RESOLVED FIXED 206557
Fix small memory regression caused by r206365 
https://bugs.webkit.org/show_bug.cgi?id=206557
Summary Fix small memory regression caused by r206365
Justin Michaud
Reported 2020-01-21 14:47:13 PST Comment hidden (obsolete)
Attachments
Patch (7.45 KB, patch)
2020-01-21 16:28 PST, Justin Michaud 		no flags
DetailsFormatted DiffDiff
Patch (7.49 KB, patch)
2020-01-21 17:58 PST, Justin Michaud 		no flags
DetailsFormatted DiffDiff
Patch (7.46 KB, patch)
2020-01-29 12:45 PST, Justin Michaud 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Justin Michaud
Comment 1 2020-01-21 16:11:31 PST
Put StructureRareData::m_giveUpOnObjectToStringValueCache into m_objectToStringValue to prevent increasing StructureRareData's size.
Justin Michaud
Comment 2 2020-01-21 16:28:54 PST
Created attachment 388370 [details] Patch
Yusuke Suzuki
Comment 3 2020-01-21 16:40:56 PST
Comment on attachment 388370 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=388370&action=review I think this direction is correct. But I found several bugs. > Source/JavaScriptCore/runtime/StructureRareData.cpp:74 > + visitor.appendUnbarriered(thisObject->objectToStringValue()); `appendUnbarriered` assumes that whether the cell pointer is valid or nullptr. Let's do the similar thing done for `m_cachedOwnKeys` below. > Source/JavaScriptCore/runtime/StructureRareData.cpp:97 > + if (objectToStringValue() == giveUpOnObjectToStringValueCacheValue()) This never happens since `objectToStringValue()` returns nullptr if the stored value is `giveUpOnObjectToStringValueCacheValue`. Let's directly read m_objectToStringValue here, and check it carefully. > Source/JavaScriptCore/runtime/StructureRareData.cpp:159 > + if (objectToStringValue() != giveUpOnObjectToStringValueCacheValue()) Ditto.
Justin Michaud
Comment 4 2020-01-21 17:58:59 PST
Created attachment 388384 [details] Patch
Yusuke Suzuki
Comment 5 2020-01-21 19:22:14 PST
Comment on attachment 388384 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=388384&action=review r=me with nits. > Source/JavaScriptCore/runtime/StructureRareData.h:71 > + bool doGiveUpOnObjectToStringValueCache() { return m_objectToStringValue.unvalidatedGet() == giveUpOnObjectToStringValueCacheValue(); } `doGiveUpOnObjectToStringValueCache` sounds like we give up caching by this function. Can you rename it to `canCacheObjectToStringValue()`? > Source/JavaScriptCore/runtime/StructureRareData.h:72 > + static JSString* giveUpOnObjectToStringValueCacheValue() { return bitwise_cast<JSString*>(static_cast<uintptr_t>(1)); } Let's rename it something like "objectToStringCacheGiveUpMarker()", otherwise, this function name sounds like we are giving up caching by this function.
Justin Michaud
Comment 6 2020-01-29 12:45:36 PST
Created attachment 389174 [details] Patch
WebKit Commit Bot
Comment 7 2020-01-29 13:30:33 PST
Comment on attachment 389174 [details] Patch Clearing flags on attachment: 389174 Committed r255380: <https://trac.webkit.org/changeset/255380>
WebKit Commit Bot
Comment 8 2020-01-29 13:30:35 PST
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 9 2020-01-29 13:31:17 PST
<rdar://problem/59004377>
Maciej Stachowiak
Comment 10 2020-01-30 22:54:20 PST
The cited regression revision here is probably wrong, since <https://trac.webkit.org/changeset/206365/webkit> only changes TestExpectations.
Maciej Stachowiak
Comment 11 2020-01-30 22:56:33 PST
Pretty sure this was meant to reference https://trac.webkit.org/changeset/254760/webkit (which is bug 206365)
Note You need to log in before you can comment on or make changes to this bug.