Title: [205152] branches/safari-601-branch/Source/_javascript_Core
Revision
205152
Author
bshaf...@apple.com
Date
2016-08-29 15:42:07 -0700 (Mon, 29 Aug 2016)

Log Message

Merge r204572.  rdar://problem/28059311

Modified Paths

Diff

Modified: branches/safari-601-branch/Source/_javascript_Core/ChangeLog (205151 => 205152)


--- branches/safari-601-branch/Source/_javascript_Core/ChangeLog	2016-08-29 22:10:09 UTC (rev 205151)
+++ branches/safari-601-branch/Source/_javascript_Core/ChangeLog	2016-08-29 22:42:07 UTC (rev 205152)
@@ -1,3 +1,35 @@
+2016-08-29  Babak Shafiei  <bshaf...@apple.com>
+
+        Merge r204572.
+
+    2016-08-17  Geoffrey Garen  <gga...@apple.com>
+
+            Fixed a potential bug in MarkedArgumentBuffer.
+            https://bugs.webkit.org/show_bug.cgi?id=160948
+            <rdar://problem/27889416>
+
+            Reviewed by Oliver Hunt.
+
+            I haven't been able to produce an observable test case after some trying.
+
+            * runtime/ArgList.cpp:
+            (JSC::MarkedArgumentBuffer::addMarkSet): New helper function -- I broke
+            this out from existing code for clarity, but the behavior is the same.
+
+            (JSC::MarkedArgumentBuffer::expandCapacity): Ditto.
+
+            (JSC::MarkedArgumentBuffer::slowAppend): Always addMarkSet() on the slow
+            path. This is faster than the old linear scan, and I think it might
+            avoid cases the old scan could miss.
+
+            * runtime/ArgList.h:
+            (JSC::MarkedArgumentBuffer::append): Account for the case where someone
+            has called clear() or removeLast().
+
+            (JSC::MarkedArgumentBuffer::mallocBase): No behavior change -- but it's
+            clearer to test the buffers directly instead of inferring what they
+            might be based on capacity.
+
 2016-05-13  Matthew Hanson  <matthew_han...@apple.com>
 
         Merge r196490. rdar://problem/26270811

Modified: branches/safari-601-branch/Source/_javascript_Core/runtime/ArgList.cpp (205151 => 205152)


--- branches/safari-601-branch/Source/_javascript_Core/runtime/ArgList.cpp	2016-08-29 22:10:09 UTC (rev 205151)
+++ branches/safari-601-branch/Source/_javascript_Core/runtime/ArgList.cpp	2016-08-29 22:42:07 UTC (rev 205152)
@@ -30,6 +30,19 @@
 
 namespace JSC {
 
+void MarkedArgumentBuffer::addMarkSet(JSValue v)
+{
+    if (m_markSet)
+        return;
+
+    Heap* heap = Heap::heap(v);
+    if (!heap)
+        return;
+
+    m_markSet = &heap->markListSet();
+    m_markSet->add(this);
+}
+
 void ArgList::getSlice(int startIndex, ArgList& result) const
 {
     if (startIndex <= 0 || startIndex >= m_argCount) {
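Review bot: addMarkSet() (lines 68-79) has no comment, and the only explanation of why this buffer registers itself with a heap's mark list — the paragraph about inline values living on the stack versus malloc'd values needing explicit marking — is deleted from slowAppend() in the third hunk of this file, so expandCapacity() and slowAppend() now call into an undocumented helper; I raise it once here for all three. I would add above the definition: `// Registers this buffer with the heap's mark-list set the first time a heap cell is stored in a malloc'd buffer; once m_markSet is set every later call is a no-op, and values for which Heap::heap() yields null are presumably not heap cells and are skipped.` The early return on m_markSet also means the set chosen is that of the first heap cell seen, which is worth stating if more than one Heap can ever be involved — confirm against the callers.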
@@ -51,13 +64,15 @@
     }
 }
 
-void MarkedArgumentBuffer::slowAppend(JSValue v)
+void MarkedArgumentBuffer::expandCapacity()
 {
     int newCapacity = (Checked<int>(m_capacity) * 2).unsafeGet();
     size_t size = (Checked<size_t>(newCapacity) * sizeof(EncodedJSValue)).unsafeGet();
     EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(fastMalloc(size));
-    for (int i = 0; i < m_capacity; ++i)
+    for (int i = 0; i < m_capacity; ++i) {
         newBuffer[i] = m_buffer[i];
+        addMarkSet(JSValue::decode(m_buffer[i]));
+    }
 
     if (EncodedJSValue* base = mallocBase())
         fastFree(base);
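Review bot: The new addMarkSet() call on line 97 decodes every slot up to m_capacity, not m_size, so expandCapacity() now depends on a precondition the function does not state: it is only correct when every slot is initialized, which holds for the single caller (slowAppend() only calls it when m_size >= m_capacity) but not in general, and if Heap::heap() dereferences the cell a stale or never-written slot would be read as a pointer. The old loop only copied raw EncodedJSValues, which was harmless for unwritten slots; the decode is what makes the precondition matter. I would pin it at the top of the function with `ASSERT(m_size == m_capacity);` and a comment such as `// Every slot is live here (the caller only grows a full buffer), so decoding each one is safe.` expandCapacity() continues into the next hunk.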
@@ -64,27 +79,16 @@
 
     m_buffer = newBuffer;
     m_capacity = newCapacity;
+}
 
+void MarkedArgumentBuffer::slowAppend(JSValue v)
+{
+    if (m_size >= m_capacity)
+        expandCapacity();
+
     slotFor(m_size) = JSValue::encode(v);
     ++m_size;
-
-    if (m_markSet)
-        return;
-
-    // As long as our size stays within our Vector's inline 
-    // capacity, all our values are allocated on the stack, and 
-    // therefore don't need explicit marking. Once our size exceeds
-    // our Vector's inline capacity, though, our values move to the 
-    // heap, where they do need explicit marking.
-    for (int i = 0; i < m_size; ++i) {
-        Heap* heap = Heap::heap(JSValue::decode(slotFor(i)));
-        if (!heap)
-            continue;
-
-        m_markSet = &heap->markListSet();
-        m_markSet->add(this);
-        break;
-    }
+    addMarkSet(v);
 }
 
 } // namespace JSC

Modified: branches/safari-601-branch/Source/_javascript_Core/runtime/ArgList.h (205151 => 205152)


--- branches/safari-601-branch/Source/_javascript_Core/runtime/ArgList.h	2016-08-29 22:10:09 UTC (rev 205151)
+++ branches/safari-601-branch/Source/_javascript_Core/runtime/ArgList.h	2016-08-29 22:42:07 UTC (rev 205152)
@@ -78,7 +78,7 @@
 
     void append(JSValue v)
     {
-        if (m_size >= m_capacity)
+        if (m_size >= m_capacity || mallocBase())
             return slowAppend(v);
 
         slotFor(m_size) = JSValue::encode(v);
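Review bot: The added `|| mallocBase()` condition on line 148 sends an append with spare capacity down the slow path without saying why, and the reason (a malloc'd buffer is only reachable by the collector through m_markSet, so every heap cell appended to it must be registered, which only slowAppend() does; clear() or removeLast() can leave such a buffer with room) lives solely in the ChangeLog. I would add above the test: `// Only the inline (stack) buffer may be filled directly; a malloc'd buffer must register appended heap cells for marking, which slowAppend() does.` After this commit mallocBase() is a pointer comparison, so the extra call on the fast path looks cheap, though that is inferred from the header hunk below rather than measured. append() continues past the end of the hunk.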
@@ -100,6 +100,10 @@
     static void markLists(HeapRootVisitor&, ListSet&);
 
 private:
+    void expandCapacity();
+
+    void addMarkSet(JSValue);
+
     JS_EXPORT_PRIVATE void slowAppend(JSValue);
         
     EncodedJSValue& slotFor(int item) const
@@ -109,7 +113,7 @@
         
     EncodedJSValue* mallocBase()
     {
-        if (m_capacity == static_cast<int>(inlineCapacity))
+        if (m_buffer == m_inlineBuffer)
             return 0;
         return &slotFor(0);
     }
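Review bot: mallocBase() has become the discriminator append() uses on its fast path (first hunk of this file), so the invariant behind the new comparison on line 168 — m_buffer points at m_inlineBuffer until expandCapacity() replaces it — deserves a comment here rather than being left implicit; I would add above the function: `// Non-null only once expandCapacity() has moved the values off the stack; append() relies on this to route such buffers through slowAppend().` While the function is being touched, the `return 0;` on the next line returns a pointer and would read better as `return nullptr;`, and the function could be marked `const` since it only compares and returns addresses.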