reportZappedCellAndCrash should handle PreciseAllocation in IsoSubspace
authorysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 15 Mar 2020 10:51:04 +0000 (10:51 +0000)
committerysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 15 Mar 2020 10:51:04 +0000 (10:51 +0000)
https://bugs.webkit.org/show_bug.cgi?id=209042

Reviewed by Mark Lam.

This patch adds support for PreciseAllocation cells to reportZappedCellAndCrash, since they are now frequently used
as lower-tier cells in IsoSubspace.

* heap/IsoSubspace.h:
* heap/IsoSubspaceInlines.h:
(JSC::IsoSubspace::forEachLowerTierFreeListedPreciseAllocation):
* runtime/JSCell.cpp:
(JSC::reportZappedCellAndCrash):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258479 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/heap/IsoSubspace.h
Source/JavaScriptCore/heap/IsoSubspaceInlines.h
Source/JavaScriptCore/runtime/JSCell.cpp

index 024ab0a..c11a293 100644 (file)
@@ -1,5 +1,21 @@
 2020-03-15  Yusuke Suzuki  <ysuzuki@apple.com>
 
+        reportZappedCellAndCrash should handle PreciseAllocation in IsoSubspace
+        https://bugs.webkit.org/show_bug.cgi?id=209042
+
+        Reviewed by Mark Lam.
+
+        This patch adds support of PreciseAllocation cells to reportZappedCellAndCrash, since now it is frequently used
+        as a lower-tier cells in IsoSubspace.
+
+        * heap/IsoSubspace.h:
+        * heap/IsoSubspaceInlines.h:
+        (JSC::IsoSubspace::forEachLowerTierFreeListedPreciseAllocation):
+        * runtime/JSCell.cpp:
+        (JSC::reportZappedCellAndCrash):
+
+2020-03-15  Yusuke Suzuki  <ysuzuki@apple.com>
+
         Should not use variable-length-array (VLA)
         https://bugs.webkit.org/show_bug.cgi?id=209043
 
index 0dbd3b0..a37b4bb 100644 (file)
@@ -56,6 +56,8 @@ public:
 
     void sweep();
 
+    template<typename Func> void forEachLowerTierFreeListedPreciseAllocation(const Func&);
+
 private:
     friend class IsoCellSet;
     
index 4660e77..8ed0cc7 100644 (file)
@@ -54,5 +54,11 @@ inline void IsoSubspace::sweep()
     });
 }
 
+template<typename Func>
+void IsoSubspace::forEachLowerTierFreeListedPreciseAllocation(const Func& func)
+{
+    m_lowerTierFreeList.forEach(func);
+}
+
 } // namespace JSC
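Review bot: The new forEachLowerTierFreeListedPreciseAllocation carries no comment stating which allocations it visits or what signature `func` must have; the only hint is its use in JSCell.cpp, which passes a lambda taking `PreciseAllocation*`. A one-line comment above the definition, `// Visits each lower-tier PreciseAllocation currently on m_lowerTierFreeList; func is invoked with a PreciseAllocation*.` would make the contract explicit (the element type is inferred from the caller, so confirm it against the declaration of m_lowerTierFreeList). Since the body only forwards to `m_lowerTierFreeList.forEach`, the iteration order and whether `func` may modify the list are whatever that forEach guarantees, which is worth stating in the same comment.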
 
index bdbef2e..553d16f 100644 (file)
@@ -25,6 +25,7 @@
 
 #include "ArrayBufferView.h"
 #include "BlockDirectoryInlines.h"
+#include "IsoSubspaceInlines.h"
 #include "JSCInlines.h"
 #include "JSCast.h"
 #include "JSFunction.h"
@@ -32,6 +33,7 @@
 #include "JSObject.h"
 #include "MarkedBlockInlines.h"
 #include "NumberObject.h"
+#include "SubspaceInlines.h"
 #include <wtf/LockAlgorithmInlines.h>
 #include <wtf/MathExtras.h>
 
@@ -330,7 +332,7 @@ NEVER_INLINE NO_RETURN_DUE_TO_CRASH NOT_TAIL_CALLED void reportZappedCellAndCras
     unsigned subspaceHash = 0;
     size_t cellSize = 0;
 
-    heap.objectSpace().forEachBlock([&] (MarkedBlock::Handle* blockHandle) {
+    heap.objectSpace().forEachBlock([&](MarkedBlock::Handle* blockHandle) {
         if (blockHandle->contains(bitwise_cast<JSCell*>(cell))) {
             foundBlockHandle = blockHandle;
             return IterationStatus::Done;
@@ -354,6 +356,43 @@ NEVER_INLINE NO_RETURN_DUE_TO_CRASH NOT_TAIL_CALLED void reportZappedCellAndCras
         ptrdiff_t cellOffset = cellAddress - reinterpret_cast<uint64_t>(foundBlockHandle->start());
         bool cellIsProperlyAligned = !(cellOffset % cellSize);
         variousState |= static_cast<uint64_t>(cellIsProperlyAligned) << 5;
+    } else {
+        bool isFreeListed = false;
+        PreciseAllocation* foundPreciseAllocation = nullptr;
+        heap.objectSpace().forEachSubspace([&](Subspace& subspace) {
+            subspace.forEachPreciseAllocation([&](PreciseAllocation* allocation) {
+                if (allocation->contains(cell))
+                    foundPreciseAllocation = allocation;
+            });
+            if (foundPreciseAllocation)
+                return IterationStatus::Done;
+
+            if (subspace.isIsoSubspace()) {
+                static_cast<IsoSubspace&>(subspace).forEachLowerTierFreeListedPreciseAllocation([&](PreciseAllocation* allocation) {
+                    if (allocation->contains(cell)) {
+                        foundPreciseAllocation = allocation;
+                        isFreeListed = true;
+                    }
+                });
+            }
+            if (foundPreciseAllocation)
+                return IterationStatus::Done;
+            return IterationStatus::Continue;
+        });
+        if (foundPreciseAllocation) {
+            subspaceHash = StringHasher::computeHash(foundPreciseAllocation->subspace()->name());
+            cellSize = foundPreciseAllocation->cellSize();
+
+            variousState |= static_cast<uint64_t>(isFreeListed) << 0;
+            variousState |= static_cast<uint64_t>(!isFreeListed) << 1;
+            variousState |= static_cast<uint64_t>(foundPreciseAllocation->subspace()->attributes().destruction == NeedsDestruction) << 3;
+            if (!isFreeListed) {
+                variousState |= static_cast<uint64_t>(foundPreciseAllocation->isEmpty()) << 2;
+                variousState |= static_cast<uint64_t>(foundPreciseAllocation->isNewlyAllocated()) << 4;
+            }
+            bool cellIsProperlyAligned = foundPreciseAllocation->cell() == cell;
+            variousState |= static_cast<uint64_t>(cellIsProperlyAligned) << 5;
+        }
     }
 
     CRASH_WITH_INFO(cellAddress, headerWord, zapReasonAndMore, subspaceHash, cellSize, foundBlock, variousState);
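Review bot: The bits packed into `variousState` in the new `else` branch (0 free-listed, 1 allocated, 2 empty, 3 needs destruction, 4 newly allocated, 5 properly aligned) are bare shift counts, and bit 5 is also set by the MarkedBlock branch just above the `else`, so the layout is presumably shared between the two branches but nothing names it and whoever decodes a crash report has to reconstruct it from the source. A comment at the top of the branch, `// variousState bit layout (same as the MarkedBlock branch above): 0 free-listed, 1 allocated, 2 empty, 3 needs destruction, 4 newly allocated, 5 cell properly aligned`, or a small set of named constants used by both branches, would keep them from drifting. Nothing in the report appears to distinguish "found in a PreciseAllocation" from "not found anywhere": `foundBlock` is presumably false in both cases and the reader must infer the former from a nonzero `cellSize`, so a dedicated bit such as `variousState |= static_cast<uint64_t>(foundPreciseAllocation != nullptr) << 6;` would make it explicit. The inner `forEachPreciseAllocation` lambda keeps scanning after a match, which is harmless but inconsistent with the `IterationStatus::Done` early exits around it. reportZappedCellAndCrash begins and ends outside this hunk.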