Title: [98302] trunk/Source/_javascript_Core
Revision
98302
Author
[email protected]
Date
2011-10-24 17:21:29 -0700 (Mon, 24 Oct 2011)

Log Message

Crash in void JSC::validateCell<JSC::RegExp*>(JSC::RegExp*)
https://bugs.webkit.org/show_bug.cgi?id=70689

Reviewed by Filip Pizlo.

While performing codegen we need to make the GlobalData explicitly
aware of the codeblock being compiled, as compilation may trigger GC
and CodeBlock holds GC values, but has not yet been assigned to its
owner executable.

* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
(JSC::BytecodeGenerator::~BytecodeGenerator):
* bytecompiler/BytecodeGenerator.h:
* heap/AllocationSpace.cpp:
(JSC::AllocationSpace::allocateSlowCase):
* heap/Heap.cpp:
(JSC::Heap::markRoots):
* runtime/JSGlobalData.cpp:
(JSC::JSGlobalData::JSGlobalData):
* runtime/JSGlobalData.h:
(JSC::JSGlobalData::startedCompiling):
(JSC::JSGlobalData::finishedCompiling):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (98301 => 98302)


--- trunk/Source/_javascript_Core/ChangeLog	2011-10-25 00:19:30 UTC (rev 98301)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-10-25 00:21:29 UTC (rev 98302)
@@ -1,3 +1,29 @@
+2011-10-24  Oliver Hunt  <[email protected]>
+
+        Crash in void JSC::validateCell<JSC::RegExp*>(JSC::RegExp*)
+        https://bugs.webkit.org/show_bug.cgi?id=70689
+
+        Reviewed by Filip Pizlo.
+
+        While performing codegen we need to make the GlobalData explicitly
+        aware of the codeblock being compiled, as compilation may trigger GC
+        and CodeBlock holds GC values, but has not yet been assigned to its
+        owner executable.
+
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::BytecodeGenerator):
+        (JSC::BytecodeGenerator::~BytecodeGenerator):
+        * bytecompiler/BytecodeGenerator.h:
+        * heap/AllocationSpace.cpp:
+        (JSC::AllocationSpace::allocateSlowCase):
+        * heap/Heap.cpp:
+        (JSC::Heap::markRoots):
+        * runtime/JSGlobalData.cpp:
+        (JSC::JSGlobalData::JSGlobalData):
+        * runtime/JSGlobalData.h:
+        (JSC::JSGlobalData::startedCompiling):
+        (JSC::JSGlobalData::finishedCompiling):
+
 2011-10-24  Filip Pizlo  <[email protected]>
 
         Object-or-other branch speculation may corrupt the state for OSR if the child of the

Modified: trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp (98301 => 98302)


--- trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp	2011-10-25 00:19:30 UTC (rev 98301)
+++ trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.cpp	2011-10-25 00:21:29 UTC (rev 98302)
@@ -219,6 +219,7 @@
     , m_usesExceptions(false)
     , m_expressionTooDeep(false)
 {
+    m_globalData->startedCompiling(m_codeBlock);
     if (m_shouldEmitDebugHooks)
         m_codeBlock->setNeedsFullScopeChain(true);
 
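Review bot: The added `m_globalData->startedCompiling(m_codeBlock);` relies on `JSGlobalData::codeBlockBeingCompiled` being a single slot, and the same line is added in the other two constructors (hunks at @@ -289 and @@ -450) with one destructor at @@ -472 unconditionally clearing it. If a second BytecodeGenerator is ever constructed while another is live, a debug build stops at `ASSERT(!codeBlockBeingCompiled)`, but a release build silently replaces the outer CodeBlock's pointer and the inner generator's destructor then nulls it, leaving the outer CodeBlock unrooted for any GC that runs before the outer compilation finishes — the same class of crash this change is fixing. I cannot tell from these hunks whether such nesting can occur; if it can, have `startedCompiling` return the previous pointer, stash it in the generator, and have the destructor restore it rather than clear it, so the slot behaves as a stack. Each constructor's initializer list begins before its hunk.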
@@ -289,6 +290,7 @@
     , m_usesExceptions(false)
     , m_expressionTooDeep(false)
 {
+    m_globalData->startedCompiling(m_codeBlock);
     if (m_shouldEmitDebugHooks)
         m_codeBlock->setNeedsFullScopeChain(true);
 
@@ -450,6 +452,7 @@
     , m_usesExceptions(false)
     , m_expressionTooDeep(false)
 {
+    m_globalData->startedCompiling(m_codeBlock);
     if (m_shouldEmitDebugHooks || m_baseScopeDepth)
         m_codeBlock->setNeedsFullScopeChain(true);
 
@@ -472,6 +475,11 @@
     preserveLastVar();
 }
 
+BytecodeGenerator::~BytecodeGenerator()
+{
+    m_globalData->finishedCompiling(m_codeBlock);
+}
+
 RegisterID* BytecodeGenerator::emitInitLazyRegister(RegisterID* reg)
 {
     emitOpcode(op_init_lazy_reg);

Modified: trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h (98301 => 98302)


--- trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h	2011-10-25 00:19:30 UTC (rev 98301)
+++ trunk/Source/_javascript_Core/bytecompiler/BytecodeGenerator.h	2011-10-25 00:21:29 UTC (rev 98302)
@@ -96,6 +96,8 @@
         BytecodeGenerator(FunctionBodyNode*, ScopeChainNode*, SymbolTable*, CodeBlock*, CompilationKind);
         BytecodeGenerator(EvalNode*, ScopeChainNode*, SymbolTable*, EvalCodeBlock*, CompilationKind);
 
+        ~BytecodeGenerator();
+        
         JSGlobalData* globalData() const { return m_globalData; }
         const CommonIdentifiers& propertyNames() const { return *m_globalData->propertyNames; }
 
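Review bot: The new `~BytecodeGenerator();` declaration carries no comment, and nothing in the header tells a reader that constructing a generator registers its CodeBlock with the JSGlobalData and that destruction unregisters it. Add above the declaration: `// Clears JSGlobalData::codeBlockBeingCompiled, which the constructors set so the GC can root m_codeBlock during codegen; the ASSERT in startedCompiling implies only one generator may be live per JSGlobalData.` The blank line added after the declaration contains trailing whitespace, which check-webkit-style flags.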

Modified: trunk/Source/_javascript_Core/heap/AllocationSpace.cpp (98301 => 98302)


--- trunk/Source/_javascript_Core/heap/AllocationSpace.cpp	2011-10-25 00:19:30 UTC (rev 98301)
+++ trunk/Source/_javascript_Core/heap/AllocationSpace.cpp	2011-10-25 00:21:29 UTC (rev 98302)
@@ -44,7 +44,7 @@
 void* AllocationSpace::allocateSlowCase(MarkedSpace::SizeClass& sizeClass)
 {
 #if COLLECT_ON_EVERY_ALLOCATION
-    collectAllGarbage();
+    m_heap->collectAllGarbage();
     ASSERT(m_heap->m_operationInProgress == NoOperation);
 #endif
     

Modified: trunk/Source/_javascript_Core/heap/Heap.cpp (98301 => 98302)


--- trunk/Source/_javascript_Core/heap/Heap.cpp	2011-10-25 00:19:30 UTC (rev 98301)
+++ trunk/Source/_javascript_Core/heap/Heap.cpp	2011-10-25 00:21:29 UTC (rev 98302)
@@ -600,7 +600,12 @@
         }
     }
 #endif
-
+    
+    if (CodeBlock* codeBlock = m_globalData->codeBlockBeingCompiled) {
+        GCPHASE(VisitActiveCodeBlock);
+        codeBlock->visitAggregate(visitor);
+    }
+    
     {
         GCPHASE(VisitMachineRoots);
         visitor.append(machineThreadRoots);
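Review bot: The new `VisitActiveCodeBlock` phase has no comment saying why this CodeBlock must be rooted here instead of being reached through its owner executable, so a later reader of markRoots has no way to know when the special case could be retired. Add above the `if`: `// A CodeBlock still under construction is not yet assigned to its owner executable, so it is unreachable from the normal roots; visit it explicitly to keep the GC values it already holds alive.` The two `+    ` lines bracketing the new block carry trailing whitespace where the removed line was empty. markRoots begins and ends outside the hunk.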

Modified: trunk/Source/_javascript_Core/runtime/JSGlobalData.cpp (98301 => 98302)


--- trunk/Source/_javascript_Core/runtime/JSGlobalData.cpp	2011-10-25 00:19:30 UTC (rev 98301)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalData.cpp	2011-10-25 00:21:29 UTC (rev 98302)
@@ -179,6 +179,7 @@
     , identifierTable(globalDataType == Default ? wtfThreadData().currentIdentifierTable() : createIdentifierTable())
     , propertyNames(new CommonIdentifiers(this))
     , emptyList(new MarkedArgumentBuffer)
+    , codeBlockBeingCompiled(0)
 #if ENABLE(ASSEMBLER)
     , executableAllocator(*this)
 #endif

Modified: trunk/Source/_javascript_Core/runtime/JSGlobalData.h (98301 => 98302)


--- trunk/Source/_javascript_Core/runtime/JSGlobalData.h	2011-10-25 00:19:30 UTC (rev 98301)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalData.h	2011-10-25 00:21:29 UTC (rev 98302)
@@ -188,7 +188,19 @@
         SmallStrings smallStrings;
         NumericStrings numericStrings;
         DateInstanceCache dateInstanceCache;
-        
+        CodeBlock* codeBlockBeingCompiled;
+        void startedCompiling(CodeBlock* codeBlock)
+        {
+            ASSERT(!codeBlockBeingCompiled);
+            codeBlockBeingCompiled = codeBlock;
+        }
+
+        void finishedCompiling(CodeBlock* codeBlock)
+        {
+            ASSERT_UNUSED(codeBlock, codeBlock == codeBlockBeingCompiled);
+            codeBlockBeingCompiled = 0;
+        }
+
 #if ENABLE(ASSEMBLER)
         ExecutableAllocator executableAllocator;
 #endif
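Review bot: `codeBlockBeingCompiled` is added as a public raw pointer, so any code can set or clear it without going through `startedCompiling`/`finishedCompiling`, and the one-at-a-time invariant those helpers check only exists in debug builds. Consider making the field private with a const accessor (or a friend declaration for Heap, since Heap::markRoots reads it) and documenting it: `// Non-owning. Non-null for the lifetime of a BytecodeGenerator so Heap::markRoots can root a CodeBlock not yet reachable from its executable.` Also confirm that placing the member after `dateInstanceCache` here agrees with its initializer following `emptyList` in JSGlobalData.cpp (@@ -179); the declarations in between are outside the hunk, so I cannot tell whether the initializer order matches the declaration order.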