Title: [213905] branches/safari-603-branch/Source
Revision: 213905
Author: matthew_han...@apple.com
Date: 2017-03-14 10:13:22 -0700 (Tue, 14 Mar 2017)

Log Message

Merge r212692. rdar://problem/30635854

Modified Paths

Diff

Modified: branches/safari-603-branch/Source/_javascript_Core/ChangeLog (213904 => 213905)


--- branches/safari-603-branch/Source/_javascript_Core/ChangeLog	2017-03-14 17:02:15 UTC (rev 213904)
+++ branches/safari-603-branch/Source/_javascript_Core/ChangeLog	2017-03-14 17:13:22 UTC (rev 213905)
@@ -1,3 +1,58 @@
+2017-02-21  Matthew Hanson  <matthew_han...@apple.com>
+
+        Merge r212692. rdar://problem/30635854
+
+    2017-02-20  Mark Lam  <mark....@apple.com>
+
+            [Re-landing] CachedCall should let GC know to keep its arguments alive.
+            https://bugs.webkit.org/show_bug.cgi?id=168567
+            <rdar://problem/30475767>
+
+            Reviewed by Saam Barati.
+
+            We fix this by having CachedCall use a MarkedArgumentBuffer to store its
+            arguments instead of a Vector.
+
+            Also declared CachedCall, MarkedArgumentBuffer, and ProtoCallFrame as
+            WTF_FORBID_HEAP_ALLOCATION because they rely on being stack allocated for
+            correctness.
+
+            Update: the original patch has a bug in MarkedArgumentBuffer::expandCapacity()
+            where it was copying and calling addMarkSet() on values in m_buffer beyond m_size
+            (up to m_capacity).  As a result, depending on the pre-existing values in
+            m_inlineBuffer, this may result in a computed Heap pointer that is wrong, and
+            subsequently, manifest as a crash.  This is likely to be the cause of the PLT
+            regression.
+
+            I don't have a new test for this fix because the issue relies on sufficiently bad
+            values randomly showing up in m_inlineBuffer when we do an ensureCapacity() which
+            calls expandCapacity().
+
+            * interpreter/CachedCall.h:
+            (JSC::CachedCall::CachedCall):
+            (JSC::CachedCall::call):
+            (JSC::CachedCall::clearArguments):
+            (JSC::CachedCall::appendArgument):
+            (JSC::CachedCall::setArgument): Deleted.
+            * interpreter/CallFrame.h:
+            (JSC::ExecState::emptyList):
+            * interpreter/Interpreter.cpp:
+            (JSC::Interpreter::prepareForRepeatCall):
+            * interpreter/Interpreter.h:
+            * interpreter/ProtoCallFrame.h:
+            * runtime/ArgList.cpp:
+            (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
+            (JSC::MarkedArgumentBuffer::expandCapacity):
+            (JSC::MarkedArgumentBuffer::slowAppend):
+            * runtime/ArgList.h:
+            (JSC::MarkedArgumentBuffer::append):
+            (JSC::MarkedArgumentBuffer::ensureCapacity):
+            * runtime/StringPrototype.cpp:
+            (JSC::replaceUsingRegExpSearch):
+            * runtime/VM.cpp:
+            (JSC::VM::VM):
+            * runtime/VM.h:
+
 2017-02-23  Filip Pizlo  <fpi...@apple.com>
 
         Disable concurrent GC A:B testing.
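Review bot: the "Update:" paragraph describes the MarkedArgumentBuffer::expandCapacity() bug (copying and calling addMarkSet() on m_buffer entries beyond m_size, up to m_capacity) but the entry then states "I don't have a new test for this fix", so the corrected loop bound is not protected against regression. Rather than depending on bad values "randomly showing up in m_inlineBuffer", the fix could be made deterministic to check: a debug-build ASSERT in expandCapacity() that only the first m_size entries are visited, and/or a test that fills the inline buffer with a poison pattern before forcing ensureCapacity() so that an over-read trips every time. The merge entry's file list under "* runtime/ArgList.cpp:" should then name that test or assertion so the coverage is visible from the ChangeLog.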

Modified: branches/safari-603-branch/Source/WTF/ChangeLog (213904 => 213905)


--- branches/safari-603-branch/Source/WTF/ChangeLog	2017-03-14 17:02:15 UTC (rev 213904)
+++ branches/safari-603-branch/Source/WTF/ChangeLog	2017-03-14 17:13:22 UTC (rev 213905)
@@ -1,3 +1,26 @@
+2017-02-21  Matthew Hanson  <matthew_han...@apple.com>
+
+        Merge r212692. rdar://problem/30635854
+
+    2017-02-20  Mark Lam  <mark....@apple.com>
+
+            [Re-landing] CachedCall should let GC know to keep its arguments alive.
+            https://bugs.webkit.org/show_bug.cgi?id=168567
+            <rdar://problem/30475767>
+
+            Reviewed by Saam Barati.
+
+            Added a WTF_FORBID_HEAP_ALLOCATION that will cause a compilation failure if
+            a class declared with it is malloced.
+
+            While this doesn't prevent that class declared WTF_FORBID_HEAP_ALLOCATION from
+            being embedded in another class that is heap allocated, it does at minimum
+            document the intent and gives the users of this class a chance to do the
+            right thing.
+
+            * WTF.xcodeproj/project.pbxproj:
+            * wtf/ForbidHeapAllocation.h: Added.
+
 2017-02-17  JF Bastien  <jfbast...@apple.com>
 
         A/B test concurrent GC
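Review bot: the limitation stated at "While this doesn't prevent that class declared WTF_FORBID_HEAP_ALLOCATION from being embedded in another class that is heap allocated" is recorded only in this ChangeLog; it belongs as a comment in the added wtf/ForbidHeapAllocation.h as well, since that header is what users of the macro will read. The entry should also say how the compilation failure is produced (for instance, whether the class's operator new is deleted), so a reviewer can judge which allocation paths are actually rejected versus merely documented; "is malloced" in the first paragraph would read more consistently as "is heap allocated", matching the macro name and the second paragraph.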
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes