Title: [210609] trunk/Source
Revision
210609
Author
[email protected]
Date
2017-01-11 16:55:32 -0800 (Wed, 11 Jan 2017)

Log Message

Crash when WebCore's GC heap grows way too large.
<https://webkit.org/b/166875>
<rdar://problem/27896585>

Reviewed by Mark Lam.

Source/_javascript_Core:

Add a simple API to JSC::Heap that allows setting a hard limit on the amount
of live bytes. If this is exceeded, we crash with a recognizable signature.
By default there is no limit.

* heap/Heap.cpp:
(JSC::Heap::didExceedMaxLiveSize):
(JSC::Heap::updateAllocationLimits):
* heap/Heap.h:
(JSC::Heap::setMaxLiveSize):

Source/WebCore:

Cap the common WebCore VM at 4 GB of live JavaScript heap objects.

* bindings/js/CommonVM.cpp:
(WebCore::commonVMSlow):

Source/WTF:

Publish the WTF::GB constant.

* wtf/StdLibExtras.h:

Modified: trunk/Source/_javascript_Core/ChangeLog (210608 => 210609)


--- trunk/Source/_javascript_Core/ChangeLog	2017-01-12 00:44:42 UTC (rev 210608)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-01-12 00:55:32 UTC (rev 210609)
@@ -1,3 +1,21 @@
+2017-01-11  Andreas Kling  <[email protected]>
+
+        Crash when WebCore's GC heap grows way too large.
+        <https://webkit.org/b/166875>
+        <rdar://problem/27896585>
+
+        Reviewed by Mark Lam.
+
+        Add a simple API to JSC::Heap that allows setting a hard limit on the amount
+        of live bytes. If this is exceeded, we crash with a recognizable signature.
+        By default there is no limit.
+
+        * heap/Heap.cpp:
+        (JSC::Heap::didExceedMaxLiveSize):
+        (JSC::Heap::updateAllocationLimits):
+        * heap/Heap.h:
+        (JSC::Heap::setMaxLiveSize):
+
 2017-01-11  Yusuke Suzuki  <[email protected]>
 
         Decouple module loading initiator from ScriptElement

Modified: trunk/Source/_javascript_Core/heap/Heap.cpp (210608 => 210609)


--- trunk/Source/_javascript_Core/heap/Heap.cpp	2017-01-12 00:44:42 UTC (rev 210608)
+++ trunk/Source/_javascript_Core/heap/Heap.cpp	2017-01-12 00:55:32 UTC (rev 210609)
@@ -1676,6 +1676,11 @@
     m_sweeper->startSweeping();
 }
 
+NEVER_INLINE void Heap::didExceedMaxLiveSize()
+{
+    CRASH();
+}
+
 void Heap::updateAllocationLimits()
 {
     static const bool verbose = false;
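Review bot: didExceedMaxLiveSize is declared NEVER_INLINE but nothing at the definition says why, and the reason is the whole point of the change: keeping it out of line makes this deliberate CRASH() distinguishable from every other CRASH() site by the frame that appears in the report. Add `// Out of line on purpose: this frame is the recognizable crash signature for the live-size cap checked in updateAllocationLimits().` above the definition. The declaration in Heap.h carries NO_RETURN_DUE_TO_CRASH while the definition does not repeat it; that is legal, but a one-word mention in the comment would stop someone from "fixing" the mismatch in either direction.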
@@ -1707,6 +1712,9 @@
 
     if (verbose)
         dataLog("extraMemorySize() = ", extraMemorySize(), ", currentHeapSize = ", currentHeapSize, "\n");
+
+    if (m_maxLiveSize && currentHeapSize > m_maxLiveSize)
+        didExceedMaxLiveSize();
     
     if (Options::gcMaxHeapSize() && currentHeapSize > Options::gcMaxHeapSize())
         HeapStatistics::exitWithFailure();
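Review bot: The new limit is only evaluated inside updateAllocationLimits(), whose body begins before this hunk, so the heap can pass m_maxLiveSize between two runs of this function and the crash fires on the next pass rather than at the allocation that crossed the line; if that is intended, a short comment here would save the next reader from assuming an immediate trap. Judging by the dataLog line just above, currentHeapSize includes extraMemorySize(), so the cap covers reported external memory as well as JS cells, which is broader than "live JavaScript heap objects" as the WebCore ChangeLog puts it. Consider recording the numbers before crashing so a report can be triaged without a debugger, e.g. `dataLog("Heap live size ", currentHeapSize, " exceeded limit ", m_maxLiveSize, "\n");` ahead of the call. Note the check precedes the existing gcMaxHeapSize / exitWithFailure path, so when both are configured the CRASH wins.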

Modified: trunk/Source/_javascript_Core/heap/Heap.h (210608 => 210609)


--- trunk/Source/_javascript_Core/heap/Heap.h	2017-01-12 00:44:42 UTC (rev 210608)
+++ trunk/Source/_javascript_Core/heap/Heap.h	2017-01-12 00:55:32 UTC (rev 210609)
@@ -131,6 +131,9 @@
     void lastChanceToFinalize();
     void releaseDelayedReleasedObjects();
 
+    // Set a hard limit where JSC will crash if live heap size exceeds it.
+    void setMaxLiveSize(size_t size) { m_maxLiveSize = size; }
+
     VM* vm() const { return m_vm; }
     MarkedSpace& objectSpace() { return m_objectSpace; }
     MachineThreads& machineThreads() { return m_machineThreads; }
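Review bot: The comment on setMaxLiveSize does not say that 0 disables the check, although that is both the member's default (`m_maxLiveSize { 0 }` in the second hunk) and the meaning the `m_maxLiveSize &&` test in Heap.cpp gives it; state it: `// Set a hard limit where JSC will crash if live heap size exceeds it. 0 (the default) means no limit; the check runs from updateAllocationLimits().` The setter performs no validation, so any caller passing an absurdly small value will crash the process on the next limit update; that is acceptable for an internal knob, but the comment should make clear the value must come from trusted, compile-time policy rather than anything configurable at runtime.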
@@ -619,6 +622,9 @@
     size_t m_blockBytesAllocated { 0 };
     size_t m_externalMemorySize { 0 };
 #endif
+
+    NO_RETURN_DUE_TO_CRASH void didExceedMaxLiveSize();
+    size_t m_maxLiveSize { 0 };
     
     std::unique_ptr<MutatorScheduler> m_scheduler;
     

Modified: trunk/Source/WTF/ChangeLog (210608 => 210609)


--- trunk/Source/WTF/ChangeLog	2017-01-12 00:44:42 UTC (rev 210608)
+++ trunk/Source/WTF/ChangeLog	2017-01-12 00:55:32 UTC (rev 210609)
@@ -1,3 +1,15 @@
+2017-01-11  Andreas Kling  <[email protected]>
+
+        Crash when WebCore's GC heap grows way too large.
+        <https://webkit.org/b/166875>
+        <rdar://problem/27896585>
+
+        Reviewed by Mark Lam.
+
+        Publish the WTF::GB constant.
+
+        * wtf/StdLibExtras.h:
+
 2017-01-11  Anders Carlsson  <[email protected]>
 
         navigator.plugins.refresh and WKContextRefreshPlugIns doesn't pick up changes to already-present plug-ins

Modified: trunk/Source/WTF/wtf/StdLibExtras.h (210608 => 210609)


--- trunk/Source/WTF/wtf/StdLibExtras.h	2017-01-12 00:44:42 UTC (rev 210608)
+++ trunk/Source/WTF/wtf/StdLibExtras.h	2017-01-12 00:55:32 UTC (rev 210609)
@@ -477,6 +477,7 @@
 
 using WTF::KB;
 using WTF::MB;
+using WTF::GB;
 using WTF::approximateBinarySearch;
 using WTF::binarySearch;
 using WTF::bitwise_cast;

Modified: trunk/Source/WebCore/ChangeLog (210608 => 210609)


--- trunk/Source/WebCore/ChangeLog	2017-01-12 00:44:42 UTC (rev 210608)
+++ trunk/Source/WebCore/ChangeLog	2017-01-12 00:55:32 UTC (rev 210609)
@@ -1,3 +1,16 @@
+2017-01-11  Andreas Kling  <[email protected]>
+
+        Crash when WebCore's GC heap grows way too large.
+        <https://webkit.org/b/166875>
+        <rdar://problem/27896585>
+
+        Reviewed by Mark Lam.
+
+        Cap the common WebCore VM at 4 GB of live _javascript_ heap objects.
+
+        * bindings/js/CommonVM.cpp:
+        (WebCore::commonVMSlow):
+
 2017-01-11  Nan Wang  <[email protected]>
 
         AX: role=treeitem accessible name not spoken to VoiceOver macOS when using string contained inside element

Modified: trunk/Source/WebCore/bindings/js/CommonVM.cpp (210608 => 210609)


--- trunk/Source/WebCore/bindings/js/CommonVM.cpp	2017-01-12 00:44:42 UTC (rev 210608)
+++ trunk/Source/WebCore/bindings/js/CommonVM.cpp	2017-01-12 00:55:32 UTC (rev 210609)
@@ -47,6 +47,10 @@
     
     ScriptController::initializeThreading();
     g_commonVMOrNull = &VM::createLeaked(LargeHeap).leakRef();
+#if CPU(X86_64) || CPU(ARM64)
+    static const size_t maxGCHeapSize = 4 * GB;
+    g_commonVMOrNull->heap.setMaxLiveSize(maxGCHeapSize);
+#endif
     g_commonVMOrNull->heap.acquireAccess(); // At any time, we may do things that affect the GC.
 #if !PLATFORM(IOS)
     g_commonVMOrNull->setExclusiveThread(std::this_thread::get_id());
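Review bot: The `#if CPU(X86_64) || CPU(ARM64)` guard around the cap is unexplained; presumably it exists because `4 * GB` does not fit a 32-bit size_t (and a 32-bit process could never reach it anyway), so say so: `// 4 * GB only fits in size_t on 64-bit targets; 32-bit processes cannot approach it anyway.` Confirm that is the actual reason rather than a platform-policy choice before wording it that way. As a style nit, `static const size_t maxGCHeapSize = 4 * GB;` has a constant initializer and reads better as `constexpr`, or simply passed inline to setMaxLiveSize. commonVMSlow() begins before this hunk.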