JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
author sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 25 Jun 2018 23:56:35 +0000 (23:56 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 25 Jun 2018 23:56:35 +0000 (23:56 +0000)
commit dac682f0abcca3afb8f28c9c83e616d5f4a5d5fe
tree f77ff93c7ae529bcacc36e528611660b2ee1aa07
parent 8af3d153d9ab01470bcabb53a1fcb754e3d09b02
JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
https://bugs.webkit.org/show_bug.cgi?id=186878
<rdar://problem/40568659>

Reviewed by Mark Lam.

Source/JavaScriptCore:

This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
our stress GC bots. Before this patch, JSImmutableButterfly was allocated
with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
bots is that our conservative marking won't do cell marking for things that
are Auxiliary. This means that if the stack is the only thing pointing to a
JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
not be visited. This patch fixes this bug. This patch also extends our conservative
marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.

* bytecompiler/NodesCodegen.cpp:
(JSC::ArrayNode::emitBytecode):
* heap/HeapUtil.h:
(JSC::HeapUtil::findGCObjectPointersForMarking):
* runtime/JSImmutableButterfly.h:
(JSC::JSImmutableButterfly::subspaceFor):

LayoutTests:

Make these tests not susceptible to conservative scan leaks by ensuring at least
one object gets collected when we allocate many of them. Before, these were just
testing that a fixed number of objects were collected.

* editing/selection/navigation-clears-editor-state-expected.txt:
* editing/selection/navigation-clears-editor-state.html:
* fast/dom/reference-cycle-leaks.html:
* fast/misc/resources/test-observegc.js:
* fast/misc/test-observegc-expected.txt:
* platform/mac-wk2/plugins/refcount-leaks-expected.txt:
* plugins/refcount-leaks-expected.txt:
* plugins/refcount-leaks.html:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233184 268f45cc-cd09-0410-ab3c-d52691b4dbfc
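The failure mode the commit message describes, as an added example that is not WebKit or JavaScriptCore code: a toy mark phase with a conservative stack scan over cells tagged with a HeapCell-style kind. The names (CellKind, ToyHeap, elementSurvives), the arena layout, and the rule that a conservatively found Auxiliary cell is retained as raw storage but never visited are assumptions made for illustration; they follow the message's account that Auxiliary hits do not get cell marking and that interior pointers into JSCell-kind cells were not resolved before this change. Running it shows the element held by a butterfly-like cell being dropped when that cell is tagged Auxiliary and kept when it is tagged JSCell, and the same contrast for an interior pointer with and without the findGCObjectPointersForMarking extension.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <new>
#include <vector>

// Toy model (assumption, not JSC's real layout): every heap cell carries a
// kind, like HeapCell::Kind, and a byte size so interior pointers can be
// resolved back to the cell that contains them.
enum class CellKind { JSCell, Auxiliary };

struct Cell {
    CellKind kind;
    size_t size;                 // bytes occupied in the arena
    bool marked = false;
    std::vector<Cell*> children; // exact references traversed by visitChildren
    Cell(CellKind k, size_t s) : kind(k), size(s) {}
};

struct ToyHeap {
    alignas(16) unsigned char arena[4096];
    size_t used = 0;
    std::vector<Cell*> cells;

    ~ToyHeap() { for (Cell* c : cells) c->~Cell(); }

    // Bump allocation so cells have real, distinct addresses in the arena.
    Cell* allocate(CellKind kind, size_t payloadBytes) {
        size_t bytes = (sizeof(Cell) + payloadBytes + 15) & ~size_t(15);
        if (used + bytes > sizeof(arena)) return nullptr;
        Cell* c = new (arena + used) Cell(kind, bytes);
        used += bytes;
        cells.push_back(c);
        return c;
    }

    // Resolve a candidate word from the stack to a cell. Auxiliary cells
    // (raw storage such as butterflies) accept interior pointers; JSCell-kind
    // cells accept them only when allowInteriorJSCell is set, which models the
    // extension the commit makes to findGCObjectPointersForMarking.
    Cell* findCell(uintptr_t word, bool allowInteriorJSCell) const {
        for (Cell* c : cells) {
            uintptr_t begin = reinterpret_cast<uintptr_t>(c);
            if (word == begin)
                return c;
            bool interior = word > begin && word < begin + c->size;
            if (interior && (c->kind == CellKind::Auxiliary || allowInteriorJSCell))
                return c;
        }
        return nullptr;
    }

    // Mark a cell. Only JSCell-kind cells are queued for visitChildren; an
    // Auxiliary hit keeps its storage alive but nothing inside it is scanned.
    static void mark(Cell* c, std::vector<Cell*>& worklist) {
        if (!c || c->marked) return;
        c->marked = true;
        if (c->kind == CellKind::JSCell) worklist.push_back(c);
    }

    // Conservative root scan: every word on the stack is tried as a pointer,
    // then the worklist is drained through exact child references.
    void markFromStack(const std::vector<uintptr_t>& stack, bool allowInteriorJSCell) {
        for (Cell* c : cells) c->marked = false;
        std::vector<Cell*> worklist;
        for (uintptr_t word : stack)
            mark(findCell(word, allowInteriorJSCell), worklist);
        while (!worklist.empty()) {
            Cell* c = worklist.back();
            worklist.pop_back();
            for (Cell* child : c->children) mark(child, worklist);
        }
    }
};

// The scenario from the commit message: an immutable-butterfly-like cell that
// holds one element and is referenced only from the stack during GC. Returns
// whether the element is still marked afterwards, i.e. whether it survives.
bool elementSurvives(CellKind butterflyKind, bool pointFromInterior, bool allowInteriorJSCell) {
    ToyHeap heap;
    Cell* element = heap.allocate(CellKind::JSCell, 0);
    Cell* butterfly = heap.allocate(butterflyKind, 64);
    butterfly->children.push_back(element);
    uintptr_t root = reinterpret_cast<uintptr_t>(butterfly) + (pointFromInterior ? 16 : 0);
    heap.markFromStack({root}, allowInteriorJSCell);
    return element->marked;
}

int main() {
    std::printf("Auxiliary kind, exact stack pointer: survives=%d\n", elementSurvives(CellKind::Auxiliary, false, false));
    std::printf("JSCell kind, exact stack pointer:    survives=%d\n", elementSurvives(CellKind::JSCell, false, false));
    std::printf("JSCell kind, interior ptr, before:   survives=%d\n", elementSurvives(CellKind::JSCell, true, false));
    std::printf("JSCell kind, interior ptr, after:    survives=%d\n", elementSurvives(CellKind::JSCell, true, true));
    return 0;
}
```

The first two lines of output are the bug and the fix in subspaceFor: with the butterfly tagged Auxiliary the scan pins its bytes but never walks its contents, so the element it holds is unmarked and would be swept while still reachable, the classic conservative-GC use-after-free. The last two lines are the HeapUtil change: an interior pointer into a JSCell-kind cell is only a root once the lookup is allowed to resolve it.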
13 files changed:
LayoutTests/ChangeLog
LayoutTests/editing/selection/navigation-clears-editor-state-expected.txt
LayoutTests/editing/selection/navigation-clears-editor-state.html
LayoutTests/fast/dom/reference-cycle-leaks.html
LayoutTests/fast/misc/resources/test-observegc.js
LayoutTests/fast/misc/test-observegc-expected.txt
LayoutTests/platform/mac-wk2/plugins/refcount-leaks-expected.txt
LayoutTests/plugins/refcount-leaks-expected.txt
LayoutTests/plugins/refcount-leaks.html
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
Source/JavaScriptCore/heap/HeapUtil.h
Source/JavaScriptCore/runtime/JSImmutableButterfly.h