RESOLVED FIXED 87599
Weak pointer finalization should be lazy 
https://bugs.webkit.org/show_bug.cgi?id=87599
Summary Weak pointer finalization should be lazy
Geoffrey Garen
Reported 2012-05-27 15:01:36 PDT
Weak pointer finalization should be lazy
Attachments
Patch (4.12 KB, patch)
2012-05-27 15:07 PDT, Geoffrey Garen 		no flags
DetailsFormatted DiffDiff
Patch (7.58 KB, patch)
2012-06-02 18:50 PDT, Geoffrey Garen 		sam: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Geoffrey Garen
Comment 1 2012-05-27 15:07:19 PDT
Created attachment 144240 [details] Patch
Geoffrey Garen
Comment 2 2012-05-27 15:09:38 PDT
Benchmark results from gc-dom-latency.html: TOT: ------ average pause: 182.59259259259258 max pause: 714 iterations / pause: 24008.283950617282 iterations / pause ms: 131.48553076402976 iterations / ms: 53.93773229045321 PATCH: ------ average pause: 73.04878048780488 [2.5X improvement] max pause: 218 [3.3X improvement] iterations / pause: 39871.19512195122 [1.7X improvement] iterations / pause ms: 545.8160267111853 [4.2X improvement] iterations / ms: 64.52923064777168 [1.2X improvement]
Geoffrey Garen
Comment 3 2012-05-27 21:56:06 PDT
Committed r118646: <http://trac.webkit.org/changeset/118646>
WebKit Review Bot
Comment 4 2012-05-28 20:09:31 PDT
Re-opened since this is blocked by 87691
Filip Pizlo
Comment 5 2012-05-28 20:11:20 PDT
This causes crashes when running the V8 raytrace benchmark within the V8v6 harness: Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000048 JSC::Structure::classInfo (this=0x0) at Structure.h:186 186 const ClassInfo* classInfo() const { return m_classInfo; } (gdb) bt #0 JSC::Structure::classInfo (this=0x0) at Structure.h:186 #1 0x000000010007e2f8 in JSC::Structure::typeInfo (this=0x100fc3740) at Structure.h:121 #2 0x000000010039f636 in JSC::Structure::Structure (this=0x100fcf220, globalData=@0x101007c00, previous=0x100fc3740) at /Volumes/Data/pizlo/quartary/OpenSource/Source/JavaScriptCore/runtime/Structure.cpp:197 #3 0x000000010039f5d5 in JSC::Structure::Structure (this=0x100fcf220, globalData=@0x101007c00, previous=0x100fc3740) at /Volumes/Data/pizlo/quartary/OpenSource/Source/JavaScriptCore/runtime/Structure.cpp:215 #4 0x00000001003a2e17 in JSC::Structure::create (globalData=@0x101007c00, structure=0x100fc3740) at Structure.h:223 #5 0x00000001003a041b in JSC::Structure::addPropertyTransition (globalData=@0x101007c00, structure=0x100fc3740, propertyName={m_impl = 0x101818080, static NotAnIndex = 4294967295}, attributes=0, specificValue=0x0, offset=@0x7fff5fbfde90) at /Volumes/Data/pizlo/quartary/OpenSource/Source/JavaScriptCore/runtime/Structure.cpp:329 #6 0x0000000100080a74 in JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1> (this=0x102fb7d80, globalData=@0x101007c00, propertyName={m_impl = 0x101818080, static NotAnIndex = 4294967295}, value={u = {asInt64 = -281474976710556, ptr = 0xffff000000000064, asBits = {payload = 100, tag = -65536}}}, attributes=0, slot=@0x7fff5fbfe050, specificFunction=0x0) at JSObject.h:744 #7 0x000000010017faa9 in JSC::JSObject::putDirect (this=0x102fb7d80, globalData=@0x101007c00, propertyName={m_impl = 0x101818080, static NotAnIndex = 4294967295}, value={u = {asInt64 = -281474976710556, ptr = 0xffff000000000064, asBits = {payload = 100, tag = -65536}}}, slot=@0x7fff5fbfe050) at JSObject.h:775 #8 0x000000010024ae9c in cti_op_put_by_id_direct (args=0x7fff5fbfe0b0) at /Volumes/Data/pizlo/quartary/OpenSource/Source/JavaScriptCore/jit/JITStubs.cpp:1445 #9 0x00000001002557f0 in JSC::JITThunks::clearHostFunctionStubs () at /Volumes/Data/pizlo/quartary/OpenSource/Source/JavaScriptCore/jit/JITStubs.cpp:3491 #10 0x000000010021d5a9 in JSC::JITCode::execute (this=0x100fcb6d8, registerFile=0x1018081d8, callFrame=0x104000038, globalData=0x101007c00) at JITCode.h:127 #11 0x00000001002192ab in JSC::Interpreter::execute (this=0x1018081c0, program=0x100fcb6c0, callFrame=0x100fdfb00, scopeChain=0x100feffc0, thisObj=0x100fdfa80) at /Volumes/Data/pizlo/quartary/OpenSource/Source/JavaScriptCore/interpreter/Interpreter.cpp:1232 #12 0x000000010010b442 in JSC::evaluate (exec=0x100fdfb00, scopeChain=0x100feffc0, source=@0x7fff5fbff8c0, thisValue={u = {asInt64 = 4311612032, ptr = 0x100fdfa80, asBits = {payload = 16644736, tag = 1}}}, returnedException=0x7fff5fbff8e0) at /Volumes/Data/pizlo/quartary/OpenSource/Source/JavaScriptCore/runtime/Completion.cpp:73 #13 0x0000000100008480 in runWithScripts (globalObject=0x100fdfa80, scripts=@0x7fff5fbff9a8, dump=false) at jsc.cpp:528 #14 0x0000000100007f4b in jscmain (argc=2, argv=0x7fff5fbffa50) at jsc.cpp:678 #15 0x0000000100007e5e in main (argc=2, argv=0x7fff5fbffa50) at jsc.cpp:493
Geoffrey Garen
Comment 6 2012-05-29 18:06:07 PDT
Back in: <http://trac.webkit.org/changeset/118868>
WebKit Review Bot
Comment 7 2012-05-30 00:07:26 PDT
Re-opened since this is blocked by 87828
Geoffrey Garen
Comment 8 2012-06-02 18:50:54 PDT
Created attachment 145466 [details] Patch
Sam Weinig
Comment 9 2012-06-02 18:53:36 PDT
Comment on attachment 145466 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=145466&action=review > Source/JavaScriptCore/ChangeLog:8 > + This time for sure! We will see.
Geoffrey Garen
Comment 10 2012-06-03 14:17:00 PDT
Committed r119364: <http://trac.webkit.org/changeset/119364>
Geoffrey Garen
Comment 11 2012-06-04 21:10:36 PDT
Rolled out again in <http://trac.webkit.org/changeset/119453> because it caused crashes when running v8-earley stand-alone in DRT in run-jsc-benchmarks.
Geoffrey Garen
Comment 12 2012-06-08 16:59:07 PDT
Rolled back in Part1: <http://trac.webkit.org/changeset/119878>.
Geoffrey Garen
Comment 13 2012-06-09 10:35:13 PDT
Rolled back in Part2: <http://trac.webkit.org/changeset/119909>.
Note You need to log in before you can comment on or make changes to this bug.