Diff
Modified: trunk/JSTests/ChangeLog (252384 => 252385)
--- trunk/JSTests/ChangeLog 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/JSTests/ChangeLog 2019-11-13 01:40:28 UTC (rev 252385)
@@ -1,3 +1,14 @@
+2019-11-12 Yusuke Suzuki <[email protected]>
+
+ [JSC] JSC GC relies on CodeBlock is not PreciseAllocation
+ https://bugs.webkit.org/show_bug.cgi?id=204124
+
+ Reviewed by Saam Barati.
+
+ * stress/ensure-code-block-is-not-precise-allocation.js: Added.
+ (foo):
+ (get for):
+
2019-11-12 Alexey Shvayka <[email protected]>
RegExpBuiltinExec should create "groups" property unconditionally
Added: trunk/JSTests/stress/ensure-code-block-is-not-precise-allocation.js (0 => 252385)
--- trunk/JSTests/stress/ensure-code-block-is-not-precise-allocation.js (rev 0)
+++ trunk/JSTests/stress/ensure-code-block-is-not-precise-allocation.js 2019-11-13 01:40:28 UTC (rev 252385)
@@ -0,0 +1,11 @@
+//@ slow!
+// Does not crash.
+function foo() {
+ +new Proxy({}, {get: foo});
+}
+
+for (let i=0; i< 500; i++) {
+ new Promise(foo);
+ const a0 = [];
+ const a1 = [0];
+}
Modified: trunk/Source/_javascript_Core/ChangeLog (252384 => 252385)
--- trunk/Source/_javascript_Core/ChangeLog 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-11-13 01:40:28 UTC (rev 252385)
@@ -1,3 +1,78 @@
+2019-11-12 Yusuke Suzuki <[email protected]>
+
+ [JSC] JSC GC relies on CodeBlock is not PreciseAllocation
+ https://bugs.webkit.org/show_bug.cgi?id=204124
+
+ Reviewed by Saam Barati.
+
+ This is a follow-up patch after r252298. This patch fixes several GC issues.
+
+ 1. We found that CodeBlock heavily relies on the fact that this is never getting PreciseAllocation.
+ For example, in our GC, we scan conservative roots to collect currently-executing CodeBlocks.
+ But if this is done in an Eden cycle, this can only find PreciseAllocation CodeBlocks allocated
+ in this current Eden cycle, since we only use Eden PreciseAllocation vector to find these cells.
+ This means some CodeBlocks that are PreciseAllocation and allocated in the past Eden cycle can
+ be missed in this currently-executing set. But we do not want to sort all the PreciseAllocation
+ vector every time Eden cycle happens. So, for now, we make # of lower-tier cells of CodeBlocks 0
+ so that CodeBlocks are always allocated as non PreciseAllocation.
+
+ 2. We had an pre-existing PreciseAllocation bug: when Weak<> is pointing PreciseAllocation, we keep
+ PreciseAllocation in m_preciseAllocations vector while the cell inside it is destroyed. This is OK.
+ But HeapUtil::findGCObjectPointersForMarking can populate this PreciseAllocation when performing
+ conservative root scanning. This means that HeapUtil::findGCObjectPointersForMarking can populate
+ destroyed cells. We insert hasValidCell check to avoid this issue.
+
+ 3. Subspace::sweep only sweeps non PreciseAllocation blocks despite of this name. This is a problem
+ since we are explicitly calling Subspace::sweep to sweep ScriptExecutables, CodeBlocks, and JIT
+ stubs in a defined order. We rename Subspace::sweep to Subspace::sweepBlocks, and introduce
+ IsoSubspace::sweep which also sweeps PreciseAllocations for lower-tier cells correctly.
+ We are calling PreciseAllocation::sweep, but we still leave PreciseAllocation in m_preciseAllocations.
+ This is OK since PreciseAllocation::sweep can be called multiple times. Destroying / Reusing PreciseAllocations
+ are done by MarkedSpace::sweepPreciseAllocations.
+
+ 4. We clear IsoCellSet's bit as soon as PreciseAllocation's cell is destroyed. This is aligned to the
+ behavior of MarkedBlocks.
+
+ * bytecode/CodeBlock.h:
+ * heap/CodeBlockSetInlines.h:
+ (JSC::CodeBlockSet::mark):
+ * heap/Heap.cpp:
+ (JSC::Heap::sweepSynchronously):
+ (JSC::Heap::sweepInFinalize):
+ * heap/HeapUtil.h:
+ (JSC::HeapUtil::findGCObjectPointersForMarking):
+ * heap/IsoCellSet.h:
+ * heap/IsoCellSetInlines.h:
+ (JSC::IsoCellSet::clearLowerTierCell):
+ (JSC::IsoCellSet::sweepLowerTierCell): Deleted.
+ * heap/IsoSubspace.cpp:
+ (JSC::IsoSubspace::IsoSubspace):
+ (JSC::IsoSubspace::tryAllocateFromLowerTier):
+ (JSC::IsoSubspace::sweepLowerTierCell):
+ * heap/IsoSubspace.h:
+ * heap/IsoSubspaceInlines.h:
+ (JSC::IsoSubspace::clearIsoCellSetBit):
+ (JSC::IsoSubspace::sweep):
+ * heap/IsoSubspacePerVM.cpp:
+ (JSC::IsoSubspacePerVM::AutoremovingIsoSubspace::AutoremovingIsoSubspace):
+ * heap/MarkedBlock.h:
+ * heap/MarkedSpace.cpp:
+ (JSC::MarkedSpace::sweepBlocks):
+ (JSC::MarkedSpace::sweep): Deleted.
+ * heap/MarkedSpace.h:
+ * heap/PreciseAllocation.cpp:
+ (JSC::PreciseAllocation::PreciseAllocation):
+ (JSC::PreciseAllocation::sweep):
+ * heap/Subspace.cpp:
+ (JSC::Subspace::sweepBlocks):
+ (JSC::Subspace::sweep): Deleted.
+ * heap/Subspace.h:
+ * runtime/JSCell.h:
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+ * wasm/js/JSWebAssemblyMemory.h:
+
2019-11-12 Alexey Shvayka <[email protected]>
RegExpBuiltinExec should create "groups" property unconditionally
Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.h (252384 => 252385)
--- trunk/Source/_javascript_Core/bytecode/CodeBlock.h 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.h 2019-11-13 01:40:28 UTC (rev 252385)
@@ -116,6 +116,8 @@
template<typename, SubspaceAccess>
static IsoSubspace* subspaceFor(VM&) { return nullptr; }
+ // GC strongly assumes CodeBlock is not a PreciseAllocation for now.
+ static constexpr uint8_t numberOfLowerTierCells = 0;
DECLARE_INFO;
Modified: trunk/Source/_javascript_Core/heap/CodeBlockSetInlines.h (252384 => 252385)
--- trunk/Source/_javascript_Core/heap/CodeBlockSetInlines.h 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/heap/CodeBlockSetInlines.h 2019-11-13 01:40:28 UTC (rev 252385)
@@ -38,6 +38,10 @@
if (!codeBlock)
return;
+ // Conservative root scanning in Eden collection can only find PreciseAllocation that is allocated in this Eden cycle.
+ // Since CodeBlockSet::m_currentlyExecuting is strongly assuming that this catches all the currently executing CodeBlock,
+ // we now have a restriction that all CodeBlock needs to be a non-precise-allocation.
+ ASSERT(!codeBlock->isPreciseAllocation());
m_currentlyExecuting.add(codeBlock);
}
Modified: trunk/Source/_javascript_Core/heap/Heap.cpp (252384 => 252385)
--- trunk/Source/_javascript_Core/heap/Heap.cpp 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/heap/Heap.cpp 2019-11-13 01:40:28 UTC (rev 252385)
@@ -1054,7 +1054,7 @@
dataLog("Full sweep: ", capacity() / 1024, "kb ");
before = MonotonicTime::now();
}
- m_objectSpace.sweep();
+ m_objectSpace.sweepBlocks();
m_objectSpace.shrink();
if (Options::logGC()) {
MonotonicTime after = MonotonicTime::now();
@@ -2154,7 +2154,11 @@
void Heap::sweepInFinalize()
{
m_objectSpace.sweepPreciseAllocations();
- vm().eagerlySweptDestructibleObjectSpace.sweep();
+#if ENABLE(WEBASSEMBLY)
+ // We hold onto a lot of memory, so it makes a lot of sense to be swept eagerly.
+ if (vm().m_webAssemblyMemorySpace)
+ vm().m_webAssemblyMemorySpace->sweep();
+#endif
}
void Heap::suspendCompilerThreads()
Modified: trunk/Source/_javascript_Core/heap/HeapUtil.h (252384 => 252385)
--- trunk/Source/_javascript_Core/heap/HeapUtil.h 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/heap/HeapUtil.h 2019-11-13 01:40:28 UTC (rev 252385)
@@ -67,7 +67,7 @@
[] (PreciseAllocation** ptr) -> PreciseAllocation* { return *ptr; });
if (result) {
auto attemptLarge = [&] (PreciseAllocation* allocation) {
- if (allocation->contains(pointer))
+ if (allocation->contains(pointer) && allocation->hasValidCell())
func(allocation->cell(), allocation->attributes().cellKind);
};
Modified: trunk/Source/_javascript_Core/heap/IsoCellSet.h (252384 => 252385)
--- trunk/Source/_javascript_Core/heap/IsoCellSet.h 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/heap/IsoCellSet.h 2019-11-13 01:40:28 UTC (rev 252385)
@@ -72,9 +72,9 @@
void didResizeBits(size_t newSize);
void didRemoveBlock(size_t blockIndex);
void sweepToFreeList(MarkedBlock::Handle*);
- void sweepLowerTierCell(unsigned);
+ void clearLowerTierCell(unsigned);
- Bitmap<MarkedBlock::numberOfLowerTierCells> m_lowerTierBits;
+ Bitmap<MarkedBlock::maxNumberOfLowerTierCells> m_lowerTierBits;
IsoSubspace& m_subspace;
Modified: trunk/Source/_javascript_Core/heap/IsoCellSetInlines.h (252384 => 252385)
--- trunk/Source/_javascript_Core/heap/IsoCellSetInlines.h 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/heap/IsoCellSetInlines.h 2019-11-13 01:40:28 UTC (rev 252385)
@@ -167,7 +167,7 @@
});
}
-inline void IsoCellSet::sweepLowerTierCell(unsigned index)
+inline void IsoCellSet::clearLowerTierCell(unsigned index)
{
m_lowerTierBits.concurrentTestAndClear(index);
}
Modified: trunk/Source/_javascript_Core/heap/IsoSubspace.cpp (252384 => 252385)
--- trunk/Source/_javascript_Core/heap/IsoSubspace.cpp 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/heap/IsoSubspace.cpp 2019-11-13 01:40:28 UTC (rev 252385)
@@ -35,13 +35,15 @@
namespace JSC {
-IsoSubspace::IsoSubspace(CString name, Heap& heap, HeapCellType* heapCellType, size_t size)
+IsoSubspace::IsoSubspace(CString name, Heap& heap, HeapCellType* heapCellType, size_t size, uint8_t numberOfLowerTierCells)
: Subspace(name, heap)
, m_size(size)
, m_directory(&heap, WTF::roundUpToMultipleOf<MarkedBlock::atomSize>(size))
, m_localAllocator(&m_directory)
, m_isoAlignedMemoryAllocator(makeUnique<IsoAlignedMemoryAllocator>())
+ , m_remainingLowerTierCellCount(numberOfLowerTierCells)
{
+ ASSERT(numberOfLowerTierCells <= MarkedBlock::maxNumberOfLowerTierCells);
m_isIsoSubspace = true;
initialize(heapCellType, m_isoAlignedMemoryAllocator.get());
@@ -108,9 +110,9 @@
allocation->remove();
return revive(allocation);
}
- if (m_lowerTierCellCount != MarkedBlock::numberOfLowerTierCells) {
+ if (m_remainingLowerTierCellCount) {
size_t size = WTF::roundUpToMultipleOf<MarkedSpace::sizeStep>(m_size);
- PreciseAllocation* allocation = PreciseAllocation::createForLowerTier(*m_space.heap(), size, this, m_lowerTierCellCount++);
+ PreciseAllocation* allocation = PreciseAllocation::createForLowerTier(*m_space.heap(), size, this, --m_remainingLowerTierCellCount);
return revive(allocation);
}
return nullptr;
@@ -118,13 +120,8 @@
void IsoSubspace::sweepLowerTierCell(PreciseAllocation* preciseAllocation)
{
- unsigned lowerTierIndex = preciseAllocation->lowerTierIndex();
preciseAllocation = preciseAllocation->reuseForLowerTier();
m_lowerTierFreeList.append(preciseAllocation);
- m_cellSets.forEach(
- [&] (IsoCellSet* set) {
- set->sweepLowerTierCell(lowerTierIndex);
- });
}
void IsoSubspace::destroyLowerTierFreeList()
Modified: trunk/Source/_javascript_Core/heap/IsoSubspace.h (252384 => 252385)
--- trunk/Source/_javascript_Core/heap/IsoSubspace.h 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/heap/IsoSubspace.h 2019-11-13 01:40:28 UTC (rev 252385)
@@ -37,7 +37,7 @@
class IsoSubspace : public Subspace {
public:
- JS_EXPORT_PRIVATE IsoSubspace(CString name, Heap&, HeapCellType*, size_t size);
+ JS_EXPORT_PRIVATE IsoSubspace(CString name, Heap&, HeapCellType*, size_t size, uint8_t numberOfLowerTierCells);
JS_EXPORT_PRIVATE ~IsoSubspace();
size_t size() const { return m_size; }
@@ -49,10 +49,13 @@
void* allocateNonVirtual(VM&, size_t, GCDeferralContext*, AllocationFailureMode);
void sweepLowerTierCell(PreciseAllocation*);
+ void clearIsoCellSetBit(PreciseAllocation*);
void* tryAllocateFromLowerTier();
void destroyLowerTierFreeList();
+ void sweep();
+
private:
friend class IsoCellSet;
@@ -66,7 +69,7 @@
std::unique_ptr<IsoAlignedMemoryAllocator> m_isoAlignedMemoryAllocator;
SentinelLinkedList<PreciseAllocation, PackedRawSentinelNode<PreciseAllocation>> m_lowerTierFreeList;
SentinelLinkedList<IsoCellSet, PackedRawSentinelNode<IsoCellSet>> m_cellSets;
- uint8_t m_lowerTierCellCount { 0 };
+ uint8_t m_remainingLowerTierCellCount { 0 };
};
ALWAYS_INLINE Allocator IsoSubspace::allocatorForNonVirtual(size_t size, AllocatorForMode)
@@ -75,7 +78,7 @@
return Allocator(&m_localAllocator);
}
-#define ISO_SUBSPACE_INIT(heap, heapCellType, type) ("Isolated " #type " Space", (heap), (heapCellType), sizeof(type))
+#define ISO_SUBSPACE_INIT(heap, heapCellType, type) ("Isolated " #type " Space", (heap), (heapCellType), sizeof(type), type::numberOfLowerTierCells)
template<typename T>
struct isAllocatedFromIsoSubspace {
Modified: trunk/Source/_javascript_Core/heap/IsoSubspaceInlines.h (252384 => 252385)
--- trunk/Source/_javascript_Core/heap/IsoSubspaceInlines.h 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/heap/IsoSubspaceInlines.h 2019-11-13 01:40:28 UTC (rev 252385)
@@ -35,5 +35,24 @@
return result;
}
+inline void IsoSubspace::clearIsoCellSetBit(PreciseAllocation* preciseAllocation)
+{
+ unsigned lowerTierIndex = preciseAllocation->lowerTierIndex();
+ m_cellSets.forEach(
+ [&](IsoCellSet* set) {
+ set->clearLowerTierCell(lowerTierIndex);
+ });
+}
+
+inline void IsoSubspace::sweep()
+{
+ Subspace::sweepBlocks();
+ // We sweep precise-allocations eagerly, but we do not free it immediately.
+ // This part should be done by MarkedSpace::sweepPreciseAllocations.
+ m_preciseAllocations.forEach([&](PreciseAllocation* allocation) {
+ allocation->sweep();
+ });
+}
+
} // namespace JSC
Modified: trunk/Source/_javascript_Core/heap/IsoSubspacePerVM.cpp (252384 => 252385)
--- trunk/Source/_javascript_Core/heap/IsoSubspacePerVM.cpp 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/heap/IsoSubspacePerVM.cpp 2019-11-13 01:40:28 UTC (rev 252385)
@@ -33,7 +33,7 @@
class IsoSubspacePerVM::AutoremovingIsoSubspace : public IsoSubspace {
public:
AutoremovingIsoSubspace(IsoSubspacePerVM& perVM, CString name, Heap& heap, HeapCellType* heapCellType, size_t size)
- : IsoSubspace(name, heap, heapCellType, size)
+ : IsoSubspace(name, heap, heapCellType, size, /* numberOfLowerTierCells */ 0)
, m_perVM(perVM)
{
}
Modified: trunk/Source/_javascript_Core/heap/MarkedBlock.h (252384 => 252385)
--- trunk/Source/_javascript_Core/heap/MarkedBlock.h 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/heap/MarkedBlock.h 2019-11-13 01:40:28 UTC (rev 252385)
@@ -78,8 +78,8 @@
static constexpr size_t atomsPerBlock = blockSize / atomSize;
- static constexpr size_t numberOfLowerTierCells = 8;
- static_assert(numberOfLowerTierCells <= 256);
+ static constexpr size_t maxNumberOfLowerTierCells = 8;
+ static_assert(maxNumberOfLowerTierCells <= 256);
static_assert(!(MarkedBlock::atomSize & (MarkedBlock::atomSize - 1)), "MarkedBlock::atomSize must be a power of two.");
static_assert(!(MarkedBlock::blockSize & (MarkedBlock::blockSize - 1)), "MarkedBlock::blockSize must be a power of two.");
Modified: trunk/Source/_javascript_Core/heap/MarkedSpace.cpp (252384 => 252385)
--- trunk/Source/_javascript_Core/heap/MarkedSpace.cpp 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/heap/MarkedSpace.cpp 2019-11-13 01:40:28 UTC (rev 252385)
@@ -232,7 +232,7 @@
// We do not call lastChanceToFinalize for lower-tier swept cells since we need nothing to do.
}
-void MarkedSpace::sweep()
+void MarkedSpace::sweepBlocks()
{
m_heap->sweeper().stopSweeping();
forEachDirectory(
Modified: trunk/Source/_javascript_Core/heap/MarkedSpace.h (252384 => 252385)
--- trunk/Source/_javascript_Core/heap/MarkedSpace.h 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/heap/MarkedSpace.h 2019-11-13 01:40:28 UTC (rev 252385)
@@ -140,7 +140,7 @@
void endMarking();
void snapshotUnswept();
void clearNewlyAllocated();
- void sweep();
+ void sweepBlocks();
void sweepPreciseAllocations();
void assertNoUnswept();
size_t objectCount();
Modified: trunk/Source/_javascript_Core/heap/PreciseAllocation.cpp (252384 => 252385)
--- trunk/Source/_javascript_Core/heap/PreciseAllocation.cpp 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/heap/PreciseAllocation.cpp 2019-11-13 01:40:28 UTC (rev 252385)
@@ -28,6 +28,7 @@
#include "AlignedMemoryAllocator.h"
#include "Heap.h"
+#include "IsoCellSetInlines.h"
#include "JSCInlines.h"
#include "Operations.h"
#include "SubspaceInlines.h"
@@ -178,6 +179,7 @@
, m_weakSet(heap.vm())
{
m_isMarked.store(0);
+ ASSERT(cell()->isPreciseAllocation());
}
PreciseAllocation::~PreciseAllocation()
@@ -227,6 +229,10 @@
if (m_hasValidCell && !isLive()) {
if (m_attributes.destruction == NeedsDestruction)
m_subspace->destroy(vm(), static_cast<JSCell*>(cell()));
+ // We should clear IsoCellSet's bit before actually destroying PreciseAllocation
+ // since PreciseAllocation's destruction can be delayed until its WeakSet is cleared.
+ if (isLowerTier())
+ static_cast<IsoSubspace*>(m_subspace)->clearIsoCellSetBit(this);
m_hasValidCell = false;
}
}
Modified: trunk/Source/_javascript_Core/heap/Subspace.cpp (252384 => 252385)
--- trunk/Source/_javascript_Core/heap/Subspace.cpp 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/heap/Subspace.cpp 2019-11-13 01:40:28 UTC (rev 252385)
@@ -124,7 +124,7 @@
});
}
-void Subspace::sweep()
+void Subspace::sweepBlocks()
{
forEachDirectory(
[&] (BlockDirectory& directory) {
Modified: trunk/Source/_javascript_Core/heap/Subspace.h (252384 => 252385)
--- trunk/Source/_javascript_Core/heap/Subspace.h 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/heap/Subspace.h 2019-11-13 01:40:28 UTC (rev 252385)
@@ -92,7 +92,7 @@
template<typename Func>
void forEachLiveCell(const Func&);
- void sweep();
+ void sweepBlocks();
Subspace* nextSubspaceInAlignedMemoryAllocator() const { return m_nextSubspaceInAlignedMemoryAllocator; }
void setNextSubspaceInAlignedMemoryAllocator(Subspace* subspace) { m_nextSubspaceInAlignedMemoryAllocator = subspace; }
Modified: trunk/Source/_javascript_Core/runtime/JSCell.h (252384 => 252385)
--- trunk/Source/_javascript_Core/runtime/JSCell.h 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/runtime/JSCell.h 2019-11-13 01:40:28 UTC (rev 252385)
@@ -91,6 +91,7 @@
// https://bugs.webkit.org/show_bug.cgi?id=166988
template<typename CellType, SubspaceAccess>
static CompleteSubspace* subspaceFor(VM&);
+ static constexpr uint8_t numberOfLowerTierCells = 8;
static JSCell* seenMultipleCalleeObjects() { return bitwise_cast<JSCell*>(static_cast<uintptr_t>(1)); }
Modified: trunk/Source/_javascript_Core/runtime/VM.cpp (252384 => 252385)
--- trunk/Source/_javascript_Core/runtime/VM.cpp 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/runtime/VM.cpp 2019-11-13 01:40:28 UTC (rev 252385)
@@ -104,6 +104,7 @@
#include "JSWebAssembly.h"
#include "JSWebAssemblyCodeBlock.h"
#include "JSWebAssemblyCodeBlockHeapCellType.h"
+#include "JSWebAssemblyMemory.h"
#include "JSWithScope.h"
#include "LLIntData.h"
#include "Lexer.h"
@@ -275,7 +276,6 @@
, destructibleCellSpace("Destructible JSCell", heap, destructibleCellHeapCellType.get(), fastMallocAllocator.get()) // Hash:0xbfff3d73
, stringSpace("JSString", heap, stringHeapCellType.get(), fastMallocAllocator.get()) // Hash:0x90cf758f
, destructibleObjectSpace("JSDestructibleObject", heap, destructibleObjectHeapCellType.get(), fastMallocAllocator.get()) // Hash:0x4f5ed7a9
- , eagerlySweptDestructibleObjectSpace("Eagerly Swept JSDestructibleObject", heap, destructibleObjectHeapCellType.get(), fastMallocAllocator.get()) // Hash:0x6ebf28e2
, executableToCodeBlockEdgeSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), ExecutableToCodeBlockEdge) // Hash:0x7b730b20
, functionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSFunction) // Hash:0x800fca72
, internalFunctionSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), InternalFunction) // Hash:0xf845c464
@@ -1302,6 +1302,7 @@
#if ENABLE(WEBASSEMBLY)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(webAssemblyCodeBlockSpace, webAssemblyCodeBlockHeapCellType.get(), JSWebAssemblyCodeBlock) // Hash:0x9ad995cd
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(webAssemblyFunctionSpace, webAssemblyFunctionHeapCellType.get(), WebAssemblyFunction) // Hash:0x8b7c32db
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(webAssemblyMemorySpace, destructibleObjectHeapCellType.get(), JSWebAssemblyMemory)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(webAssemblyWrapperFunctionSpace, cellHeapCellType.get(), WebAssemblyWrapperFunction) // Hash:0xd4a5ff01
#endif
Modified: trunk/Source/_javascript_Core/runtime/VM.h (252384 => 252385)
--- trunk/Source/_javascript_Core/runtime/VM.h 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/runtime/VM.h 2019-11-13 01:40:28 UTC (rev 252385)
@@ -376,7 +376,6 @@
CompleteSubspace destructibleCellSpace;
CompleteSubspace stringSpace;
CompleteSubspace destructibleObjectSpace;
- CompleteSubspace eagerlySweptDestructibleObjectSpace;
IsoSubspace executableToCodeBlockEdgeSpace;
IsoSubspace functionSpace;
@@ -414,6 +413,7 @@
#if ENABLE(WEBASSEMBLY)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(webAssemblyCodeBlockSpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(webAssemblyFunctionSpace)
+ DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(webAssemblyMemorySpace)
DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER(webAssemblyWrapperFunctionSpace)
#endif
Modified: trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyMemory.h (252384 => 252385)
--- trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyMemory.h 2019-11-13 01:38:25 UTC (rev 252384)
+++ trunk/Source/_javascript_Core/wasm/js/JSWebAssemblyMemory.h 2019-11-13 01:40:28 UTC (rev 252385)
@@ -42,11 +42,10 @@
public:
typedef JSDestructibleObject Base;
- template<typename CellType, SubspaceAccess>
- static CompleteSubspace* subspaceFor(VM& vm)
+ template<typename CellType, SubspaceAccess mode>
+ static IsoSubspace* subspaceFor(VM& vm)
{
- // We hold onto a lot of memory, so it makes a lot of sense to be swept eagerly.
- return &vm.eagerlySweptDestructibleObjectSpace;
+ return vm.webAssemblyMemorySpace<mode>();
}
static JSWebAssemblyMemory* create(JSGlobalObject*, VM&, Structure*);
