Title: [295624] trunk/Source/_javascript_Core
- Revision
- 295624
- Author
- [email protected]
- Date
- 2022-06-16 19:20:29 -0700 (Thu, 16 Jun 2022)
Log Message
The extraMemorySize() get wrong when transferring ArrayBuffer from Worker VM
https://bugs.webkit.org/show_bug.cgi?id=241559
Reviewed by Yusuke Suzuki.
When an ArrayBuffer is passed in the transfer option of postMessage(), the size cached in
heap.m_arrayBuffers becomes incorrect, which makes extraMemorySize() larger than the actually
managed size.
This patch added the code to reduce size from GCIncomingRefCountedSet.m_bytes when
ArrayBuffer is actually transferring from VM.
Also for verification, added a simple check code in GCIncomingRefCountedSet.addReference
with constexpr flag.
* Source/_javascript_Core/heap/GCIncomingRefCountedSet.h:
* Source/_javascript_Core/heap/GCIncomingRefCountedSetInlines.h:
(JSC::GCIncomingRefCountedSet<T>::sweep):
(JSC::GCIncomingRefCountedSet<T>::reduceSize):
* Source/_javascript_Core/heap/Heap.cpp:
(JSC::Heap::reduceArrayBufferSize):
* Source/_javascript_Core/heap/Heap.h:
* Source/_javascript_Core/runtime/ArrayBuffer.cpp:
(JSC::ArrayBuffer::transferTo):
Canonical link: https://commits.webkit.org/251629@main
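--- a/trunk/Source/_javascript_Core/heap/GCIncomingRefCountedSet.h
+++ b/trunk/Source/_javascript_Core/heap/GCIncomingRefCountedSet.h
@@ -44,6 +44,7 @@
 void sweep(VM&);
 size_t size() const { return m_bytes; };
+void reduceSize(size_t);
 private:
 Vector<T*> m_vector;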
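Review bot: `reduceSize(size_t)` is declared next to `size()` with no comment, and the precondition on its argument (it must not exceed the bytes currently accounted, see the ASSERT in the inlines file) is invisible from the header. A one-line comment at the declaration would save readers a trip to GCIncomingRefCountedSetInlines.h, e.g. `// Subtracts bytes that were previously accounted for an object now leaving this VM; bytes must not exceed size().` Whether that accounting is what `addReference` does is implied by the commit message rather than by this hunk, so word it accordingly.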
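--- a/trunk/Source/_javascript_Core/heap/GCIncomingRefCountedSetInlines.h
+++ b/trunk/Source/_javascript_Core/heap/GCIncomingRefCountedSetInlines.h
@@ -72,6 +72,23 @@
 m_vector[i--] = m_vector.last();
 m_vector.removeLast();
 }
+
+constexpr bool verify = false;
+if constexpr (verify) {
+CheckedSize size;
+for (size_t i = m_vector.size(); i--;) {
+T* object = m_vector[i];
+size += object->gcSizeEstimateInBytes();
+}
+ASSERT(m_bytes == size);
+}
 }
+template<typename T>
+void GCIncomingRefCountedSet<T>::reduceSize(size_t bytes)
+{
+ASSERT(m_bytes >= bytes);
+m_bytes -= bytes;
+}
+
 } // namespace JSC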
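Review bot: `reduceSize` guards `m_bytes -= bytes;` only with `ASSERT`, so in a build where ASSERT is compiled out a `bytes` larger than `m_bytes` silently wraps `m_bytes` to a value near SIZE_MAX, and that value is exactly what `size()` feeds into extraMemorySize() and hence GC scheduling; since the caller derives `bytes` from a before/after estimate that is not necessarily what was accounted at registration, `RELEASE_ASSERT(m_bytes >= bytes);` or a saturating `m_bytes -= std::min(m_bytes, bytes);` would be the safer choice. The `constexpr bool verify = false;` block in sweep is compiled out by default and carries no comment saying what it is for or why it is off; `// Flip to true to cross-check m_bytes against the live objects after sweeping (needs an ASSERT-enabled build).` would document the intent. sweep's body begins above the hunk.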
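--- a/trunk/Source/_javascript_Core/heap/Heap.cpp
+++ b/trunk/Source/_javascript_Core/heap/Heap.cpp
@@ -659,6 +659,11 @@
 }
 }
+void Heap::reduceArrayBufferSize(size_t bytes)
+{
+m_arrayBuffers.reduceSize(bytes);
+}
+
 template<typename CellType, typename CellSet>
 void Heap::finalizeMarkedUnconditionalFinalizers(CellSet& cellSet)
 {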
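Review bot: `Heap::reduceArrayBufferSize` forwards straight to `m_arrayBuffers.reduceSize` with no comment on who may call it or on what `bytes` must be, even though the same set is also walked by sweep. A short header comment would make the contract explicit, e.g. `// Called when an ArrayBuffer's contents leave this VM (see ArrayBuffer::transferTo); bytes is the drop in gcSizeEstimateInBytes() and must not exceed what this heap has accounted for the buffer.` Whether the caller is expected to hold the VM lock while doing this is not visible from the hunk; if it is, say so in the same comment.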
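--- a/trunk/Source/_javascript_Core/heap/Heap.h
+++ b/trunk/Source/_javascript_Core/heap/Heap.h
@@ -439,6 +439,7 @@
 const JITStubRoutineSet& jitStubRoutines() { return *m_jitStubRoutines; }
 void addReference(JSCell*, ArrayBuffer*);
+void reduceArrayBufferSize(size_t bytes);
 bool isDeferred() const { return !!m_deferralDepth; }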
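--- a/trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp
+++ b/trunk/Source/_javascript_Core/runtime/ArrayBuffer.cpp
@@ -303,8 +303,11 @@
 return true;
 }
+CheckedSize sizeReduced { gcSizeEstimateInBytes() };
 result = WTFMove(m_contents);
 notifyDetaching(vm);
+sizeReduced -= gcSizeEstimateInBytes();
+vm.heap.reduceArrayBufferSize(sizeReduced);
 return true;
 }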
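Review bot: The amount handed to `reduceArrayBufferSize` is the drop in `gcSizeEstimateInBytes()` across the detach, which keeps the heap's accounting consistent only if that drop equals what was added when this buffer was registered with the heap; if the estimate can change between registration and transfer, or if a buffer can reach this point without ever having been registered with `vm.heap`, the set under-counts or the subtraction underflows on the heap side, where only an ASSERT stands in the way. That assumption deserves a comment above the `CheckedSize sizeReduced` line, e.g. `// The estimate shrinks by the size of the detached contents; this must mirror what was accounted for this buffer when it was registered with vm.heap.` The early `return true;` at the top of the hunk skips the accounting for whichever case it handles, and the rest of transferTo, including that condition, lies outside the hunk.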