Modified: branches/safari-603-branch/Source/_javascript_Core/ChangeLog (210703 => 210704)
--- branches/safari-603-branch/Source/_javascript_Core/ChangeLog 2017-01-13 06:10:11 UTC (rev 210703)
+++ branches/safari-603-branch/Source/_javascript_Core/ChangeLog 2017-01-13 06:10:15 UTC (rev 210704)
@@ -1,5 +1,27 @@
2017-01-12 Matthew Hanson <matthew_han...@apple.com>
+ Merge r210609. rdar://problem/27896585
+
+ 2017-01-11 Andreas Kling <akl...@apple.com>
+
+ Crash when WebCore's GC heap grows way too large.
+ <https://webkit.org/b/166875>
+ <rdar://problem/27896585>
+
+ Reviewed by Mark Lam.
+
+ Add a simple API to JSC::Heap that allows setting a hard limit on the amount
+ of live bytes. If this is exceeded, we crash with a recognizable signature.
+ By default there is no limit.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::didExceedMaxLiveSize):
+ (JSC::Heap::updateAllocationLimits):
+ * heap/Heap.h:
+ (JSC::Heap::setMaxLiveSize):
+
+2017-01-12 Matthew Hanson <matthew_han...@apple.com>
+
Merge r210565. rdar://problem/29942167
2017-01-09 Filip Pizlo <fpi...@apple.com>
Modified: branches/safari-603-branch/Source/_javascript_Core/heap/Heap.cpp (210703 => 210704)
--- branches/safari-603-branch/Source/_javascript_Core/heap/Heap.cpp 2017-01-13 06:10:11 UTC (rev 210703)
+++ branches/safari-603-branch/Source/_javascript_Core/heap/Heap.cpp 2017-01-13 06:10:15 UTC (rev 210704)
@@ -1676,6 +1676,11 @@
m_sweeper->startSweeping();
}
+NEVER_INLINE void Heap::didExceedMaxLiveSize()
+{
+ CRASH();
+}
+
void Heap::updateAllocationLimits()
{
static const bool verbose = false;
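Review bot: The new `Heap::didExceedMaxLiveSize` at the top of the hunk carries no comment explaining why a one-line `CRASH()` is split out into its own NEVER_INLINE function instead of being called directly at the check site; the ChangeLog gives the reason (a recognizable crash signature) but the code does not. Suggest adding above the definition: `// Kept out of line so this crash has its own recognizable frame in crash reports.` The definition's NEVER_INLINE and the header's NO_RETURN_DUE_TO_CRASH declaration agree with each other since the body cannot return. `Heap::updateAllocationLimits`, whose opening lines close the hunk, continues past it.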
@@ -1707,6 +1712,9 @@
if (verbose)
dataLog("extraMemorySize() = ", extraMemorySize(), ", currentHeapSize = ", currentHeapSize, "\n");
+
+ if (m_maxLiveSize && currentHeapSize > m_maxLiveSize)
+ didExceedMaxLiveSize();
if (Options::gcMaxHeapSize() && currentHeapSize > Options::gcMaxHeapSize())
HeapStatistics::exitWithFailure();
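Review bot: The added `if (m_maxLiveSize && currentHeapSize > m_maxLiveSize)` check is only reached from updateAllocationLimits, so the cap is enforced at the point allocation limits are recomputed rather than on each allocation; that makes it a backstop rather than a strict bound on peak live size, and a one-line comment would keep the next reader from assuming otherwise: `// Hard cap from setMaxLiveSize(); enforced only here, when limits are recomputed, not on every allocation.` The value compared is currentHeapSize, which the dataLog line just above prints alongside extraMemorySize(); if that total already includes reported extra memory (its computation is above the hunk, so I cannot confirm), the comment should say the cap covers it as well. Note also that this check sits immediately before the existing `Options::gcMaxHeapSize()` check, so when both limits are configured and exceeded the CRASH() path wins over `HeapStatistics::exitWithFailure()`. updateAllocationLimits starts before this hunk and continues after it.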
Modified: branches/safari-603-branch/Source/_javascript_Core/heap/Heap.h (210703 => 210704)
--- branches/safari-603-branch/Source/_javascript_Core/heap/Heap.h 2017-01-13 06:10:11 UTC (rev 210703)
+++ branches/safari-603-branch/Source/_javascript_Core/heap/Heap.h 2017-01-13 06:10:15 UTC (rev 210704)
@@ -131,6 +131,9 @@
void lastChanceToFinalize();
void releaseDelayedReleasedObjects();
+ // Set a hard limit where JSC will crash if live heap size exceeds it.
+ void setMaxLiveSize(size_t size) { m_maxLiveSize = size; }
+
VM* vm() const { return m_vm; }
MarkedSpace& objectSpace() { return m_objectSpace; }
MachineThreads& machineThreads() { return m_machineThreads; }
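Review bot: The comment on `setMaxLiveSize` does not state that 0 disables the limit, even though the member is initialized to 0 in the second hunk of this file and Heap.cpp only evaluates the comparison when `m_maxLiveSize` is nonzero, so the default contract is invisible from the header. Suggest extending it to `// Set a hard limit where JSC will crash if live heap size exceeds it. 0 (the default) means no limit.` and adding `// 0 means no limit.` beside `size_t m_maxLiveSize { 0 };` in the second hunk. From the Heap.cpp hunks the check appears to run only from Heap::updateAllocationLimits, so if that is the whole story the comment should also say the cap is not enforced on every allocation.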
@@ -619,6 +622,9 @@
size_t m_blockBytesAllocated { 0 };
size_t m_externalMemorySize { 0 };
#endif
+
+ NO_RETURN_DUE_TO_CRASH void didExceedMaxLiveSize();
+ size_t m_maxLiveSize { 0 };
std::unique_ptr<MutatorScheduler> m_scheduler;
Modified: branches/safari-603-branch/Source/WTF/ChangeLog (210703 => 210704)
--- branches/safari-603-branch/Source/WTF/ChangeLog 2017-01-13 06:10:11 UTC (rev 210703)
+++ branches/safari-603-branch/Source/WTF/ChangeLog 2017-01-13 06:10:15 UTC (rev 210704)
@@ -1,3 +1,19 @@
+2017-01-12 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r210609. rdar://problem/27896585
+
+ 2017-01-11 Andreas Kling <akl...@apple.com>
+
+ Crash when WebCore's GC heap grows way too large.
+ <https://webkit.org/b/166875>
+ <rdar://problem/27896585>
+
+ Reviewed by Mark Lam.
+
+ Publish the WTF::GB constant.
+
+ * wtf/StdLibExtras.h:
+
2017-01-11 Matthew Hanson <matthew_han...@apple.com>
Merge r210398. rdar://problem/29229439
Modified: branches/safari-603-branch/Source/WTF/wtf/StdLibExtras.h (210703 => 210704)
--- branches/safari-603-branch/Source/WTF/wtf/StdLibExtras.h 2017-01-13 06:10:11 UTC (rev 210703)
+++ branches/safari-603-branch/Source/WTF/wtf/StdLibExtras.h 2017-01-13 06:10:15 UTC (rev 210704)
@@ -477,6 +477,7 @@
using WTF::KB;
using WTF::MB;
+using WTF::GB;
using WTF::approximateBinarySearch;
using WTF::binarySearch;
using WTF::bitwise_cast;
Modified: branches/safari-603-branch/Source/WebCore/ChangeLog (210703 => 210704)
--- branches/safari-603-branch/Source/WebCore/ChangeLog 2017-01-13 06:10:11 UTC (rev 210703)
+++ branches/safari-603-branch/Source/WebCore/ChangeLog 2017-01-13 06:10:15 UTC (rev 210704)
@@ -1,5 +1,22 @@
2017-01-12 Matthew Hanson <matthew_han...@apple.com>
+ Merge r210609. rdar://problem/27896585
+
+ 2017-01-11 Andreas Kling <akl...@apple.com>
+
+ Crash when WebCore's GC heap grows way too large.
+ <https://webkit.org/b/166875>
+ <rdar://problem/27896585>
+
+ Reviewed by Mark Lam.
+
+ Cap the common WebCore VM at 4 GB of live _javascript_ heap objects.
+
+ * bindings/js/CommonVM.cpp:
+ (WebCore::commonVMSlow):
+
+2017-01-12 Matthew Hanson <matthew_han...@apple.com>
+
Merge r210599. rdar://problem/15307582
2017-01-11 Brent Fulgham <bfulg...@apple.com>
Modified: branches/safari-603-branch/Source/WebCore/bindings/js/CommonVM.cpp (210703 => 210704)
--- branches/safari-603-branch/Source/WebCore/bindings/js/CommonVM.cpp 2017-01-13 06:10:11 UTC (rev 210703)
+++ branches/safari-603-branch/Source/WebCore/bindings/js/CommonVM.cpp 2017-01-13 06:10:15 UTC (rev 210704)
@@ -47,6 +47,10 @@
ScriptController::initializeThreading();
g_commonVMOrNull = &VM::createLeaked(LargeHeap).leakRef();
+#if CPU(X86_64) || CPU(ARM64)
+ static const size_t maxGCHeapSize = 4 * GB;
+ g_commonVMOrNull->heap.setMaxLiveSize(maxGCHeapSize);
+#endif
g_commonVMOrNull->heap.acquireAccess(); // At any time, we may do things that affect the GC.
#if !PLATFORM(IOS)
g_commonVMOrNull->setExclusiveThread(std::this_thread::get_id());
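Review bot: The `#if CPU(X86_64) || CPU(ARM64)` guard around `static const size_t maxGCHeapSize = 4 * GB;` has no comment saying why the cap is applied only on 64-bit targets. Presumably it is because 4 * GB does not fit a 32-bit size_t; if GB is itself a size_t, the product would wrap to 0 on such targets, and Heap.cpp treats a 0 limit as "no limit", so the guard is what keeps the cap from silently disappearing rather than a mere optimization. Making that explicit in the code would be cheap: `// Only on 64-bit: 4 * GB does not fit a 32-bit size_t and would wrap to 0, which Heap treats as "no limit".`, `static constexpr size_t maxGCHeapSize = 4 * GB;`, and `static_assert(maxGCHeapSize > 0, "heap cap must not wrap to 0");` (the constexpr form assumes GB is a constant expression, which I cannot verify from here). The enclosing commonVMSlow begins above the hunk.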