IsoCellSet::sweepToFreeList() not safe when Full GC in process
authormsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 29 Jun 2018 01:37:38 +0000 (01:37 +0000)
committermsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 29 Jun 2018 01:37:38 +0000 (01:37 +0000)
https://bugs.webkit.org/show_bug.cgi?id=187157

Reviewed by Mark Lam.

* heap/IsoCellSet.cpp:
(JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
is in MarkedBlock::Handle::specializedSweep where it takes into account whether
or not we are in the process of marking during a full GC.
* heap/MarkedBlock.h:
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233346 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/heap/IsoCellSet.cpp
Source/JavaScriptCore/heap/MarkedBlock.h
Source/JavaScriptCore/heap/MarkedBlockInlines.h

index 1bf14b5..cb0aab2 100644 (file)
@@ -1,3 +1,18 @@
+2018-06-28  Michael Saboff  <msaboff@apple.com>
+  
+        IsoCellSet::sweepToFreeList() not safe when Full GC in process
+        https://bugs.webkit.org/show_bug.cgi?id=187157
+
+        Reviewed by Mark Lam.
+
+        * heap/IsoCellSet.cpp:
+        (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
+        is in MarkedBlock::Handle::specializedSweep where it takes into account whether
+        or not we are in the process of marking during a full GC.
+        * heap/MarkedBlock.h:
+        * heap/MarkedBlockInlines.h:
+        (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
+
 2018-06-27  Saam Barati  <sbarati@apple.com>
 
         Add some more register state information when we crash in repatchPutById
index dde4338..620dd15 100644 (file)
@@ -127,11 +127,12 @@ void IsoCellSet::sweepToFreeList(MarkedBlock::Handle* block)
     }
     
     if (block->block().hasAnyNewlyAllocated()) {
+        // The newlyAllocated() bits are a superset of the marks() bits.
         m_bits[block->index()]->concurrentFilter(block->block().newlyAllocated());
         return;
     }
 
-    if (block->isEmpty() || block->areMarksStale()) {
+    if (block->isEmpty() || block->areMarksStaleForSweep()) {
         {
             // Holding the bitvector lock happens to be enough because that's what we also hold in
             // other places where we manipulate this bitvector.
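Review bot: The comment added above the concurrentFilter() call states that newlyAllocated() is a superset of marks() but not why that matters on this path, which is what a reader needs in order to see that filtering on newlyAllocated() alone cannot drop a marked cell. Suggest `// The newlyAllocated() bits are a superset of the marks() bits, so filtering on them alone cannot drop a marked cell.` The replacement predicate areMarksStaleForSweep() is defined inline in MarkedBlockInlines.h, so this translation unit must include that header; the include list is not visible in this hunk. sweepToFreeList() begins and ends outside this hunk.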
index 444a88f..e240f0a 100644 (file)
@@ -187,6 +187,7 @@ public:
         template <typename Functor> inline IterationStatus forEachMarkedCell(const Functor&);
             
         JS_EXPORT_PRIVATE bool areMarksStale();
+        bool areMarksStaleForSweep();
         
         void assertMarksNotStale();
             
index 85c4c19..86b6f81 100644 (file)
@@ -203,6 +203,11 @@ inline bool MarkedBlock::Handle::isLiveCell(const void* p)
     return isLiveCell(space()->markingVersion(), space()->newlyAllocatedVersion(), space()->isMarking(), p);
 }
 
+inline bool MarkedBlock::Handle::areMarksStaleForSweep()
+{
+    return marksMode() == MarksStale;
+}
+
 // The following has to be true for specialization to kick in:
 //
 // sweepMode == SweepToFreeList
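Review bot: areMarksStaleForSweep() is introduced to mirror a check that, per the commit description, already exists inline in MarkedBlock::Handle::specializedSweep, so the same condition now lives in two places and can drift. Having specializedSweep call `areMarksStaleForSweep()` in place of its own `marksMode() == MarksStale` comparison would keep the two in lockstep; specializedSweep is outside this hunk, so the exact form of its check is inferred from the description rather than seen.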