CopiedBlock::pin can call into fastFree while forbidden
authormhahnenberg@apple.com <mhahnenberg@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 20 Feb 2014 22:55:11 +0000 (22:55 +0000)
committermhahnenberg@apple.com <mhahnenberg@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 20 Feb 2014 22:55:11 +0000 (22:55 +0000)
https://bugs.webkit.org/show_bug.cgi?id=128654

Reviewed by Oliver Hunt.

A FullCollection that skips copying doesn't clear the CopyWorkList of all the surviving
CopiedBlocks because we currently only call didSurviveGC() at the beginning of FullCollections.

EdenCollections always do copying, therefore they always clear all CopyWorkLists.

The fix is to call didSurviveGC() for all surviving CopiedBlocks at the end of FullCollections
as well as at the beginning.

* heap/CopiedBlock.h:
(JSC::CopiedBlock::didSurviveGC):
* heap/CopiedSpace.cpp:
(JSC::CopiedSpace::doneCopying):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@164448 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/heap/CopiedBlock.h
Source/JavaScriptCore/heap/CopiedSpace.cpp

index 42513e0..0ad98d4 100644 (file)
@@ -1,5 +1,25 @@
 2014-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>
 
+        CopiedBlock::pin can call into fastFree while forbidden
+        https://bugs.webkit.org/show_bug.cgi?id=128654
+
+        Reviewed by Oliver Hunt.
+
+        A FullCollection that skips copying doesn't clear the CopyWorkList of the all the surviving 
+        CopiedBlocks because we currently only call didSurviveGC() at the beginning of FullCollections.
+
+        EdenCollections always do copying, therefore they always clear all CopyWorkLists.
+
+        The fix is to call didSurviveGC() for all surviving CopiedBlocks at the end of FullCollections 
+        as well at the beginning.
+
+        * heap/CopiedBlock.h:
+        (JSC::CopiedBlock::didSurviveGC):
+        * heap/CopiedSpace.cpp:
+        (JSC::CopiedSpace::doneCopying):
+
+2014-02-20  Mark Hahnenberg  <mhahnenberg@apple.com>
+
         Add a JSC option to disable EdenCollections
         https://bugs.webkit.org/show_bug.cgi?id=128849
 
index 6d59aa6..4685e23 100644 (file)
@@ -147,6 +147,7 @@ inline CopiedBlock::CopiedBlock(Region* region)
 inline void CopiedBlock::didSurviveGC()
 {
     checkConsistency();
+    ASSERT(isOld());
     m_liveBytes = 0;
 #ifndef NDEBUG
     m_liveObjects = 0;
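Review bot: the new ASSERT(isOld()) only documents the invariant in debug builds; nothing in this hunk enforces it in release, so the burden is on every caller of didSurviveGC() to guarantee the block is old. The visible context also ends at the live-byte/live-object reset and does not show where the CopyWorkList is cleared, so a reviewer cannot confirm from this hunk alone that calling didSurviveGC() is what releases the work list the commit message refers to; a one-line comment above the function stating that it resets the block's per-collection state (including the CopyWorkList) and must only run on old blocks would make the invariant explicit.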
index e2df481..cb1a656 100644 (file)
@@ -253,6 +253,7 @@ void CopiedSpace::doneCopying()
         // We don't add the block to the blockSet because it was never removed.
         ASSERT(m_blockSet.contains(block));
         blockFilter->add(reinterpret_cast<Bits>(block));
+        block->didSurviveGC();
         toSpace->push(block);
     }