WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
205592
[JSC] StructureChain should hold vector of StructureID
https://bugs.webkit.org/show_bug.cgi?id=205592
Summary
[JSC] StructureChain should hold vector of StructureID
Yusuke Suzuki
Reported
2019-12-25 04:49:26 PST
[JSC] StructureChain should hold vector of StructureID
Attachments
Patch
(12.82 KB, patch)
2019-12-25 04:51 PST
,
Yusuke Suzuki
mark.lam
: review+
Details
Formatted Diff
Diff
View All
Add attachment
proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1
2019-12-25 04:51:02 PST
Created
attachment 386406
[details]
Patch
Yusuke Suzuki
Comment 2
2019-12-25 04:52:14 PST
Comment on
attachment 386406
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=386406&action=review
> Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:1476 > + bineq t2, [t3], .opPutByIdSlow > + addp 4, t3 > + structureIDToStructureWithScratchAndTable(t2, t1, t0) > + loadq Structure::m_prototype[t2], t2 > bqneq t2, ValueNull, .opPutByIdTransitionChainLoop
We need to load Structure* from StructureID. If it really matters, I think we should reconsider using StructureID: we should use Structure* and we should put it in 32GB region so that we can use 32bit pointer for that. But, I think this does not matter much.
Mark Lam
Comment 3
2019-12-27 22:36:22 PST
Comment on
attachment 386406
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=386406&action=review
r=me
> Source/JavaScriptCore/runtime/Structure.cpp:1217 > + StructureID* structureIDVector = structureChain->head();
nit: I think "structureIDPointer" is a better name than "structureIDVector" here since we're using it as a bump pointer and not a vector. Alternatively, "currentStructureID" or "structureIDIterator" also works.
> Source/JavaScriptCore/runtime/StructureChain.cpp:67 > + vm.heap.writeBarrier(this);
Now that we're storing structureIDs and not setting a list of WriteBarrier<Structure>, I think we can put this writeBarrier() call after the loop. There's nothing gained by calling it repeatedly in the loop.
Yusuke Suzuki
Comment 4
2019-12-28 20:47:05 PST
Comment on
attachment 386406
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=386406&action=review
>> Source/JavaScriptCore/runtime/Structure.cpp:1217 >> + StructureID* structureIDVector = structureChain->head(); > > nit: I think "structureIDPointer" is a better name than "structureIDVector" here since we're using it as a bump pointer and not a vector. Alternatively, "currentStructureID" or "structureIDIterator" also works.
currentStructureID sounds nice. Fixed.
>> Source/JavaScriptCore/runtime/StructureChain.cpp:67 >> + vm.heap.writeBarrier(this); > > Now that we're storing structureIDs and not setting a list of WriteBarrier<Structure>, I think we can put this writeBarrier() call after the loop. There's nothing gained by calling it repeatedly in the loop.
Currently, storedPrototypeObject does not cause any GC related operations. But I think this is not guaranteed. So, make this safe, I like putting write-barrier here.
Yusuke Suzuki
Comment 5
2019-12-28 20:47:49 PST
Committed
r253931
: <
https://trac.webkit.org/changeset/253931
>
Radar WebKit Bug Importer
Comment 6
2019-12-28 20:48:18 PST
<
rdar://problem/58228521
>
Saam Barati
Comment 7
2019-12-29 20:55:10 PST
Comment on
attachment 386406
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=386406&action=review
>>> Source/JavaScriptCore/runtime/StructureChain.cpp:67 >>> + vm.heap.writeBarrier(this); >> >> Now that we're storing structureIDs and not setting a list of WriteBarrier<Structure>, I think we can put this writeBarrier() call after the loop. There's nothing gained by calling it repeatedly in the loop. > > Currently, storedPrototypeObject does not cause any GC related operations. But I think this is not guaranteed. So, make this safe, I like putting write-barrier here.
But if you moved writeBarrier outside the loop, |this| is alive, and would be visited regardless of what is inside the loop. The loop could GC all it wants and we should be safe. So Mark is correct that it could move out to the end of the loop (and it could’ve in the old code too). (That said, I’m not sure it matters much in practice.)
Yusuke Suzuki
Comment 8
2020-01-02 10:41:57 PST
Comment on
attachment 386406
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=386406&action=review
>>>> Source/JavaScriptCore/runtime/StructureChain.cpp:67 >>>> + vm.heap.writeBarrier(this); >>> >>> Now that we're storing structureIDs and not setting a list of WriteBarrier<Structure>, I think we can put this writeBarrier() call after the loop. There's nothing gained by calling it repeatedly in the loop. >> >> Currently, storedPrototypeObject does not cause any GC related operations. But I think this is not guaranteed. So, make this safe, I like putting write-barrier here. > > But if you moved writeBarrier outside the loop, |this| is alive, and would be visited regardless of what is inside the loop. The loop could GC all it wants and we should be safe. So Mark is correct that it could move out to the end of the loop (and it could’ve in the old code too). (That said, I’m not sure it matters much in practice.)
Is it correct? Let's consider the following case, Now, we attempt to store 3rd StructureID. We already did GC when creating 1st StructureID. And, after that, concurrent marking happens before 2nd StructureID is stored. 2nd Structure is not in newly-allocated space. The status is, 1. |this| is already marked, but this marking only visits 1st StructureID. 2. 2nd StructureID is already stored to the vector Then, GC happens in storedPrototypeObject. In this case, 2nd Structure can be missed because of lack of write-barrier.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug