Title: [254491] trunk
Revision: 254491
Author: [email protected]
Date: 2020-01-13 21:24:58 -0800 (Mon, 13 Jan 2020)
Log Message
scanSideState scans too much side state
https://bugs.webkit.org/show_bug.cgi?id=206166
Reviewed by Tadeu Zagallo.
JSTests:
* stress/checkpoint-side-state-gc-tmps-overflow.js: Added.
(v8):
Source/_javascript_Core:
The old code would scan tmps + sizeof(tmps) but sizeof(tmps)
is not the length of the array. Instead we should scan tmps +
maxNumCheckpointTmps.
* interpreter/CheckpointOSRExitSideState.h:
* runtime/VM.cpp:
(JSC::VM::scanSideState const):
Diff
Modified: trunk/JSTests/ChangeLog (254490 => 254491)
--- trunk/JSTests/ChangeLog 2020-01-14 05:09:19 UTC (rev 254490)
+++ trunk/JSTests/ChangeLog 2020-01-14 05:24:58 UTC (rev 254491)
@@ -1,3 +1,13 @@
+2020-01-13 Keith Miller <[email protected]>
+
+ scanSideState scans too much side state
+ https://bugs.webkit.org/show_bug.cgi?id=206166
+
+ Reviewed by Tadeu Zagallo.
+
+ * stress/checkpoint-side-state-gc-tmps-overflow.js: Added.
+ (v8):
+
2020-01-13 Saam Barati <[email protected]>
Throw away baseline code if there is an optimized replacement
Added: trunk/JSTests/stress/checkpoint-side-state-gc-tmps-overflow.js (0 => 254491)
--- trunk/JSTests/stress/checkpoint-side-state-gc-tmps-overflow.js (rev 0)
+++ trunk/JSTests/stress/checkpoint-side-state-gc-tmps-overflow.js 2020-01-14 05:24:58 UTC (rev 254491)
@@ -0,0 +1,30 @@
+//@ requireOptions("--useConcurrentGC=false")
+
+var v2 = 2190736854 + 1;
+var v3 = v2 + Object;
+var v4 = v3;
+var v7 = 0;
+do {
+ function v8(v9,v10,v11,v12,v13) {
+ try {
+ var v14 = v13();
+ } catch(v16) {
+ }
+ var v18 = gc();
+ if (v18) {
+ } else {
+ }
+ var v20 = v9;
+ do {
+ var v21 = v20 + 1;
+ v20 = v21;
+ } while (v20 < 4);
+ }
+ var v24 = new Int32Array();
+ var v25 = v8(...v4);
+ for (var v29 = -1024; v29 < 100; v29++) {
+ }
+ var v30 = v7 + 1;
+ v7 = v30;
+} while (v7 < 10000);
+gc();
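Review bot: The test has no comment explaining what it reproduces, which makes it hard to keep meaningful if it ever needs adjusting. From the visible lines, `v3 = v2 + Object` coerces to a string, so `v8(...v4)` spreads that string's characters and passes far more arguments than the five declared parameters; `v13()` then throws (caught by the empty `catch`), and the `gc()` call inside `v8` is what forces `scanSideState` to walk the checkpoint tmps while the over-long spread is live. A two-line header comment stating that intent (and why `--useConcurrentGC=false` is required for determinism) would document the regression the test guards.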
Modified: trunk/Source/_javascript_Core/ChangeLog (254490 => 254491)
--- trunk/Source/_javascript_Core/ChangeLog 2020-01-14 05:09:19 UTC (rev 254490)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-01-14 05:24:58 UTC (rev 254491)
@@ -1,3 +1,18 @@
+2020-01-13 Keith Miller <[email protected]>
+
+ scanSideState scans too much side state
+ https://bugs.webkit.org/show_bug.cgi?id=206166
+
+ Reviewed by Tadeu Zagallo.
+
+ The old code would would scan tmps + sizeof(tmps) but sizeof(tmps)
+ is not the length of the array. instead we should scan tmps +
+ maxNumCheckpointTmps.
+
+ * interpreter/CheckpointOSRExitSideState.h:
+ * runtime/VM.cpp:
+ (JSC::VM::scanSideState const):
+
2020-01-13 Saam Barati <[email protected]>
Throw away baseline code if there is an optimized replacement
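Review bot: The ChangeLog text has a duplicated word and a capitalisation slip: "The old code would would scan" should read "The old code would scan", and "instead we should scan" should start a new sentence with a capital "Instead". It would also help future readers to state the consequence explicitly: since `tmps` is a `JSValue*` in pointer arithmetic, `tmps + sizeof(tmps)` advances by `sizeof(tmps)` elements rather than bytes, so the old loop conservatively scanned roughly `sizeof(JSValue)` times the array and read past the allocation.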
Modified: trunk/Source/_javascript_Core/interpreter/CheckpointOSRExitSideState.h (254490 => 254491)
--- trunk/Source/_javascript_Core/interpreter/CheckpointOSRExitSideState.h 2020-01-14 05:09:19 UTC (rev 254490)
+++ trunk/Source/_javascript_Core/interpreter/CheckpointOSRExitSideState.h 2020-01-14 05:24:58 UTC (rev 254491)
@@ -35,7 +35,7 @@
public:
BytecodeIndex bytecodeIndex;
- JSValue tmps[maxNumCheckpointTmps];
+ JSValue tmps[maxNumCheckpointTmps] { };
};
}
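Review bot: Value-initializing `tmps` with `{ }` is a reasonable hardening, but it is not mentioned in the ChangeLog and the reason is not obvious from the header alone. Since `VM::scanSideState` hands this array to `ConservativeRoots::add`, uninitialized slots would be treated as potential pointers during GC; a one-line comment on the member (e.g. "zero-initialized so conservative scanning never sees stale bits") would record that, and would make clear that the initializer is defence in depth rather than the actual fix for the over-scan.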
Modified: trunk/Source/_javascript_Core/runtime/VM.cpp (254490 => 254491)
--- trunk/Source/_javascript_Core/runtime/VM.cpp 2020-01-14 05:09:19 UTC (rev 254490)
+++ trunk/Source/_javascript_Core/runtime/VM.cpp 2020-01-14 05:24:58 UTC (rev 254491)
@@ -1066,8 +1066,11 @@
void VM::scanSideState(ConservativeRoots& roots) const
{
- for (const auto& iter : m_checkpointSideState)
- roots.add(iter.value->tmps, iter.value->tmps + sizeof(iter.value->tmps));
+ ASSERT(heap.mutatorState() != MutatorState::Running);
+ for (const auto& iter : m_checkpointSideState) {
+ static_assert(sizeof(iter.value->tmps) / sizeof(JSValue) == maxNumCheckpointTmps);
+ roots.add(iter.value->tmps, iter.value->tmps + maxNumCheckpointTmps);
+ }
}
#endif
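Review bot: The new `ASSERT(heap.mutatorState() != MutatorState::Running)` is a behavioural addition that the ChangeLog does not describe; please either document why side state may only be scanned while the mutator is stopped, or split it into its own change. The `static_assert` guarding `sizeof(iter.value->tmps) / sizeof(JSValue) == maxNumCheckpointTmps` is a good safeguard against the constant and the array drifting apart; an alternative that needs no such guard is to pass `std::end(iter.value->tmps)` as the upper bound, which expresses "one past the last element" directly and cannot repeat the `sizeof` mistake of the removed line.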
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes