Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: e69c47917811c2d01befd9e16205c756c86e06a6
https://github.com/WebKit/WebKit/commit/e69c47917811c2d01befd9e16205c756c86e06a6
Author: Keith Miller <[email protected]>
Date: 2026-06-08 (Mon, 08 Jun 2026)
Changed paths:
A JSTests/stress/stringProtoFuncAt-GCOwnedDataScope-atomstring-swap.js
A JSTests/stress/stringProtoFuncEndsWith-GCOwnedDataScope-atomstring-swap.js
A JSTests/stress/stringProtoFuncLocaleCompare-GCOwnedDataScope-atomstring-swap.js
A JSTests/stress/stringProtoFuncStartsWith-GCOwnedDataScope-atomstring-swap.js
M Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
M Source/JavaScriptCore/Sources.txt
M Source/JavaScriptCore/heap/ConservativeRoots.cpp
A Source/JavaScriptCore/heap/GCOwnedDataScope.cpp
M Source/JavaScriptCore/heap/GCOwnedDataScope.h
M Source/JavaScriptCore/heap/Heap.cpp
M Source/JavaScriptCore/heap/Heap.h
M Source/JavaScriptCore/heap/IncrementalSweeper.cpp
M Source/JavaScriptCore/jit/JITWorklist.cpp
M Source/JavaScriptCore/jit/JITWorklist.h
M Source/JavaScriptCore/runtime/JSString.h
M Source/WTF/wtf/Forward.h
M Source/WTF/wtf/SegmentedVector.h
M Source/WebCore/SaferCPPExpectations/ForwardDeclCheckerExpectations
Log Message:
-----------
Heap needs to protect swapped JSString Impls for GCOwnedDataScope
https://bugs.webkit.org/show_bug.cgi?id=311420
rdar://172467032
Reviewed by Yusuke Suzuki and Dan Hecht.
When JSString::swapToAtomString replaces a StringImpl with its atomized
equivalent, the old StringImpl was kept alive only until the next GC via
Heap::m_possiblyAccessedStringsFromConcurrentThreads. However, if a
GCOwnedDataScope is on the stack it's possible for the buffer to get
freed before the ~GCOwnedDataScope runs, leaving the buffer as a
dangling pointer.
Fix this by:
1. Renaming m_possiblyAccessedStringsFromConcurrentThreads to
m_possiblyAccessedStringsFromConcurrentThreadsOrGCOwnedDataScope and
storing (JSString*, String) pairs so we can track ownership.
2. During conservative root scanning, discovering all JSStrings that are
still referenced on the stack and recording them in
m_discoveredAccessedStringsFromGCOwnedDataScope.
3. At GC finalize, pruning entries whose JSString was not discovered on
the stack rather than clearing the list entirely.
4. Between GCs, clearing the retained list in IncrementalSweeper when
no JS is executing and no JIT compilations are in progress.
Previously the list was only cleared during GC finalize, so it could
grow unboundedly between collections. Without this, Speedometer
appeared to be regressed; with this it seems like a .2% progression.
5. Switching from Vector to SegmentedVector with a new doubling growth
policy to avoid copying entries when resizing the Vector. Since this
list gets very big (200,000+ entries), avoiding copies is valuable.
Tests: JSTests/stress/stringProtoFuncAt-GCOwnedDataScope-atomstring-swap.js
JSTests/stress/stringProtoFuncEndsWith-GCOwnedDataScope-atomstring-swap.js
JSTests/stress/stringProtoFuncLocaleCompare-GCOwnedDataScope-atomstring-swap.js
JSTests/stress/stringProtoFuncStartsWith-GCOwnedDataScope-atomstring-swap.js
Originally-landed-as: 305413.614@rapid/safari-7624.2.5.110-branch
(ffdd4a695d15). rdar://176061081
Canonical link: https://commits.webkit.org/314730@main