Title: [249345] trunk/Source/_javascript_Core
Revision
249345
Author
mark....@apple.com
Date
2019-08-30 14:18:16 -0700 (Fri, 30 Aug 2019)

Log Message

Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information.
https://bugs.webkit.org/show_bug.cgi?id=201345

Reviewed by Yusuke Suzuki.

This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using
the wrong pointer for capturing the cell headerWord and zapReason.  As a result,
we get junk for those 2 values.

Previously, we were only capturing the upper 32-bits of the cell header slot,
and the lower 32-bit of the next slot in the zapped cell.  We now capture the
full 64-bits of both slots.  If the second slot did not contain a zapReason as we
expect, the upper 32-bits might give us a clue as to what type of value the slot
contains.

This patch also adds capturing of the found MarkedBlock address for the zapped
cell, as well as some state bit values.

* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::reportZappedCellAndCrash):

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (249344 => 249345)


--- trunk/Source/_javascript_Core/ChangeLog	2019-08-30 20:33:44 UTC (rev 249344)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-08-30 21:18:16 UTC (rev 249345)
@@ -1,3 +1,26 @@
+2019-08-30  Mark Lam  <mark....@apple.com>
+
+        Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information.
+        https://bugs.webkit.org/show_bug.cgi?id=201345
+
+        Reviewed by Yusuke Suzuki.
+
+        This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using
+        the wrong pointer for capture the cell headerWord and zapReason.  As a result,
+        we get junk for those 2 values.
+
+        Previously, we were only capturing the upper 32-bits of the cell header slot,
+        and the lower 32-bit of the next slot in the zapped cell.  We now capture the
+        full 64-bits of both slots.  If the second slot did not contain a zapReason as we
+        expect, the upper 32-bits might give us a clue as to what type of value the slot
+        contains.
+
+        This patch also adds capturing of the found MarkedBlock address for the zapped
+        cell, as well as some state bit values.
+
+        * heap/SlotVisitor.cpp:
+        (JSC::SlotVisitor::reportZappedCellAndCrash):
+
 2019-08-30  Yusuke Suzuki  <ysuz...@apple.com>
 
         [JSC] Generate new.target register only when it is used

Modified: trunk/Source/_javascript_Core/heap/SlotVisitor.cpp (249344 => 249345)


--- trunk/Source/_javascript_Core/heap/SlotVisitor.cpp	2019-08-30 20:33:44 UTC (rev 249344)
+++ trunk/Source/_javascript_Core/heap/SlotVisitor.cpp	2019-08-30 21:18:16 UTC (rev 249345)
@@ -38,6 +38,7 @@
 #include "JSObject.h"
 #include "JSString.h"
 #include "JSCInlines.h"
+#include "MarkedBlockInlines.h"
 #include "MarkingConstraintSolver.h"
 #include "SlotVisitorInlines.h"
 #include "StopIfNecessaryTimer.h"
@@ -45,6 +46,7 @@
 #include "VM.h"
 #include <wtf/ListDump.h>
 #include <wtf/Lock.h>
+#include <wtf/StdLibExtras.h>
 
 namespace JSC {
 
@@ -825,29 +827,42 @@
 #if CPU(X86_64)
 NEVER_INLINE NO_RETURN_DUE_TO_CRASH NOT_TAIL_CALLED void SlotVisitor::reportZappedCellAndCrash(JSCell* cell)
 {
-    MarkedBlock::Handle* foundBlock = nullptr;
-    uint32_t* cellWords = reinterpret_cast_ptr<uint32_t*>(this);
+    MarkedBlock::Handle* foundBlockHandle = nullptr;
+    uint64_t* cellWords = reinterpret_cast_ptr<uint64_t*>(cell);
 
     uintptr_t cellAddress = bitwise_cast<uintptr_t>(cell);
-    uintptr_t headerWord = cellWords[1];
-    uintptr_t zapReason = cellWords[2];
+    uint64_t headerWord = cellWords[0];
+    uint64_t zapReasonAndMore = cellWords[1];
     unsigned subspaceHash = 0;
     size_t cellSize = 0;
 
-    m_heap.objectSpace().forEachBlock([&] (MarkedBlock::Handle* block) {
-        if (block->contains(cell)) {
-            foundBlock = block;
+    m_heap.objectSpace().forEachBlock([&] (MarkedBlock::Handle* blockHandle) {
+        if (blockHandle->contains(cell)) {
+            foundBlockHandle = blockHandle;
             return IterationStatus::Done;
         }
         return IterationStatus::Continue;
     });
 
-    if (foundBlock) {
-        subspaceHash = StringHasher::computeHash(foundBlock->subspace()->name());
-        cellSize = foundBlock->cellSize();
+    uint64_t variousState = 0;
+    MarkedBlock* foundBlock = nullptr;
+    if (foundBlockHandle) {
+        foundBlock = &foundBlockHandle->block();
+        subspaceHash = StringHasher::computeHash(foundBlockHandle->subspace()->name());
+        cellSize = foundBlockHandle->cellSize();
+
+        variousState |= static_cast<uint64_t>(foundBlockHandle->isFreeListed()) << 0;
+        variousState |= static_cast<uint64_t>(foundBlockHandle->isAllocated()) << 1;
+        variousState |= static_cast<uint64_t>(foundBlockHandle->isEmpty()) << 2;
+        variousState |= static_cast<uint64_t>(foundBlockHandle->needsDestruction()) << 3;
+        variousState |= static_cast<uint64_t>(foundBlock->isNewlyAllocated(cell)) << 4;
+
+        ptrdiff_t cellOffset = cellAddress - reinterpret_cast<uint64_t>(foundBlockHandle->start());
+        bool cellIsProperlyAligned = !(cellOffset % cellSize);
+        variousState |= static_cast<uint64_t>(cellIsProperlyAligned) << 5;
     }
 
-    CRASH_WITH_INFO(cellAddress, headerWord, zapReason, subspaceHash, cellSize);
+    CRASH_WITH_INFO(cellAddress, headerWord, zapReasonAndMore, subspaceHash, cellSize, foundBlock, variousState);
 }
 #endif // PLATFORM(MAC)
 
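Review bot: `cellIsProperlyAligned` at the `!(cellOffset % cellSize)` line divides by `cellSize`, which is whatever `cellSize()` returns for the found block; if that can ever be 0, the crash reporter itself faults on the modulo and the `CRASH_WITH_INFO` payload is lost, so a guard is cheap here, `bool cellIsProperlyAligned = cellSize && !(cellOffset % cellSize);`. The bit layout packed into `variousState` is what a crash-log reader has to decode, and nothing in the code records it; a comment above the first `variousState |=` such as `// variousState bits: 0 isFreeListed, 1 isAllocated, 2 isEmpty, 3 needsDestruction, 4 isNewlyAllocated, 5 cellIsProperlyAligned` would make that argument of CRASH_WITH_INFO self-describing. The `cellOffset` line casts `start()` with `reinterpret_cast<uint64_t>` while `cellAddress` uses `bitwise_cast<uintptr_t>` a few lines earlier; using the same form, `bitwise_cast<uintptr_t>(foundBlockHandle->start())`, with a `uintptr_t` offset keeps the function consistent and avoids feeding a signed `ptrdiff_t` into the unsigned modulo. Unrelated to the change but visible in the hunk, the closing `#endif // PLATFORM(MAC)` comment no longer matches the `#if CPU(X86_64)` that opens the block.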