Title: [204091] trunk/Source/bmalloc
- Revision
- 204091
- Author
- [email protected]
- Date
- 2016-08-03 11:43:15 -0700 (Wed, 03 Aug 2016)
Log Message
[bmalloc] Merging of XLargeRanges can leak the upper range
https://bugs.webkit.org/show_bug.cgi?id=160403
Reviewed by Michael Saboff.
* bmalloc/Heap.cpp:
(bmalloc::Heap::scavengeLargeObjects): Don't use removePhysical().
Recorded physical size is a performance optimization. It is not the
truth. So it might be zero even if a range contains physical pages.
Instead, iterate each range in the map unconditionally.
The map can shrink when we release the lock, so we must clamp our
iterator each time through the loop.
The map can grow when we release the lock, but we don't care because
growth restarts the scavenger from the beginning.
* bmalloc/XLargeMap.cpp:
(bmalloc::XLargeMap::removePhysical): Deleted. Not used anymore.
* bmalloc/XLargeMap.h:
(bmalloc::XLargeMap::ranges): Added direct access for the sake of
scavengeLargeObjects. (This violates our naming conventions -- I'll do
a rename in a follow-up patch.)
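The loop the log message describes (walk the free ranges from the top, drop the lock to release each one's pages, push it back, then clamp the index because the map may have shrunk meanwhile), worked through as an added example in plain C++. It is not bmalloc code: `Range`, `popAt`, `scavengeAll`, `runStable` and `runWithShrink` are stand-ins defined here, the sample ranges are constructed, and the lambda passed as `whileUnlocked` plays the role of another thread changing the map while the lock is released.

```cpp
// Added example, not bmalloc code: the clamped reverse-iteration idiom from the
// commit message, run against a stand-in vector of free ranges that "another
// thread" may shrink while the scavenger has released its lock.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <vector>

// Hypothetical stand-in for XLargeRange.
struct Range {
    uintptr_t begin;
    size_t size;
    size_t physicalSize; // recorded hint only; may be 0 while pages are resident
};

struct ScavengeResult {
    size_t scavenged;                // loop iterations performed
    std::vector<uintptr_t> released; // begin addresses in release order
    size_t finalSize;                // ranges left in the map afterwards
};

// Stand-in for Vector::pop(i): remove and return the element at index i.
// Assumption: order-preserving erase; the idiom only needs the indices
// below i to stay where they are.
static Range popAt(std::vector<Range>& v, size_t i)
{
    Range r = v[i];
    v.erase(v.begin() + i);
    return r;
}

// Mirrors the patched Heap::scavengeLargeObjects. `whileUnlocked` models what
// other threads do to the map while the lock is dropped; it may shrink it.
static ScavengeResult scavengeAll(std::vector<Range> ranges,
                                  const std::function<void(std::vector<Range>&)>& whileUnlocked)
{
    ScavengeResult result { 0, {}, 0 };
    // Every range is visited, whatever physicalSize says: the recorded value is
    // an optimization, not the truth (the old removePhysical() trusted it).
    for (size_t i = ranges.size(); i-- > 0; i = std::min(i, ranges.size())) {
        Range range = popAt(ranges, i);
        // lock.unlock(): pages go back to the OS; the map is unprotected.
        result.released.push_back(range.begin);
        whileUnlocked(ranges);
        // lock.lock(): the map may now be smaller than when i was chosen, so
        // the clamp in the for-increment is what keeps i a valid index.
        range.physicalSize = 0;
        ranges.push_back(range);
        ++result.scavenged;
    }
    result.finalSize = ranges.size();
    return result;
}

// Constructed sample map: three free ranges, the middle one recorded with a
// physical size of zero even though (by assumption) its pages are resident.
static std::vector<Range> sampleRanges()
{
    return { { 0x1000, 4096, 4096 }, { 0x2000, 4096, 0 }, { 0x3000, 4096, 4096 } };
}

// Nobody touches the map while unlocked: each range is released exactly once,
// top to bottom.
static ScavengeResult runStable()
{
    return scavengeAll(sampleRanges(), [](std::vector<Range>&) {});
}

// Another thread removes the lowest range during the first unlocked window.
// Without the clamp the next iteration would index 2 into a 2-element vector;
// with it the loop stays in bounds, at the cost of re-releasing the range it
// just pushed back (0x3000 appears twice in the release order).
static ScavengeResult runWithShrink()
{
    bool first = true;
    return scavengeAll(sampleRanges(), [&](std::vector<Range>& m) {
        if (first && !m.empty()) {
            m.erase(m.begin());
            first = false;
        }
    });
}

int main()
{
    ScavengeResult results[] = { runStable(), runWithShrink() };
    for (const auto& r : results) {
        std::printf("scavenged=%zu finalSize=%zu released:", r.scavenged, r.finalSize);
        for (uintptr_t b : r.released)
            std::printf(" %#lx", (unsigned long)b);
        std::printf("\n");
    }
    return 0;
}
```

Running it shows two things the diff alone does not: the range whose recorded `physicalSize` is 0 is still released (the old `removePhysical()` would have skipped it), and when the map shrinks during the unlocked window the clamp keeps `i` in bounds but makes the loop release the range it just pushed back a second time, which is why 0x3000 appears twice in the second run.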
Modified Paths
Diff
Modified: trunk/Source/bmalloc/ChangeLog (204090 => 204091)
--- trunk/Source/bmalloc/ChangeLog 2016-08-03 18:35:21 UTC (rev 204090)
+++ trunk/Source/bmalloc/ChangeLog 2016-08-03 18:43:15 UTC (rev 204091)
@@ -1,3 +1,31 @@
+2016-08-03 Geoffrey Garen <[email protected]>
+
+ [bmalloc] Merging of XLargeRanges can leak the upper range
+ https://bugs.webkit.org/show_bug.cgi?id=160403
+
+ Reviewed by Michael Saboff.
+
+ * bmalloc/Heap.cpp:
+ (bmalloc::Heap::scavengeLargeObjects): Don't use removePhysical().
+ Recorded physical size is a performance optimization. It is not the
+ truth. So it might be zero even if a range contains physical pages.
+
+ Instead, iterate each range in the map unconditionally.
+
+ The map can shrink when we release the lock, so we must clamp our
+ iterator each time through the loop.
+
+ The map can grow when we release the lock, but we don't care because
+ growth restarts the scavenger from the beginning.
+
+ * bmalloc/XLargeMap.cpp:
+ (bmalloc::XLargeMap::removePhysical): Deleted. Not used anymore.
+
+ * bmalloc/XLargeMap.h:
+ (bmalloc::XLargeMap::ranges): Added direct access for the sake of
+ scavengeLargeObjects. (This violates our naming conventions -- I'll do
+ a rename in a follow-up patch.)
+
2016-07-13 Enrica Casucci <[email protected]>
Update supported platforms in xcconfig files to match the sdk names.
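Review bot: the entry never connects the bug title to the fix. The title says merging of XLargeRanges can leak the upper range, but the explanation only states that the recorded physical size "is not the truth" without saying that a merged range can carry a recorded physical size of zero while its pages are still resident, so removePhysical() skipped it and its pages were never returned. One sentence making that link would let a later reader see why iterating every range unconditionally closes the leak.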
Modified: trunk/Source/bmalloc/bmalloc/Heap.cpp (204090 => 204091)
--- trunk/Source/bmalloc/bmalloc/Heap.cpp 2016-08-03 18:35:21 UTC (rev 204090)
+++ trunk/Source/bmalloc/bmalloc/Heap.cpp 2016-08-03 18:43:15 UTC (rev 204091)
@@ -131,13 +131,16 @@
void Heap::scavengeLargeObjects(std::unique_lock<StaticMutex>& lock, std::chrono::milliseconds sleepDuration)
{
- while (XLargeRange range = m_largeFree.removePhysical()) {
+ auto& ranges = m_largeFree.ranges();
+ for (size_t i = ranges.size(); i-- > 0; i = std::min(i, ranges.size())) {
+ auto range = ranges.pop(i);
+
lock.unlock();
vmDeallocatePhysicalPagesSloppy(range.begin(), range.size());
lock.lock();
-
+
range.setPhysicalSize(0);
- m_largeFree.add(range);
+ ranges.push(range);
waitUntilFalse(lock, sleepDuration, m_isAllocatingPages);
}
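Review bot: the clamp `i = std::min(i, ranges.size())` can revisit the range that was just pushed back. If the map shrinks by k while the lock is released, `ranges.push(range)` lands the scavenged range at index ranges.size() - 1, the clamp yields ranges.size(), and the following `i--` selects that same range again, costing another vmDeallocatePhysicalPagesSloppy() call and unlock/lock round trip on pages already released. The loop still terminates because the size is bounded, but the reasoning behind the clamp lives only in the ChangeLog; add a comment on the `for` line saying the map may shrink while unlocked and that the correctness of the walk depends on `ranges.pop(i)` and `ranges.push()` leaving the unvisited indices below i untouched.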
Modified: trunk/Source/bmalloc/bmalloc/XLargeMap.cpp (204090 => 204091)
--- trunk/Source/bmalloc/bmalloc/XLargeMap.cpp 2016-08-03 18:35:21 UTC (rev 204090)
+++ trunk/Source/bmalloc/bmalloc/XLargeMap.cpp 2016-08-03 18:43:15 UTC (rev 204091)
@@ -76,16 +76,4 @@
m_free.push(merged);
}
-XLargeRange XLargeMap::removePhysical()
-{
- auto it = std::find_if(m_free.begin(), m_free.end(), [](const XLargeRange& range) {
- return range.physicalSize();
- });
-
- if (it == m_free.end())
- return XLargeRange();
-
- return m_free.pop(it);
-}
-
} // namespace bmalloc
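Review bot: with removePhysical() deleted, the file's only visible use of std::find_if goes with it; check whether XLargeMap.cpp still needs the `<algorithm>` include (not shown in this hunk) and drop it if nothing else in the file uses it.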
Modified: trunk/Source/bmalloc/bmalloc/XLargeMap.h (204090 => 204091)
--- trunk/Source/bmalloc/bmalloc/XLargeMap.h 2016-08-03 18:35:21 UTC (rev 204090)
+++ trunk/Source/bmalloc/bmalloc/XLargeMap.h 2016-08-03 18:43:15 UTC (rev 204091)
@@ -36,7 +36,7 @@
public:
void add(const XLargeRange&);
XLargeRange remove(size_t alignment, size_t);
- XLargeRange removePhysical();
+ Vector<XLargeRange>& ranges() { return m_free; }
private:
Vector<XLargeRange> m_free;
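Review bot: `ranges()` hands out a non-const reference to m_free, so any caller can now push() or pop() ranges without going through add()/remove() and the merging done there. Since the only intended caller is Heap::scavengeLargeObjects and that caller must hold the heap lock, document both constraints on the accessor (lock held; caller is responsible for putting back what it pops) rather than only the naming-convention note in the ChangeLog, and keep the promised follow-up rename on the list so the accessor does not quietly become general-purpose API.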
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes