Title: [204628] branches/safari-601.1.46-branch/Source/_javascript_Core

Diff

Modified: branches/safari-601.1.46-branch/Source/_javascript_Core/ChangeLog (204627 => 204628)


--- branches/safari-601.1.46-branch/Source/_javascript_Core/ChangeLog	2016-08-19 03:07:15 UTC (rev 204627)
+++ branches/safari-601.1.46-branch/Source/_javascript_Core/ChangeLog	2016-08-19 05:42:03 UTC (rev 204628)
@@ -1,3 +1,35 @@
+2016-08-18  Babak Shafiei  <[email protected]>
+
+        Merge r204572.
+
+    2016-08-17  Geoffrey Garen  <[email protected]>
+
+            Fixed a potential bug in MarkedArgumentBuffer.
+            https://bugs.webkit.org/show_bug.cgi?id=160948
+            <rdar://problem/27889416>
+
+            Reviewed by Oliver Hunt.
+
+            I haven't been able to produce an observable test case after some trying.
+
+            * runtime/ArgList.cpp:
+            (JSC::MarkedArgumentBuffer::addMarkSet): New helper function -- I broke
+            this out from existing code for clarity, but the behavior is the same.
+
+            (JSC::MarkedArgumentBuffer::expandCapacity): Ditto.
+
+            (JSC::MarkedArgumentBuffer::slowAppend): Always addMarkSet() on the slow
+            path. This is faster than the old linear scan, and I think it might
+            avoid cases the old scan could miss.
+
+            * runtime/ArgList.h:
+            (JSC::MarkedArgumentBuffer::append): Account for the case where someone
+            has called clear() or removeLast().
+
+            (JSC::MarkedArgumentBuffer::mallocBase): No behavior change -- but it's
+            clearer to test the buffers directly instead of inferring what they
+            might be based on capacity.
+
 2016-05-18  Babak Shafiei  <[email protected]>
 
         Merge patch for rdar://problem/26350121.

Modified: branches/safari-601.1.46-branch/Source/_javascript_Core/runtime/ArgList.cpp (204627 => 204628)


--- branches/safari-601.1.46-branch/Source/_javascript_Core/runtime/ArgList.cpp	2016-08-19 03:07:15 UTC (rev 204627)
+++ branches/safari-601.1.46-branch/Source/_javascript_Core/runtime/ArgList.cpp	2016-08-19 05:42:03 UTC (rev 204628)
@@ -30,6 +30,19 @@
 
 namespace JSC {
 
+void MarkedArgumentBuffer::addMarkSet(JSValue v)
+{
+    if (m_markSet)
+        return;
+
+    Heap* heap = Heap::heap(v);
+    if (!heap)
+        return;
+
+    m_markSet = &heap->markListSet();
+    m_markSet->add(this);
+}
+
 void ArgList::getSlice(int startIndex, ArgList& result) const
 {
     if (startIndex <= 0 || startIndex >= m_argCount) {
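Review bot: addMarkSet (L56–L67) binds the buffer to whichever heap owns the first cell it is given and never revisits that choice because of the early `if (m_markSet) return;`, yet neither the definition nor its declaration documents this contract; as far as this function shows, a buffer holding cells from two VMs would be marked by only the first heap, the same property the replaced scan had. Suggest a header comment on the function: `// Registers this buffer with the heap's mark list the first time a cell value is stored. Non-cell values (Heap::heap() returns null) never trigger registration, and the buffer stays bound to that first heap.` The getSlice body that begins at L69 continues outside the hunk.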
@@ -51,13 +64,15 @@
     }
 }
 
-void MarkedArgumentBuffer::slowAppend(JSValue v)
+void MarkedArgumentBuffer::expandCapacity()
 {
     int newCapacity = (Checked<int>(m_capacity) * 2).unsafeGet();
     size_t size = (Checked<size_t>(newCapacity) * sizeof(EncodedJSValue)).unsafeGet();
     EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(fastMalloc(size));
-    for (int i = 0; i < m_capacity; ++i)
+    for (int i = 0; i < m_capacity; ++i) {
         newBuffer[i] = m_buffer[i];
+        addMarkSet(JSValue::decode(m_buffer[i]));
+    }
 
     if (EncodedJSValue* base = mallocBase())
         fastFree(base);
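Review bot: The copy loop at L83–L86 decodes every slot up to m_capacity and hands it to Heap::heap(), not just the m_size live ones; that is only safe because the sole caller (slowAppend) expands exactly when `m_size >= m_capacity`, a precondition expandCapacity neither states nor checks. If Heap::heap(JSValue) follows the cell pointer to find its owning block, a dead or never-written slot reaching this loop would be read as a pointer. Suggest pinning the precondition at the top of the function with `ASSERT(m_size == m_capacity);`, or bounding the loop by `m_size`, which copies exactly the live values. The function continues past this hunk into the next one.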
@@ -64,27 +79,16 @@
 
     m_buffer = newBuffer;
     m_capacity = newCapacity;
+}
 
+void MarkedArgumentBuffer::slowAppend(JSValue v)
+{
+    if (m_size >= m_capacity)
+        expandCapacity();
+
     slotFor(m_size) = JSValue::encode(v);
     ++m_size;
-
-    if (m_markSet)
-        return;
-
-    // As long as our size stays within our Vector's inline 
-    // capacity, all our values are allocated on the stack, and 
-    // therefore don't need explicit marking. Once our size exceeds
-    // our Vector's inline capacity, though, our values move to the 
-    // heap, where they do need explicit marking.
-    for (int i = 0; i < m_size; ++i) {
-        Heap* heap = Heap::heap(JSValue::decode(slotFor(i)));
-        if (!heap)
-            continue;
-
-        m_markSet = &heap->markListSet();
-        m_markSet->add(this);
-        break;
-    }
+    addMarkSet(v);
 }
 
 } // namespace JSC
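Review bot: The rationale carried by the deleted comment at L107–L111 — values in the inline buffer live on the stack and need no explicit marking, values in a heap-allocated buffer do — is dropped without a replacement, so nothing in the new slowAppend says why `addMarkSet(v)` is called at L121 after every slow-path store. Suggest restoring it above that call: `// Once values live in a heap-allocated buffer they are no longer on the stack, so the buffer must be registered with the heap's mark list to keep them alive.` A one-line purpose comment on expandCapacity (closed at L94, begun in the previous hunk) would round this out, since it now also performs the registration for values that were appended on the fast path while the buffer was still inline.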

Modified: branches/safari-601.1.46-branch/Source/_javascript_Core/runtime/ArgList.h (204627 => 204628)


--- branches/safari-601.1.46-branch/Source/_javascript_Core/runtime/ArgList.h	2016-08-19 03:07:15 UTC (rev 204627)
+++ branches/safari-601.1.46-branch/Source/_javascript_Core/runtime/ArgList.h	2016-08-19 05:42:03 UTC (rev 204628)
@@ -78,7 +78,7 @@
 
     void append(JSValue v)
     {
-        if (m_size >= m_capacity)
+        if (m_size >= m_capacity || mallocBase())
             return slowAppend(v);
 
         slotFor(m_size) = JSValue::encode(v);
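Review bot: The new `|| mallocBase()` at L136 sends every append on a heap-allocated buffer through slowAppend, but the line carries no comment and the reason — after clear() or removeLast() a heap buffer has spare capacity while m_markSet may still be null, so the fast path would store a cell nobody marks — lives only in the ChangeLog. Suggest a comment above the condition: `// A heap-allocated buffer can have spare capacity after clear()/removeLast() yet still be unregistered with the heap's mark list; always take the slow path so addMarkSet() runs.` The remainder of append past L139 is outside the hunk.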
@@ -100,6 +100,10 @@
     static void markLists(HeapRootVisitor&, ListSet&);
 
 private:
+    void expandCapacity();
+
+    void addMarkSet(JSValue);
+
     JS_EXPORT_PRIVATE void slowAppend(JSValue);
         
     EncodedJSValue& slotFor(int item) const
@@ -109,7 +113,7 @@
         
     EncodedJSValue* mallocBase()
     {
-        if (m_capacity == static_cast<int>(inlineCapacity))
+        if (m_buffer == m_inlineBuffer)
             return 0;
         return &slotFor(0);
     }
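Review bot: mallocBase() at L153–L159 now doubles as the "buffer is heap-allocated" predicate used by append(), yet it is non-const and returns a literal `0` for the inline case; `return nullptr;` and a `const` qualifier would read better if the branch's style permits. A one-line comment naming the dual role would also help readers of append(): `// Non-null only when m_buffer was obtained from fastMalloc; also serves as the heap-allocated check.`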