Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (236167 => 236168)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2018-09-19 12:33:11 UTC (rev 236167)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2018-09-19 12:33:18 UTC (rev 236168)
@@ -1,3 +1,26 @@
+2018-09-04 Keith Miller <[email protected]>
+
+ RELEASE_ASSERT at ../../Source/_javascript_Core/heap/MarkedSpace.h:83
+ https://bugs.webkit.org/show_bug.cgi?id=188917
+
+ Reviewed by Mark Lam.
+
+ Our allocators should be able to handle allocating a zero-sized object.
+ Zero-sized objects will be allocated into the smallest size class.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
+ (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
+ * heap/MarkedSpace.h:
+ (JSC::MarkedSpace::sizeClassToIndex):
+ (JSC::MarkedSpace::indexToSizeClass):
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::emitAllocateVariableSized):
+ * runtime/JSArrayBufferView.cpp:
+ (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
+
2018-09-05 Mark Lam <[email protected]>
Fix DeferredSourceDump to capture the caller bytecodeIndex instead of CodeOrigin.
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (236167 => 236168)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-09-19 12:33:11 UTC (rev 236167)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-09-19 12:33:18 UTC (rev 236168)
@@ -9533,7 +9533,6 @@
slowCases.append(m_jit.branch32(
MacroAssembler::Above, sizeGPR, TrustedImm32(JSArrayBufferView::fastSizeLimit)));
- slowCases.append(m_jit.branchTest32(MacroAssembler::Zero, sizeGPR));
m_jit.move(sizeGPR, scratchGPR);
m_jit.lshift32(TrustedImm32(logElementSize(typedArrayType)), scratchGPR);
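Review bot: With the `branchTest32(Zero, sizeGPR)` bailout gone, a length-0 request now stays on this fast path with a byte size of 0 after the shift, and nothing at this site says why that is safe; it depends on the variable-sized allocator rounding a zero-byte request to size-class index 0, not on any check in this function. Add `// size == 0 is allowed here: emitAllocateVariableSized maps a zero-byte request to the smallest size class, so a zero-length view still gets a vector.` above the `move`. Provided element accesses are bounds-checked against the view's length rather than against a null vector (not visible in this hunk), a non-null vector on a length-0 view is harmless, but that is worth confirming since the cell it points at is larger than the view. compileNewTypedArrayWithSize starts before and continues past this hunk.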
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (236167 => 236168)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-09-19 12:33:11 UTC (rev 236167)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-09-19 12:33:18 UTC (rev 236168)
@@ -5991,7 +5991,6 @@
LValue size = lowInt32(m_node->child1());
LBasicBlock smallEnoughCase = m_out.newBlock();
- LBasicBlock nonZeroCase = m_out.newBlock();
LBasicBlock slowCase = m_out.newBlock();
LBasicBlock continuation = m_out.newBlock();
@@ -6001,12 +6000,8 @@
m_out.above(size, m_out.constInt32(JSArrayBufferView::fastSizeLimit)),
rarely(slowCase), usually(smallEnoughCase));
- LBasicBlock lastNext = m_out.appendTo(smallEnoughCase, nonZeroCase);
+ LBasicBlock lastNext = m_out.appendTo(smallEnoughCase, slowCase);
- m_out.branch(m_out.notZero32(size), usually(nonZeroCase), rarely(slowCase));
-
- m_out.appendTo(nonZeroCase, slowCase);
-
LValue byteSize =
m_out.shl(m_out.zeroExtPtr(size), m_out.constInt32(logElementSize(typedArrayType)));
if (elementSize(typedArrayType) < 8) {
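Review bot: The removed `nonZeroCase` branch means `size == 0` now reaches the `byteSize` computation and the allocator lookup with a zero byte size, and the only thing keeping that lookup in bounds is `allocatorForSize` treating 0 as size-class index 0, a dependency the code does not state. Suggest `// size == 0 is valid here: allocatorForSize maps a zero-byte request to size-class index 0 (the zero-size class).` on the `byteSize` line. The unsigned `above(size, fastSizeLimit)` comparison before this point still rejects negative int32 lengths, so the `zeroExtPtr` on `size` cannot produce a huge byte size. compileNewTypedArray starts before and continues past this hunk.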
@@ -13150,7 +13145,7 @@
if (subspace->hasIntPtr() && size->hasIntPtr()) {
CompleteSubspace* actualSubspace = bitwise_cast<CompleteSubspace*>(subspace->asIntPtr());
size_t actualSize = size->asIntPtr();
-
+
Allocator actualAllocator = actualSubspace->allocatorForNonVirtual(actualSize, AllocatorForMode::AllocatorIfExists);
if (!actualAllocator) {
LBasicBlock continuation = m_out.newBlock();
@@ -13159,7 +13154,7 @@
m_out.appendTo(continuation, lastNext);
return m_out.intPtrZero;
}
-
+
return m_out.constIntPtr(actualAllocator.localAllocator());
}
@@ -13182,7 +13177,7 @@
return m_out.loadPtr(
m_out.baseIndex(
m_heaps.CompleteSubspace_allocatorForSizeStep,
- subspace, m_out.sub(sizeClassIndex, m_out.intPtrOne)));
+ subspace, sizeClassIndex));
}
LValue allocatorForSize(CompleteSubspace& subspace, LValue size, LBasicBlock slowPath)
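Review bot: Dropping the `- 1` makes `sizeClassIndex` the direct table index, so this load is in bounds only if the guard earlier in `allocatorForSize` (outside this hunk) rejects indices above `largeCutoff >> stepShift`, which under the new `numSizeClasses = largeCutoff / sizeStep + 1` is exactly the last entry. That coupling is invisible at the load; add `// sizeClassIndex is the table index itself now that index 0 is the zero-size class; the largeCutoff check above keeps it <= numSizeClasses - 1.` If that guard happens to be an `aboveOrEqual`, the last size class would wrongly take the slow path, so it is worth re-reading with the new table size in mind.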
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/heap/MarkedSpace.cpp (236167 => 236168)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/heap/MarkedSpace.cpp 2018-09-19 12:33:11 UTC (rev 236167)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/heap/MarkedSpace.cpp 2018-09-19 12:33:18 UTC (rev 236168)
@@ -171,6 +171,7 @@
table[i] = entry;
nextIndex = index + 1;
}
+ ASSERT(MarkedSpace::sizeClassToIndex(MarkedSpace::largeCutoff - 1) < MarkedSpace::numSizeClasses);
for (size_t i = nextIndex; i < MarkedSpace::numSizeClasses; ++i)
table[i] = defaultCons(MarkedSpace::indexToSizeClass(i));
}
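Review bot: The new `ASSERT` only checks the table bound in debug builds, yet both operands are compile-time constants (`largeCutoff` and `numSizeClasses` are `static constexpr`), so a `static_assert` would catch a future mismatch in release builds as well. If `sizeClassToIndex` is marked `constexpr` in MarkedSpace.h (its body is a single arithmetic expression), the line becomes `static_assert(MarkedSpace::sizeClassToIndex(MarkedSpace::largeCutoff - 1) < MarkedSpace::numSizeClasses, "size-class table too small");`. The `for` loop that follows writes `table[i]` up to `numSizeClasses - 1`, so the bound is what keeps that write in range. The enclosing function starts before this hunk.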
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/heap/MarkedSpace.h (236167 => 236168)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/heap/MarkedSpace.h 2018-09-19 12:33:11 UTC (rev 236167)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/heap/MarkedSpace.h 2018-09-19 12:33:18 UTC (rev 236168)
@@ -64,7 +64,8 @@
// into one block.
static constexpr size_t largeCutoff = (blockPayload / 2) & ~(sizeStep - 1);
- static constexpr size_t numSizeClasses = largeCutoff / sizeStep;
+ // We have an extra size class for size zero.
+ static constexpr size_t numSizeClasses = largeCutoff / sizeStep + 1;
static constexpr HeapVersion nullVersion = 0; // The version of freshly allocated blocks.
static constexpr HeapVersion initialVersion = 2; // The version that the heap starts out with. Set to make sure that nextVersion(nullVersion) != initialVersion.
@@ -79,13 +80,14 @@
static size_t sizeClassToIndex(size_t size)
{
- RELEASE_ASSERT(size);
- return (size + sizeStep - 1) / sizeStep - 1;
+ return (size + sizeStep - 1) / sizeStep;
}
static size_t indexToSizeClass(size_t index)
{
- return (index + 1) * sizeStep;
+ size_t result = index * sizeStep;
+ ASSERT(sizeClassToIndex(result) == index);
+ return result;
}
MarkedSpace(Heap*);
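Review bot: With the `RELEASE_ASSERT(size)` removed, `sizeClassToIndex` checks no precondition at all, yet it still returns an index at or beyond `numSizeClasses` for `size > largeCutoff` (and wraps for a `size` within `sizeStep - 1` of `SIZE_MAX` because of the `+ sizeStep - 1`), so every caller that uses the result to index a table must keep its own `largeCutoff` guard. Document that contract on the function: `// Index into the size-class tables; index 0 is the zero-size class. No range check: callers must ensure size <= largeCutoff before indexing with the result.` Since the body is now a single expression it could also be `static constexpr`, which would let the table-size check in MarkedSpace.cpp become a `static_assert`. The roundtrip `ASSERT` in `indexToSizeClass` is debug-only, which is fine for an internal helper but means the release build relies on the table builders alone.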
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/jit/AssemblyHelpers.cpp (236167 => 236168)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/jit/AssemblyHelpers.cpp 2018-09-19 12:33:11 UTC (rev 236167)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/jit/AssemblyHelpers.cpp 2018-09-19 12:33:18 UTC (rev 236168)
@@ -641,7 +641,7 @@
add32(TrustedImm32(MarkedSpace::sizeStep - 1), allocationSize, scratchGPR1);
urshift32(TrustedImm32(stepShift), scratchGPR1);
slowPath.append(branch32(Above, scratchGPR1, TrustedImm32(MarkedSpace::largeCutoff >> stepShift)));
- move(TrustedImmPtr(subspace.allocatorForSizeStep() - 1), scratchGPR2);
+ move(TrustedImmPtr(subspace.allocatorForSizeStep()), scratchGPR2);
loadPtr(BaseIndex(scratchGPR2, scratchGPR1, timesPtr()), scratchGPR1);
emitAllocate(resultGPR, JITAllocator::variable(), scratchGPR1, scratchGPR2, slowPath);
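Review bot: Removing the `- 1` from the table base means the index computed by the `add32`/`urshift32` pair is used directly, so the `Above, largeCutoff >> stepShift` guard now admits index `largeCutoff >> stepShift` as the last legal entry, which is correct only because `numSizeClasses` grew by one in the same commit, a coupling that is not visible at this site. Suggest `// Index largeCutoff >> stepShift is the last entry of allocatorForSizeStep (numSizeClasses - 1); anything larger takes the slow path.` on the branch line. Separately, the 32-bit `add32` of `sizeStep - 1` wraps for an `allocationSize` within `sizeStep` of `UINT32_MAX`, which would classify a huge request as size class 0 and hand back a tiny cell; the typed-array callers appear to cap the size first, but that precondition belongs in a comment on this function. emitAllocateVariableSized starts before this hunk.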
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/JSArrayBufferView.cpp (236167 => 236168)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/JSArrayBufferView.cpp 2018-09-19 12:33:11 UTC (rev 236167)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/runtime/JSArrayBufferView.cpp 2018-09-19 12:33:18 UTC (rev 236168)
@@ -69,12 +69,9 @@
// Attempt GC allocation.
void* temp;
size_t size = sizeOf(length, elementSize);
- if (size) {
- temp = vm.primitiveGigacageAuxiliarySpace.allocateNonVirtual(vm, size, nullptr, AllocationFailureMode::ReturnNull);
- if (!temp)
- return;
- } else
- temp = nullptr;
+ temp = vm.primitiveGigacageAuxiliarySpace.allocateNonVirtual(vm, size, nullptr, AllocationFailureMode::ReturnNull);
+ if (!temp)
+ return;
m_structure = structure;
m_vector = temp;
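Review bot: The dropped `else temp = nullptr;` branch changes an invariant: a zero-length view built through this path now owns a real GC cell from the smallest size class and `m_vector` is never null here, where it used to be null for `length == 0`. Nothing in the hunk records that, and any code that treated a null vector as "no backing store" (not visible here) would now behave differently for empty views, so a grep before landing is warranted. Add `// length == 0 still allocates: the auxiliary space maps a zero-byte request to the smallest size class, so m_vector is non-null for every view constructed here.` above the `allocateNonVirtual` call. The constructor continues past this hunk; allocation failure appears to be signalled by returning before `m_structure` is assigned.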