Branch: refs/heads/webkitglib/2.52
  Home:   https://github.com/WebKit/WebKit
  Commit: 5428ad1ad2f246f5b61fce4a7b6a9ba7a5c491e9
      
https://github.com/WebKit/WebKit/commit/5428ad1ad2f246f5b61fce4a7b6a9ba7a5c491e9
  Author: Keith Miller <[email protected]>
  Date:   2026-06-01 (Mon, 01 Jun 2026)

  Changed paths:
    A JSTests/stress/stringProtoFuncAt-GCOwnedDataScope-atomstring-swap.js
    A JSTests/stress/stringProtoFuncEndsWith-GCOwnedDataScope-atomstring-swap.js
    A JSTests/stress/stringProtoFuncLocaleCompare-GCOwnedDataScope-atomstring-swap.js
    A JSTests/stress/stringProtoFuncStartsWith-GCOwnedDataScope-atomstring-swap.js
    M Source/JavaScriptCore/heap/ConservativeRoots.cpp
    M Source/JavaScriptCore/heap/GCOwnedDataScope.h
    M Source/JavaScriptCore/heap/Heap.cpp
    M Source/JavaScriptCore/heap/Heap.h
    M Source/JavaScriptCore/heap/IncrementalSweeper.cpp
    M Source/JavaScriptCore/jit/JITWorklist.cpp
    M Source/JavaScriptCore/jit/JITWorklist.h
    M Source/JavaScriptCore/runtime/JSString.h
    M Source/WTF/wtf/Forward.h
    M Source/WTF/wtf/SegmentedVector.h

  Log Message:
  -----------
  Cherry-pick 305413.614@safari-7624-branch (ffdd4a695d15). https://bugs.webkit.org/show_bug.cgi?id=311420

    Heap needs to protect swapped JSString Impls for GCOwnedDataScope
    https://bugs.webkit.org/show_bug.cgi?id=311420
    rdar://172467032

    Reviewed by Yusuke Suzuki and Dan Hecht.

    When JSString::swapToAtomString replaces a StringImpl with its atomized
    equivalent, the old StringImpl was kept alive only until the next GC via
    Heap::m_possiblyAccessedStringsFromConcurrentThreads. However, if a
    GCOwnedDataScope is on the stack it's possible for the buffer to get
    freed before the ~GCOwnedDataScope runs, leaving the buffer as a
    dangling pointer.

    Fix this by:

     1. Renaming m_possiblyAccessedStringsFromConcurrentThreads to
        m_possiblyAccessedStringsFromConcurrentThreadsOrGCOwnedDataScope and
        storing (JSString*, String) pairs so we can track ownership.

     2. During conservative root scanning, discover all JSStrings that are
        still referenced on the stack and record them in
        m_discoveredAccessedStringsFromGCOwnedDataScope.

     3. At GC finalize, pruning entries whose JSString was not discovered on
        the stack rather than clearing the list entirely.

     4. Between GCs, clearing the retained list in IncrementalSweeper when
        no JS is executing and no JIT compilations are in progress.
        Previously the list was only cleared during GC finalize, so it could
        grow unboundedly between collections. Without this, Speedometer
        appeared to be regressed; with this it seems like a 0.2% progression.

     5. Switching from Vector to SegmentedVector with a new doubling growth
        policy to avoid copying entries when resizing the Vector. Since this
        list gets very big (200,000+ entries), avoiding copies is valuable.

    Tests: JSTests/stress/stringProtoFuncAt-GCOwnedDataScope-atomstring-swap.js
           JSTests/stress/stringProtoFuncEndsWith-GCOwnedDataScope-atomstring-swap.js
           JSTests/stress/stringProtoFuncLocaleCompare-GCOwnedDataScope-atomstring-swap.js
           JSTests/stress/stringProtoFuncStartsWith-GCOwnedDataScope-atomstring-swap.js

    Identifier: 305413.614@safari-7624-branch

Canonical link: https://commits.webkit.org/305877.694@webkitglib/2.52
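A small model of the retention scheme described in steps 1 to 4 of the commit message, as an added example that is not WebKit's code: a list of (owner cell, swapped-out string) pairs, a discovery set filled by conservative scanning, pruning at GC finalize that keeps only entries whose owner is still on the stack, and the idle-time clearing guard. The class and method names are assumptions, and std::string stands in for WTF::String.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <unordered_set>
#include <utility>
#include <vector>

struct JSStringCell { }; // stand-in for a JSString cell; only its address matters

// Model of the retained list from the commit message: each entry pairs the owning
// cell with the StringImpl it swapped away, so the old buffer outlives any
// GCOwnedDataScope still reading it. std::string stands in for WTF::String.
class RetainedSwappedStrings {
    using Entry = std::pair<const JSStringCell*, std::string>;
public:
    // JSString::swapToAtomString hands the pre-swap impl to the heap.
    void retain(const JSStringCell* owner, std::string oldImpl) {
        m_entries.emplace_back(owner, std::move(oldImpl));
    }
    // Step 2: conservative root scanning reports JSStrings still on the stack.
    void markDiscovered(const JSStringCell* owner) { m_discovered.insert(owner); }
    // Step 3: at GC finalize, release only entries whose owner was not seen on
    // the stack; entries a live GCOwnedDataScope may still read are kept.
    std::size_t pruneAtFinalize() {
        auto newEnd = std::remove_if(m_entries.begin(), m_entries.end(),
            [&](const Entry& e) { return m_discovered.count(e.first) == 0; });
        std::size_t removed = static_cast<std::size_t>(m_entries.end() - newEnd);
        m_entries.erase(newEnd, m_entries.end());
        m_discovered.clear(); // rebuilt by the next conservative scan
        return removed;
    }
    // Step 4: between GCs the sweeper may release everything, but only when no
    // JS is executing and no JIT compilation is in flight.
    bool clearIfIdle(bool jsExecuting, bool jitCompiling) {
        if (jsExecuting || jitCompiling)
            return false;
        m_entries.clear();
        return true;
    }
    bool stillRetains(const JSStringCell* owner) const {
        return std::any_of(m_entries.begin(), m_entries.end(),
            [owner](const Entry& e) { return e.first == owner; });
    }
    std::size_t size() const { return m_entries.size(); }
private:
    std::vector<Entry> m_entries;
    std::unordered_set<const JSStringCell*> m_discovered;
};
```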