[webkit-changes] [205718] releases/WebKitGTK/webkit-2.14/Source/JavaScriptCore

[carlosgc]

Title: [205718] releases/WebKitGTK/webkit-2.14/Source/_javascript_Core

Revision

205718

Author

carlo...@webkit.org

Date

2016-09-09 02:15:48 -0700 (Fri, 09 Sep 2016)

Log Message

Merge r205466 - Heap::isMarked() should use concurrent lazy flipping
https://bugs.webkit.org/show_bug.cgi?id=161613

Reviewed by Michael Catanzaro.

I found out about this race condition via
https://bugs.webkit.org/show_bug.cgi?id=160125#c233.

The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
phase. So, they need to lazy-flip in a non-racy way.

* heap/HeapInlines.h:
(JSC::Heap::isLive):
(JSC::Heap::isMarked):

Modified Paths

• releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/ChangeLog
• releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/heap/HeapInlines.h

Diff

Modified: releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/ChangeLog (205717 => 205718)

--- releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/ChangeLog	2016-09-09 08:55:20 UTC (rev 205717)
+++ releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/ChangeLog	2016-09-09 09:15:48 UTC (rev 205718)
@@ -1,3 +1,20 @@
+2016-09-05  Filip Pizlo  <fpi...@apple.com>
+
+        Heap::isMarked() should use concurrent lazy flipping
+        https://bugs.webkit.org/show_bug.cgi?id=161613
+
+        Reviewed by Michael Catanzaro.
+        
+        I found out about this race condition via
+        https://bugs.webkit.org/show_bug.cgi?id=160125#c233.
+        
+        The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
+        phase. So, they need to lazy-flip in a non-racy way.
+
+        * heap/HeapInlines.h:
+        (JSC::Heap::isLive):
+        (JSC::Heap::isMarked):
+
 2016-08-31  Filip Pizlo  <fpi...@apple.com>
 
         Butterflies should be allocated in Auxiliary MarkedSpace instead of CopiedSpace and we should rewrite as much of the GC as needed to make this not a regression

Modified: releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/heap/HeapInlines.h (205717 => 205718)

--- releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/heap/HeapInlines.h	2016-09-09 08:55:20 UTC (rev 205717)
+++ releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/heap/HeapInlines.h	2016-09-09 09:15:48 UTC (rev 205718)
@@ -80,7 +80,7 @@
     if (cell->isLargeAllocation())
         return cell->largeAllocation().isLive();
     MarkedBlock& block = cell->markedBlock();
-    block.flipIfNecessary(block.vm()->heap.objectSpace().version());
+    block.flipIfNecessaryConcurrently(block.vm()->heap.objectSpace().version());
     return block.handle().isLiveCell(cell);
 }
 
@@ -90,7 +90,7 @@
     if (cell->isLargeAllocation())
         return cell->largeAllocation().isMarked();
     MarkedBlock& block = cell->markedBlock();
-    block.flipIfNecessary(block.vm()->heap.objectSpace().version());
+    block.flipIfNecessaryConcurrently(block.vm()->heap.objectSpace().version());
     return block.isMarked(cell);
 }
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes