Title: [258479] trunk/Source/_javascript_Core
- Revision
- 258479
- Author
- [email protected]
- Date
- 2020-03-15 03:51:04 -0700 (Sun, 15 Mar 2020)
Log Message
reportZappedCellAndCrash should handle PreciseAllocation in IsoSubspace
https://bugs.webkit.org/show_bug.cgi?id=209042
Reviewed by Mark Lam.
This patch adds support for PreciseAllocation cells to reportZappedCellAndCrash, since they are now frequently used
as lower-tier cells in IsoSubspace.
* heap/IsoSubspace.h:
* heap/IsoSubspaceInlines.h:
(JSC::IsoSubspace::forEachLowerTierFreeListedPreciseAllocation):
* runtime/JSCell.cpp:
(JSC::reportZappedCellAndCrash):
Modified: trunk/Source/_javascript_Core/ChangeLog (258478 => 258479)
--- trunk/Source/_javascript_Core/ChangeLog 2020-03-15 10:16:52 UTC (rev 258478)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-03-15 10:51:04 UTC (rev 258479)
@@ -1,5 +1,21 @@
2020-03-15 Yusuke Suzuki <[email protected]>
+ reportZappedCellAndCrash should handle PreciseAllocation in IsoSubspace
+ https://bugs.webkit.org/show_bug.cgi?id=209042
+
+ Reviewed by Mark Lam.
+
+ This patch adds support of PreciseAllocation cells to reportZappedCellAndCrash, since now it is frequently used
+ as a lower-tier cells in IsoSubspace.
+
+ * heap/IsoSubspace.h:
+ * heap/IsoSubspaceInlines.h:
+ (JSC::IsoSubspace::forEachLowerTierFreeListedPreciseAllocation):
+ * runtime/JSCell.cpp:
+ (JSC::reportZappedCellAndCrash):
+
+2020-03-15 Yusuke Suzuki <[email protected]>
+
Should not use variable-length-array (VLA)
https://bugs.webkit.org/show_bug.cgi?id=209043
Modified: trunk/Source/_javascript_Core/heap/IsoSubspace.h (258478 => 258479)
--- trunk/Source/_javascript_Core/heap/IsoSubspace.h 2020-03-15 10:16:52 UTC (rev 258478)
+++ trunk/Source/_javascript_Core/heap/IsoSubspace.h 2020-03-15 10:51:04 UTC (rev 258479)
@@ -56,6 +56,8 @@
void sweep();
+ template<typename Func> void forEachLowerTierFreeListedPreciseAllocation(const Func&);
+
private:
friend class IsoCellSet;
Modified: trunk/Source/_javascript_Core/heap/IsoSubspaceInlines.h (258478 => 258479)
--- trunk/Source/_javascript_Core/heap/IsoSubspaceInlines.h 2020-03-15 10:16:52 UTC (rev 258478)
+++ trunk/Source/_javascript_Core/heap/IsoSubspaceInlines.h 2020-03-15 10:51:04 UTC (rev 258479)
@@ -54,5 +54,11 @@
});
}
+template<typename Func>
+void IsoSubspace::forEachLowerTierFreeListedPreciseAllocation(const Func& func)
+{
+ m_lowerTierFreeList.forEach(func);
+}
+
} // namespace JSC
Modified: trunk/Source/_javascript_Core/runtime/JSCell.cpp (258478 => 258479)
--- trunk/Source/_javascript_Core/runtime/JSCell.cpp 2020-03-15 10:16:52 UTC (rev 258478)
+++ trunk/Source/_javascript_Core/runtime/JSCell.cpp 2020-03-15 10:51:04 UTC (rev 258479)
@@ -25,6 +25,7 @@
#include "ArrayBufferView.h"
#include "BlockDirectoryInlines.h"
+#include "IsoSubspaceInlines.h"
#include "JSCInlines.h"
#include "JSCast.h"
#include "JSFunction.h"
@@ -32,6 +33,7 @@
#include "JSObject.h"
#include "MarkedBlockInlines.h"
#include "NumberObject.h"
+#include "SubspaceInlines.h"
#include <wtf/LockAlgorithmInlines.h>
#include <wtf/MathExtras.h>
@@ -330,7 +332,7 @@
unsigned subspaceHash = 0;
size_t cellSize = 0;
- heap.objectSpace().forEachBlock([&] (MarkedBlock::Handle* blockHandle) {
+ heap.objectSpace().forEachBlock([&](MarkedBlock::Handle* blockHandle) {
if (blockHandle->contains(bitwise_cast<JSCell*>(cell))) {
foundBlockHandle = blockHandle;
return IterationStatus::Done;
@@ -354,6 +356,43 @@
ptrdiff_t cellOffset = cellAddress - reinterpret_cast<uint64_t>(foundBlockHandle->start());
bool cellIsProperlyAligned = !(cellOffset % cellSize);
variousState |= static_cast<uint64_t>(cellIsProperlyAligned) << 5;
+ } else {
+ bool isFreeListed = false;
+ PreciseAllocation* foundPreciseAllocation = nullptr;
+ heap.objectSpace().forEachSubspace([&](Subspace& subspace) {
+ subspace.forEachPreciseAllocation([&](PreciseAllocation* allocation) {
+ if (allocation->contains(cell))
+ foundPreciseAllocation = allocation;
+ });
+ if (foundPreciseAllocation)
+ return IterationStatus::Done;
+
+ if (subspace.isIsoSubspace()) {
+ static_cast<IsoSubspace&>(subspace).forEachLowerTierFreeListedPreciseAllocation([&](PreciseAllocation* allocation) {
+ if (allocation->contains(cell)) {
+ foundPreciseAllocation = allocation;
+ isFreeListed = true;
+ }
+ });
+ }
+ if (foundPreciseAllocation)
+ return IterationStatus::Done;
+ return IterationStatus::Continue;
+ });
+ if (foundPreciseAllocation) {
+ subspaceHash = StringHasher::computeHash(foundPreciseAllocation->subspace()->name());
+ cellSize = foundPreciseAllocation->cellSize();
+
+ variousState |= static_cast<uint64_t>(isFreeListed) << 0;
+ variousState |= static_cast<uint64_t>(!isFreeListed) << 1;
+ variousState |= static_cast<uint64_t>(foundPreciseAllocation->subspace()->attributes().destruction == NeedsDestruction) << 3;
+ if (!isFreeListed) {
+ variousState |= static_cast<uint64_t>(foundPreciseAllocation->isEmpty()) << 2;
+ variousState |= static_cast<uint64_t>(foundPreciseAllocation->isNewlyAllocated()) << 4;
+ }
+ bool cellIsProperlyAligned = foundPreciseAllocation->cell() == cell;
+ variousState |= static_cast<uint64_t>(cellIsProperlyAligned) << 5;
+ }
}
CRASH_WITH_INFO(cellAddress, headerWord, zapReasonAndMore, subspaceHash, cellSize, foundBlock, variousState);
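Review bot: The bit positions OR'd into `variousState` in the new PreciseAllocation branch (the `<< 0` through `<< 5` lines) are undocumented, and because this word is only ever decoded by a person reading a crash log, the layout belongs in a comment where the bits are set; I would add above `if (foundPreciseAllocation) {` the line `// variousState bits: 0 free-listed, 1 allocated, 2 isEmpty, 3 NeedsDestruction, 4 isNewlyAllocated, 5 cell pointer equals the allocation's cell`. This appears to mirror the MarkedBlock path above, of which only bit 5 is visible in the hunk, so the other positions should be confirmed against that path before the comment claims they are shared. The lookup walks every subspace's precise allocations and, for IsoSubspaces, the lower-tier free list while handling an already-zapped cell; since reportZappedCellAndCrash begins before this hunk and continues past it, whether the caller holds the heap lock is not visible, and the comment should state what synchronization the walk assumes. The inner `forEachPreciseAllocation` lambda also keeps scanning after a match, so a later match would overwrite `foundPreciseAllocation`; that is harmless if allocations never overlap, but a one-line comment saying so is better than leaving it implicit.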