Title: [207230] trunk/Source/_javascript_Core
- Revision
- 207230
- Author
- fpi...@apple.com
- Date
- 2016-10-12 12:01:21 -0700 (Wed, 12 Oct 2016)
Log Message
REGRESSION (r207179): ASSERTION FAILED: node.cell != previousCell
https://bugs.webkit.org/show_bug.cgi?id=163337
Reviewed by Mark Lam.
It turns out that HeapSnapshot was not down with revisiting. The concurrent GC is going to be
built around the idea that we can revisit objects many times. This means that any action that
should only take place once per object must check the object's state. This fixes the snapshot
code to do this.
While writing this code, I realized that we're actually doing this check incorrectly, so I
filed bug 163343. That bug requires a race, so we aren't going to see it yet.
* heap/HeapSnapshot.cpp:
(JSC::HeapSnapshot::finalize):
* heap/SlotVisitor.cpp:
(JSC::SlotVisitor::appendToMarkStack):
(JSC::SlotVisitor::visitChildren):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (207229 => 207230)
--- trunk/Source/_javascript_Core/ChangeLog 2016-10-12 18:47:53 UTC (rev 207229)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-10-12 19:01:21 UTC (rev 207230)
@@ -1,3 +1,24 @@
+2016-10-12 Filip Pizlo <fpi...@apple.com>
+
+ REGRESSION (r207179): ASSERTION FAILED: node.cell != previousCell
+ https://bugs.webkit.org/show_bug.cgi?id=163337
+
+ Reviewed by Mark Lam.
+
+ It turns out that HeapSnapshot was not down with revisiting. The concurrent GC is going to be
+ built around the idea that we can revisit objects many times. This means that any action that
+ should only take place once per object must check the object's state. This fixes the snapshot
+ code to do this.
+
+ While writing this code, I realized that we're actually doing this check incorrectly, so I
+ filed bug 163343. That bug requires a race, so we aren't going to see it yet.
+
+ * heap/HeapSnapshot.cpp:
+ (JSC::HeapSnapshot::finalize):
+ * heap/SlotVisitor.cpp:
+ (JSC::SlotVisitor::appendToMarkStack):
+ (JSC::SlotVisitor::visitChildren):
+
2016-10-12 Joseph Pecoraro <pecor...@apple.com>
Web Inspector: Improve support for logging Proxy objects in console
Modified: trunk/Source/_javascript_Core/heap/HeapSnapshot.cpp (207229 => 207230)
--- trunk/Source/_javascript_Core/heap/HeapSnapshot.cpp 2016-10-12 18:47:53 UTC (rev 207229)
+++ trunk/Source/_javascript_Core/heap/HeapSnapshot.cpp 2016-10-12 19:01:21 UTC (rev 207230)
@@ -121,8 +121,10 @@
for (auto& node : m_nodes) {
ASSERT(node.cell);
ASSERT(!(reinterpret_cast<intptr_t>(node.cell) & CellToSweepTag));
- if (previousCell)
+ if (node.cell == previousCell) {
+ dataLog("Seeing same cell twice: ", RawPointer(previousCell), "\n");
ASSERT(node.cell != previousCell);
+ }
previousCell = node.cell;
}
#endif
Modified: trunk/Source/_javascript_Core/heap/SlotVisitor.cpp (207229 => 207230)
--- trunk/Source/_javascript_Core/heap/SlotVisitor.cpp 2016-10-12 18:47:53 UTC (rev 207229)
+++ trunk/Source/_javascript_Core/heap/SlotVisitor.cpp 2016-10-12 19:01:21 UTC (rev 207230)
@@ -237,9 +237,6 @@
m_bytesVisited += container.cellSize();
m_stack.append(cell);
-
- if (UNLIKELY(m_heapSnapshotBuilder))
- m_heapSnapshotBuilder->appendNode(cell);
}
void SlotVisitor::markAuxiliary(const void* base)
@@ -319,6 +316,11 @@
cell->methodTable()->visitChildren(const_cast<JSCell*>(cell), *this);
break;
}
+
+ if (UNLIKELY(m_heapSnapshotBuilder)) {
+ if (cell->cellState() != CellState::OldBlack)
+ m_heapSnapshotBuilder->appendNode(const_cast<JSCell*>(cell));
+ }
}
void SlotVisitor::donateKnownParallel()
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
