Title: [205466] trunk/Source/_javascript_Core
Revision: 205466
Author: fpi...@apple.com
Date: 2016-09-05 19:39:11 -0700 (Mon, 05 Sep 2016)

Log Message

Heap::isMarked() should use concurrent lazy flipping
https://bugs.webkit.org/show_bug.cgi?id=161613

Reviewed by Michael Catanzaro.

I found out about this race condition via
https://bugs.webkit.org/show_bug.cgi?id=160125#c233.

The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
phase. So, they need to lazy-flip in a non-racy way.

* heap/HeapInlines.h:
(JSC::Heap::isLive):
(JSC::Heap::isMarked):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (205465 => 205466)


--- trunk/Source/_javascript_Core/ChangeLog	2016-09-06 02:16:03 UTC (rev 205465)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-09-06 02:39:11 UTC (rev 205466)
@@ -1,5 +1,22 @@
 2016-09-05  Filip Pizlo  <fpi...@apple.com>
 
+        Heap::isMarked() should use concurrent lazy flipping
+        https://bugs.webkit.org/show_bug.cgi?id=161613
+
+        Reviewed by Michael Catanzaro.
+        
+        I found out about this race condition via
+        https://bugs.webkit.org/show_bug.cgi?id=160125#c233.
+        
+        The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
+        phase. So, they need to lazy-flip in a non-racy way.
+
+        * heap/HeapInlines.h:
+        (JSC::Heap::isLive):
+        (JSC::Heap::isMarked):
+
+2016-09-05  Filip Pizlo  <fpi...@apple.com>
+
         Unreviewed, reset generator test results after the butterflies.
 
         * Scripts/tests/builtins/expected/_javascript_Core-Builtin.Promise-Combined.js-result:
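Review bot: the rationale in the new entry is hedged ("maybe even isLive") while the patch switches both isLive and isMarked to the concurrent flip; stating which concurrent-mark callers reach each of the two functions would make the entry a precise record of why both needed changing rather than leaving the isLive case as a guess.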

Modified: trunk/Source/_javascript_Core/heap/HeapInlines.h (205465 => 205466)


--- trunk/Source/_javascript_Core/heap/HeapInlines.h	2016-09-06 02:16:03 UTC (rev 205465)
+++ trunk/Source/_javascript_Core/heap/HeapInlines.h	2016-09-06 02:39:11 UTC (rev 205466)
@@ -80,7 +80,7 @@
     if (cell->isLargeAllocation())
         return cell->largeAllocation().isLive();
     MarkedBlock& block = cell->markedBlock();
-    block.flipIfNecessary(block.vm()->heap.objectSpace().version());
+    block.flipIfNecessaryConcurrently(block.vm()->heap.objectSpace().version());
     return block.handle().isLiveCell(cell);
 }
 
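Review bot: the early return for large allocations (`return cell->largeAllocation().isLive();`) performs no flip at all, so the concurrent-safety argument for this function rests on that path being safe without one; a one-line comment at the `flipIfNecessaryConcurrently` call explaining why the block path must use the concurrent variant here (it is reached from the concurrent mark phase, per the log message) would keep a future cleanup from reverting it to `flipIfNecessary`.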
@@ -90,7 +90,7 @@
     if (cell->isLargeAllocation())
         return cell->largeAllocation().isMarked();
     MarkedBlock& block = cell->markedBlock();
-    block.flipIfNecessary(block.vm()->heap.objectSpace().version());
+    block.flipIfNecessaryConcurrently(block.vm()->heap.objectSpace().version());
     return block.isMarked(cell);
 }
 
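Review bot: `block.isMarked(cell)` is read immediately after `flipIfNecessaryConcurrently`, so correctness depends on that call establishing the ordering that makes the flipped mark state visible to this thread when another thread won the flip; nothing in the hunk shows which thread is expected to call isMarked, so a brief comment documenting that guarantee at this call site would tie the change to the race described in the log message.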
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
