BASSERTs added in r196421 are causing debug test failures
author msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 13 Feb 2016 01:10:22 +0000 (01:10 +0000)
committer msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 13 Feb 2016 01:10:22 +0000 (01:10 +0000)
commit ffd7ac414e48b544130ae388dd60294aa12c5379
tree ed8f721b6b63a99e2b06d4833a4bfc120a9db8e8
parent 19ab4e4f5b8b8005c9fe96e7d79dbadc50c8602a
BASSERTs added in r196421 are causing debug test failures
https://bugs.webkit.org/show_bug.cgi?id=154113

Reviewed by Geoffrey Garen.

In VMHeap::deallocateLargeObject(), we drop the lock to deallocate the physical pages.
If the scavenger thread is running at the same time a synchronous call to scavenge()
comes in, we could call VMHeap::deallocateLargeObject() for an adjacent object while the
lock in the other thread is dropped.  We fix this by checking for adjacent objects we
can merge with and loop if we have one.

* bmalloc/FreeList.h:
(bmalloc::FreeList::push): Added BASSERT to catch adding unmerged free objects
* bmalloc/Heap.cpp:
(bmalloc::Heap::allocateLarge): Changed to use nextCanMerge().
* bmalloc/LargeObject.h:
(bmalloc::LargeObject::prevCanMerge): Repurposed prevIsAllocated.
(bmalloc::LargeObject::nextCanMerge): Repurposed nextIsAllocated.
(bmalloc::LargeObject::prevIsAllocated): Deleted.
(bmalloc::LargeObject::nextIsAllocated): Deleted.
* bmalloc/VMHeap.h:
(bmalloc::VMHeap::allocateLargeObject): Moved adding the extra object back to the free list
to after we set the object we'll return as being allocated.
(bmalloc::VMHeap::deallocateLargeObject):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@196536 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/bmalloc/ChangeLog
Source/bmalloc/bmalloc/FreeList.h
Source/bmalloc/bmalloc/Heap.cpp
Source/bmalloc/bmalloc/LargeObject.h
Source/bmalloc/bmalloc/VMHeap.h
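
The race described in the commit message above, as an added illustration rather than code from the commit or from bmalloc. `ToyHeap`, its `decommit` hook and `freeEntriesAfterRace` are hypothetical names, and the second thread is simulated by a callback that runs while the lock is dropped.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <map>
#include <mutex>

// Hypothetical toy heap (not bmalloc): free ranges keyed by start offset.
// Invariant the allocator relies on: no two free entries are adjacent.
struct ToyHeap {
    std::mutex lock;
    std::map<size_t, size_t> freeRanges;     // begin -> size
    std::function<void()> decommit = [] {};  // stands in for releasing physical pages

    // Absorb free neighbours into [begin, begin + size); true if anything merged.
    bool mergeNeighbours(size_t& begin, size_t& size) {
        bool merged = false;
        auto next = freeRanges.find(begin + size);
        if (next != freeRanges.end()) { size += next->second; freeRanges.erase(next); merged = true; }
        auto prev = freeRanges.lower_bound(begin);
        if (prev != freeRanges.begin()) {
            --prev;
            if (prev->first + prev->second == begin) {
                begin = prev->first; size += prev->second; freeRanges.erase(prev); merged = true;
            }
        }
        return merged;
    }
    // recheck=false frees without looking again; recheck=true loops while a neighbour can merge.
    void deallocate(size_t begin, size_t size, bool recheck) {
        std::unique_lock<std::mutex> guard(lock);
        mergeNeighbours(begin, size);
        do {
            guard.unlock();  // lock dropped: a concurrent free of a neighbour can land here
            decommit();
            guard.lock();
        } while (recheck && mergeNeighbours(begin, size));
        freeRanges[begin] = size;
    }
};

// Constructed interleaving: while the free of [0, 4096) has the lock dropped,
// a free of the adjacent range [4096, 8192) runs to completion.
size_t freeEntriesAfterRace(bool recheck) {
    ToyHeap heap;
    bool fired = false;
    heap.decommit = [&] { if (!fired) { fired = true; heap.deallocate(4096, 4096, recheck); } };
    heap.deallocate(0, 4096, recheck);
    return heap.freeRanges.size();  // 1 = merged, 2 = adjacent unmerged entries
}
int main() { std::printf("%zu %zu\n", freeEntriesAfterRace(false), freeEntriesAfterRace(true)); }
```

Two adjacent entries left in the free list is the state the added BASSERT in `FreeList::push` is described as catching.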