Title: [164448] trunk/Source/_javascript_Core
Revision: 164448
Author: [email protected]
Date: 2014-02-20 14:55:11 -0800 (Thu, 20 Feb 2014)
Log Message
CopiedBlock::pin can call into fastFree while forbidden
https://bugs.webkit.org/show_bug.cgi?id=128654
Reviewed by Oliver Hunt.
A FullCollection that skips copying doesn't clear the CopyWorkList of all the surviving
CopiedBlocks because we currently only call didSurviveGC() at the beginning of FullCollections.
EdenCollections always do copying, therefore they always clear all CopyWorkLists.
The fix is to call didSurviveGC() for all surviving CopiedBlocks at the end of FullCollections
as well as at the beginning.
* heap/CopiedBlock.h:
(JSC::CopiedBlock::didSurviveGC):
* heap/CopiedSpace.cpp:
(JSC::CopiedSpace::doneCopying):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (164447 => 164448)
--- trunk/Source/_javascript_Core/ChangeLog 2014-02-20 22:53:21 UTC (rev 164447)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-02-20 22:55:11 UTC (rev 164448)
@@ -1,5 +1,25 @@
2014-02-20 Mark Hahnenberg <[email protected]>
+ CopiedBlock::pin can call into fastFree while forbidden
+ https://bugs.webkit.org/show_bug.cgi?id=128654
+
+ Reviewed by Oliver Hunt.
+
+ A FullCollection that skips copying doesn't clear the CopyWorkList of the all the surviving
+ CopiedBlocks because we currently only call didSurviveGC() at the beginning of FullCollections.
+
+ EdenCollections always do copying, therefore they always clear all CopyWorkLists.
+
+ The fix is to call didSurviveGC() for all surviving CopiedBlocks at the end of FullCollections
+ as well at the beginning.
+
+ * heap/CopiedBlock.h:
+ (JSC::CopiedBlock::didSurviveGC):
+ * heap/CopiedSpace.cpp:
+ (JSC::CopiedSpace::doneCopying):
+
+2014-02-20 Mark Hahnenberg <[email protected]>
+
Add a JSC option to disable EdenCollections
https://bugs.webkit.org/show_bug.cgi?id=128849
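Review bot: the ChangeLog entry carries two grammatical slips that will live in the repository history: "the CopyWorkList of the all the surviving CopiedBlocks" should read "of all the surviving CopiedBlocks", and "as well at the beginning" should read "as well as at the beginning". The entry also says nothing about test coverage; since the bug is a fastFree call while allocation is forbidden (a debug-only assertion path), stating how the fix was verified, or adding the usual "No new tests" line with the reason, would make the record complete.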
Modified: trunk/Source/_javascript_Core/heap/CopiedBlock.h (164447 => 164448)
--- trunk/Source/_javascript_Core/heap/CopiedBlock.h 2014-02-20 22:53:21 UTC (rev 164447)
+++ trunk/Source/_javascript_Core/heap/CopiedBlock.h 2014-02-20 22:55:11 UTC (rev 164448)
@@ -147,6 +147,7 @@
inline void CopiedBlock::didSurviveGC()
{
checkConsistency();
+ ASSERT(isOld());
m_liveBytes = 0;
#ifndef NDEBUG
m_liveObjects = 0;
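Review bot: the new ASSERT(isOld()) turns "only old-generation blocks reach didSurviveGC()" into a precondition, but nothing in the hunk documents it and the assertion vanishes in release builds; a short comment above the function stating the precondition and what the method guarantees to callers would help. The commit message says the fix depends on didSurviveGC() clearing the block's CopyWorkList, yet the visible lines only reset m_liveBytes and m_liveObjects; confirm the work list is cleared further down in this function, because CopiedSpace::doneCopying now relies on that to keep a later pin() from freeing the list while fastFree is forbidden.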
Modified: trunk/Source/_javascript_Core/heap/CopiedSpace.cpp (164447 => 164448)
--- trunk/Source/_javascript_Core/heap/CopiedSpace.cpp 2014-02-20 22:53:21 UTC (rev 164447)
+++ trunk/Source/_javascript_Core/heap/CopiedSpace.cpp 2014-02-20 22:55:11 UTC (rev 164448)
@@ -253,6 +253,7 @@
// We don't add the block to the blockSet because it was never removed.
ASSERT(m_blockSet.contains(block));
blockFilter->add(reinterpret_cast<Bits>(block));
+ block->didSurviveGC();
toSpace->push(block);
}
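Review bot: the added block->didSurviveGC() call is undocumented at the call site, and the existing comment two lines above only explains the blockSet handling; add a sentence noting that blocks left in fromSpace when copying is skipped still carry a CopyWorkList from the mark phase, and that clearing it here is what prevents pin() from calling fastFree while it is forbidden. Since didSurviveGC() now asserts isOld(), it is also worth confirming in review that this loop is reached only for old-generation blocks and that calling it a second time on a block already cleared at the start of the collection is harmless.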
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes