Title: [230414] releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore
Revision: 230414
Author: carlo...@webkit.org
Date: 2018-04-09 05:59:29 -0700 (Mon, 09 Apr 2018)

Log Message

Merge r229962 - r228149 accidentally removed code that resets m_emptyCursor at the end of a GC
https://bugs.webkit.org/show_bug.cgi?id=183995

Reviewed by Filip Pizlo.

The removal of this line of code was unintended and happened during some
refactoring Fil was doing. The consequence of removing this line of code
is that the m_emptyCursor became a monotonically increasing integer, leading
the cursor to usually being out of bounds of the block range (depending on
what the program is doing). This made the functionality of finding an empty
block to steal almost always fail.

* heap/BlockDirectory.cpp:
(JSC::BlockDirectory::prepareForAllocation):

Diff

Modified: releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/ChangeLog (230413 => 230414)


--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog	2018-04-09 12:59:23 UTC (rev 230413)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog	2018-04-09 12:59:29 UTC (rev 230414)
@@ -1,3 +1,20 @@
+2018-03-25  Saam Barati  <sbar...@apple.com>
+
+        r228149 accidentally removed code that resets m_emptyCursor at the end of a GC
+        https://bugs.webkit.org/show_bug.cgi?id=183995
+
+        Reviewed by Filip Pizlo.
+
+        The removal of this line of code was unintended and happened during some
+        refactoring Fil was doing. The consequence of removing this line of code
+        is that the m_emptyCursor became a monotonically increasing integer, leading
+        the cursor to usually being out of bounds of the block range (depending on
+        what the program is doing). This made the functionality of finding an empty
+        block to steal almost always fail.
+
+        * heap/BlockDirectory.cpp:
+        (JSC::BlockDirectory::prepareForAllocation):
+
 2018-03-22  Michael Saboff  <msab...@apple.com>
 
         Race Condition in arrayProtoFuncReverse() causes wrong results or crash
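
Review bot: the new entry lists only heap/BlockDirectory.cpp under changed files and names no test, even though it describes a regression that went unnoticed from r228149 until this fix because the only symptom was that finding an empty block to steal "almost always fail[ed]". Please say in the entry how the fix was verified, or add a test or counter that would show when the empty-block search stops succeeding, so a later refactoring of prepareForAllocation cannot lose the reset silently a second time.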

Modified: releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/heap/BlockDirectory.cpp (230413 => 230414)


--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/heap/BlockDirectory.cpp	2018-04-09 12:59:23 UTC (rev 230413)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/heap/BlockDirectory.cpp	2018-04-09 12:59:29 UTC (rev 230414)
@@ -191,6 +191,7 @@
         });
     
     m_unsweptCursor = 0;
+    m_emptyCursor = 0;
     
     m_eden.clearAll();
 
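
Review bot: the restored `m_emptyCursor = 0;` sits next to `m_unsweptCursor = 0;` with no comment or assertion tying the two together, which is how the line could be dropped during refactoring without anyone noticing. A one-line comment above the pair stating that both cursors must restart at 0 at the end of every GC would make the invariant visible to the next person editing this function. Since the log message says the cursor ended up "out of bounds of the block range", it is also worth confirming in this review that the code consuming m_emptyCursor checks it against the current block count before indexing, because that consumer is not shown in this diff.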
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes