Code] Nice! Thanks, looking.

Reopening to attach new patch.

Created attachment 383292 [details] Patch

Created attachment 383293 [details] Patch

Created attachment 383294 [details] Patch

Created attachment 383295 [details] Patch

Created attachment 383298 [details] Patch

Committed r252341: <https://trac.webkit.org/changeset/252341>

Committed r252347: <https://trac.webkit.org/changeset/252347>

Follow-up fix, waiting for review. https://bugs.webkit.org/show_bug.cgi?id=204124