Title: [233346] trunk/Source/JavaScriptCore
- Revision: 233346
- Author: msab...@apple.com
- Date: 2018-06-28 18:37:38 -0700 (Thu, 28 Jun 2018)
Log Message
IsoCellSet::sweepToFreeList() not safe when Full GC in process
https://bugs.webkit.org/show_bug.cgi?id=187157
Reviewed by Mark Lam.
* heap/IsoCellSet.cpp:
(JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
is in MarkedBlock::Handle::specializedSweep where it takes into account whether
or not we are in the process of marking during a full GC.
* heap/MarkedBlock.h:
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (233345 => 233346)
--- trunk/Source/_javascript_Core/ChangeLog 2018-06-29 01:19:51 UTC (rev 233345)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-06-29 01:37:38 UTC (rev 233346)
@@ -1,3 +1,18 @@
+2018-06-28 Michael Saboff <msab...@apple.com>
+
+ IsoCellSet::sweepToFreeList() not safe when Full GC in process
+ https://bugs.webkit.org/show_bug.cgi?id=187157
+
+ Reviewed by Mark Lam.
+
+ * heap/IsoCellSet.cpp:
+ (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
+ is in MarkedBlock::Handle::specializedSweep where it takes into account whether
+ or not we are in the process of marking during a full GC.
+ * heap/MarkedBlock.h:
+ * heap/MarkedBlockInlines.h:
+ (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
+
2018-06-27 Saam Barati <sbar...@apple.com>
Add some more register state information when we crash in repatchPutById
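Review bot: The new ChangeLog entry names no regression test and does not say what goes wrong when sweepToFreeList() runs while a full GC is marking; it only says the logic now matches specializedSweep. A sentence on the failure mode (which bits are filtered or cleared incorrectly) and either a test reference or a note on why none is possible would make this fix auditable later. The heap/MarkedBlock.h line also has no description, although it gains a declaration.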
Modified: trunk/Source/_javascript_Core/heap/IsoCellSet.cpp (233345 => 233346)
--- trunk/Source/_javascript_Core/heap/IsoCellSet.cpp 2018-06-29 01:19:51 UTC (rev 233345)
+++ trunk/Source/_javascript_Core/heap/IsoCellSet.cpp 2018-06-29 01:37:38 UTC (rev 233346)
@@ -127,11 +127,12 @@
}
if (block->block().hasAnyNewlyAllocated()) {
+ // The newlyAllocated() bits are a superset of the marks() bits.
m_bits[block->index()]->concurrentFilter(block->block().newlyAllocated());
return;
}
- if (block->isEmpty() || block->areMarksStale()) {
+ if (block->isEmpty() || block->areMarksStaleForSweep()) {
{
// Holding the bitvector lock happens to be enough because that's what we also hold in
// other places where we manipulate this bitvector.
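Review bot: The comment added in the hasAnyNewlyAllocated() branch states an invariant ("newlyAllocated() bits are a superset of the marks() bits") that this early return depends on, but nothing here checks it and the ChangeLog does not mention it. Since the branch filters against newlyAllocated() alone and returns before the stale-marks test, consider a debug assertion for the superset property, or extend the comment to say why it holds while a full GC is marking, which is the case this change is about. The switch from areMarksStale() to areMarksStaleForSweep() in the following condition reads as intended by the log message.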
Modified: trunk/Source/_javascript_Core/heap/MarkedBlock.h (233345 => 233346)
--- trunk/Source/_javascript_Core/heap/MarkedBlock.h 2018-06-29 01:19:51 UTC (rev 233345)
+++ trunk/Source/_javascript_Core/heap/MarkedBlock.h 2018-06-29 01:37:38 UTC (rev 233346)
@@ -187,6 +187,7 @@
template <typename Functor> inline IterationStatus forEachMarkedCell(const Functor&);
JS_EXPORT_PRIVATE bool areMarksStale();
+ bool areMarksStaleForSweep();
void assertMarksNotStale();
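Review bot: areMarksStaleForSweep() is declared directly under areMarksStale() with no comment telling callers which one to use, and picking the wrong one in a sweep path is exactly the bug being fixed. A one-line comment on the declaration saying it is the variant for sweep code would help. Note also that areMarksStale() is JS_EXPORT_PRIVATE while the new function is defined inline in MarkedBlockInlines.h, so every caller has to include that header; the IsoCellSet.cpp hunk does not show its includes, so please confirm it does.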
Modified: trunk/Source/_javascript_Core/heap/MarkedBlockInlines.h (233345 => 233346)
--- trunk/Source/_javascript_Core/heap/MarkedBlockInlines.h 2018-06-29 01:19:51 UTC (rev 233345)
+++ trunk/Source/_javascript_Core/heap/MarkedBlockInlines.h 2018-06-29 01:37:38 UTC (rev 233346)
@@ -203,6 +203,11 @@
return isLiveCell(space()->markingVersion(), space()->newlyAllocatedVersion(), space()->isMarking(), p);
}
+inline bool MarkedBlock::Handle::areMarksStaleForSweep()
+{
+ return marksMode() == MarksStale;
+}
+
// The following has to be true for specialization to kick in:
//
// sweepMode == SweepToFreeList
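Review bot: The body of areMarksStaleForSweep() is just "return marksMode() == MarksStale;", so the "whether or not we are in the process of marking during a full GC" condition described in the log message is not visible at this definition. Add a short comment saying that marksMode() is where the marking state is taken into account and how the result differs from areMarksStale(), so a reader does not treat the two helpers as interchangeable.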