[webkit-changes] [160822] trunk/Source/JavaScriptCore

[mhahnenberg]

Title: [160822] trunk/Source/_javascript_Core

Revision

160822

Author

mhahnenb...@apple.com

Date

2013-12-18 20:30:02 -0800 (Wed, 18 Dec 2013)

Log Message

DelayedReleaseScope is in the wrong place
https://bugs.webkit.org/show_bug.cgi?id=125876

Reviewed by Geoffrey Garen.

The DelayedReleaseScope needs to be around the free list sweeping in MarkedAllocator::tryAllocateHelper.
This location gives us a good safe point between getting ready to allocate  (i.e. identifying a non-empty
free list) and doing the actual allocation (popping the free list).

* heap/MarkedAllocator.cpp:
(JSC::MarkedAllocator::tryAllocateHelper):
(JSC::MarkedAllocator::allocateSlowCase):
(JSC::MarkedAllocator::addBlock):
* runtime/JSCellInlines.h:
(JSC::allocateCell):

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/heap/MarkedAllocator.cpp
• trunk/Source/_javascript_Core/runtime/JSCellInlines.h

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (160821 => 160822)

--- trunk/Source/_javascript_Core/ChangeLog	2013-12-19 03:48:08 UTC (rev 160821)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-12-19 04:30:02 UTC (rev 160822)
@@ -1,3 +1,21 @@
+2013-12-18  Mark Hahnenberg  <mhahnenb...@apple.com>
+
+        DelayedReleaseScope is in the wrong place
+        https://bugs.webkit.org/show_bug.cgi?id=125876
+
+        Reviewed by Geoffrey Garen.
+
+        The DelayedReleaseScope needs to be around the free list sweeping in MarkedAllocator::tryAllocateHelper. 
+        This location gives us a good safe point between getting ready to allocate  (i.e. identifying a non-empty 
+        free list) and doing the actual allocation (popping the free list).
+
+        * heap/MarkedAllocator.cpp:
+        (JSC::MarkedAllocator::tryAllocateHelper):
+        (JSC::MarkedAllocator::allocateSlowCase):
+        (JSC::MarkedAllocator::addBlock):
+        * runtime/JSCellInlines.h:
+        (JSC::allocateCell):
+
 2013-12-18  Gustavo Noronha Silva  <g...@gnome.org>
 
         [GTK][CMake] make libjavascriptcoregtk a public shared library again

Modified: trunk/Source/_javascript_Core/heap/MarkedAllocator.cpp (160821 => 160822)

--- trunk/Source/_javascript_Core/heap/MarkedAllocator.cpp	2013-12-19 03:48:08 UTC (rev 160821)
+++ trunk/Source/_javascript_Core/heap/MarkedAllocator.cpp	2013-12-19 04:30:02 UTC (rev 160822)
@@ -30,7 +30,11 @@
 
 inline void* MarkedAllocator::tryAllocateHelper(size_t bytes)
 {
-    if (!m_freeList.head) {
+    // We need a while loop to check the free list because the DelayedReleaseScope 
+    // could cause arbitrary code to execute and exhaust the free list that we 
+    // thought had elements in it.
+    while (!m_freeList.head) {
+        DelayedReleaseScope delayedReleaseScope(*m_markedSpace);
         if (m_currentBlock) {
             ASSERT(m_currentBlock == m_blocksToSweep);
             m_currentBlock->didConsumeFreeList();
@@ -59,7 +63,8 @@
             return 0;
         }
     }
-    
+
+    ASSERT(m_freeList.head);
     MarkedBlock::FreeCell* head = m_freeList.head;
     m_freeList.head = head->next;
     ASSERT(head);
@@ -78,7 +83,6 @@
 void* MarkedAllocator::allocateSlowCase(size_t bytes)
 {
     ASSERT(m_heap->vm()->currentThreadIsHoldingAPILock());
-    DelayedReleaseScope delayedReleaseScope(*m_markedSpace);
 #if COLLECT_ON_EVERY_ALLOCATION
     if (!m_heap->isDeferred())
         m_heap->collectAllGarbage();
@@ -126,6 +130,8 @@
 
 void MarkedAllocator::addBlock(MarkedBlock* block)
 {
+    // Satisfy the ASSERT in MarkedBlock::sweep.
+    DelayedReleaseScope delayedReleaseScope(*m_markedSpace);
     ASSERT(!m_currentBlock);
     ASSERT(!m_freeList.head);
     

Modified: trunk/Source/_javascript_Core/runtime/JSCellInlines.h (160821 => 160822)

--- trunk/Source/_javascript_Core/runtime/JSCellInlines.h	2013-12-19 03:48:08 UTC (rev 160821)
+++ trunk/Source/_javascript_Core/runtime/JSCellInlines.h	2013-12-19 04:30:02 UTC (rev 160822)
@@ -88,10 +88,6 @@
 {
     ASSERT(!DisallowGC::isGCDisallowedOnCurrentThread());
     ASSERT(size >= sizeof(T));
-#if ENABLE(GC_VALIDATION)
-    ASSERT(!heap.vm()->isInitializingObject());
-    heap.vm()->setInitializingObjectClass(T::info());
-#endif
     JSCell* result = 0;
     if (T::needsDestruction && T::hasImmortalStructure)
         result = static_cast<JSCell*>(heap.allocateWithImmortalStructureDestructor(size));
@@ -99,6 +95,10 @@
         result = static_cast<JSCell*>(heap.allocateWithNormalDestructor(size));
     else 
         result = static_cast<JSCell*>(heap.allocateWithoutDestructor(size));
+#if ENABLE(GC_VALIDATION)
+    ASSERT(!heap.vm()->isInitializingObject());
+    heap.vm()->setInitializingObjectClass(T::info());
+#endif
     result->clearStructure();
     return result;
 }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes