Changeset 249484 in webkit

Timestamp:

Sep 4, 2019 11:01:37 AM (5 years ago)

Author:

mark.lam@apple.com

Message:

Source/JavaScriptCore:
Cherry-pick 248143, 248162. rdar://problem/55000992

Also deleted an unused function. This is needed to resolve a merge conflict for
this patch.

• heap/MarkedBlock.cpp:

(JSC::MarkedBlock::Handle::zap): Deleted.

• heap/MarkedBlock.h:

(JSC::MarkedBlock::Handle::zap): Deleted.

2019-08-02 Mark Lam <​mark.lam@apple.com>

Gardening: build fix.
​https://bugs.webkit.org/show_bug.cgi?id=200149
<rdar://problem/53570112>

Not reviewed.

• assembler/CPU.cpp: (JSC::hwPhysicalCPUMax):

2019-08-01 Mark Lam <​mark.lam@apple.com>

Add crash diagnostics for debugging unexpected zapped cells.
​https://bugs.webkit.org/show_bug.cgi?id=200149
<rdar://problem/53570112>

Reviewed by Yusuke Suzuki.

Add a check for zapped cells in SlotVisitor::appendToMarkStack() and
SlotVisitor::visitChildren(). If a zapped cell is detected, we will crash with
some diagnostic info.

To facilitate this, we've made the following changes:

1. Changed FreeCell to preserve the 1st 8 bytes. This is fine to do because all cells are at least 16 bytes long.
2. Changed HeapCell::zap() to only zap the structureID. Leave the rest of the cell header info intact (including the cell JSType).
3. Changed HeapCell::zap() to record the reason for zapping the cell. We stash the reason immediately after the first 8 bytes. This is the same location as FreeCell::scrambledNext. However, since a cell is not expected to be zapped and on the free list at the same time, it is also fine to do this.
4. Added a few utility functions to MarkedBlock for checking if a cell points into the block.
5. Added VMInspector and JSDollarVM utilities to dump in-use subspace hashes.
6. Added some comments to document the hashes of known subspaces.
7. Added Options::dumpZappedCellCrashData() to make this check conditional. We use this option to disable this check for slower machines so that their PLT5 performance is not impacted.

• assembler/CPU.cpp: (JSC::hwL3CacheSize): (JSC::hwPhysicalCPUMax):
• assembler/CPU.h: (JSC::hwL3CacheSize): (JSC::hwPhysicalCPUMax):
• heap/FreeList.h: (JSC::FreeCell::offsetOfScrambledNext):
• heap/HeapCell.h: (JSC::HeapCell::zap): (JSC::HeapCell::isZapped const):
• heap/MarkedBlock.cpp: (JSC::MarkedBlock::Handle::stopAllocating):
• heap/MarkedBlock.h: (JSC::MarkedBlock::Handle::start const): (JSC::MarkedBlock::Handle::end const): (JSC::MarkedBlock::Handle::contains const):
• heap/MarkedBlockInlines.h: (JSC::MarkedBlock::Handle::specializedSweep):
• heap/MarkedSpace.h: (JSC::MarkedSpace::forEachSubspace):
• heap/SlotVisitor.cpp: (JSC::SlotVisitor::appendToMarkStack): (JSC::SlotVisitor::visitChildren): (JSC::SlotVisitor::reportZappedCellAndCrash):
• heap/SlotVisitor.h:
• jit/AssemblyHelpers.cpp: (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
• runtime/Options.cpp: (JSC::Options::initialize):
• runtime/Options.h:
• runtime/VM.cpp: (JSC::VM::VM):
• tools/JSDollarVM.cpp: (JSC::functionDumpSubspaceHashes): (JSC::JSDollarVM::finishCreation):
• tools/VMInspector.cpp: (JSC::VMInspector::dumpSubspaceHashes):
• tools/VMInspector.h:

Source/WebCore:
Cherry-pick 248143. rdar://problem/55000992

2019-08-01 Mark Lam <​mark.lam@apple.com>

Add crash diagnostics for debugging unexpected zapped cells.
​https://bugs.webkit.org/show_bug.cgi?id=200149
<rdar://problem/53570112>

Reviewed by Yusuke Suzuki.

No new tests because this is a feature for debugging crashes. It has been tested
manually by modifying the code to force a crash at the point of interest.

Added some comments to document the hashes of known subspaces.

• bindings/js/WebCoreJSClientData.cpp: (WebCore::JSVMClientData::JSVMClientData):

Location:

branches/safari-608-branch

Files:

• . (modified) (1 prop)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/assembler/CPU.cpp (modified) (1 diff)
• Source/JavaScriptCore/assembler/CPU.h (modified) (2 diffs)
• Source/JavaScriptCore/heap/FreeList.h (modified) (2 diffs)
• Source/JavaScriptCore/heap/HeapCell.h (modified) (2 diffs)
• Source/JavaScriptCore/heap/MarkedBlock.cpp (modified) (2 diffs)
• Source/JavaScriptCore/heap/MarkedBlock.h (modified) (2 diffs)
• Source/JavaScriptCore/heap/MarkedBlockInlines.h (modified) (2 diffs)
• Source/JavaScriptCore/heap/MarkedSpace.h (modified) (2 diffs)
• Source/JavaScriptCore/heap/SlotVisitor.cpp (modified) (3 diffs)
• Source/JavaScriptCore/heap/SlotVisitor.h (modified) (1 diff)
• Source/JavaScriptCore/jit/AssemblyHelpers.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/Options.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/Options.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/VM.cpp (modified) (3 diffs)
• Source/JavaScriptCore/tools/JSDollarVM.cpp (modified) (2 diffs)
• Source/JavaScriptCore/tools/VMInspector.cpp (modified) (2 diffs)
• Source/JavaScriptCore/tools/VMInspector.h (modified) (2 diffs)
• Source/WebCore (modified) (1 prop)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/bindings/js/WebCoreJSClientData.cpp (modified) (1 diff)

branches/safari-608-branch/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-09-04  Mark Lam  <mark.lam@apple.com>
+
+        Cherry-pick 248143, 248162. rdar://problem/55000992
+
+        Also deleted an unused function.  This is needed to resolve a merge conflict for
+        this patch.
+
+        * heap/MarkedBlock.cpp:
+        (JSC::MarkedBlock::Handle::zap): Deleted.
+        * heap/MarkedBlock.h:
+        (JSC::MarkedBlock::Handle::zap): Deleted.
+
+    2019-08-02  Mark Lam  <mark.lam@apple.com>
+
+            Gardening: build fix.
+            https://bugs.webkit.org/show_bug.cgi?id=200149
+            <rdar://problem/53570112>
+
+            Not reviewed.
+
+            * assembler/CPU.cpp:
+            (JSC::hwPhysicalCPUMax):
+
+    2019-08-01  Mark Lam  <mark.lam@apple.com>
+
+            Add crash diagnostics for debugging unexpected zapped cells.
+            https://bugs.webkit.org/show_bug.cgi?id=200149
+            <rdar://problem/53570112>
+
+            Reviewed by Yusuke Suzuki.
+
+            Add a check for zapped cells in SlotVisitor::appendToMarkStack() and
+            SlotVisitor::visitChildren().  If a zapped cell is detected, we will crash with
+            some diagnostic info.
+
+            To facilitate this, we've made the following changes:
+            1. Changed FreeCell to preserve the 1st 8 bytes.  This is fine to do because all
+               cells are at least 16 bytes long.
+            2. Changed HeapCell::zap() to only zap the structureID.  Leave the rest of the
+               cell header info intact (including the cell JSType).
+            3. Changed HeapCell::zap() to record the reason for zapping the cell.  We stash
+               the reason immediately after the first 8 bytes.  This is the same location as
+               FreeCell::scrambledNext.  However, since a cell is not expected to be zapped
+               and on the free list at the same time, it is also fine to do this.
+            4. Added a few utility functions to MarkedBlock for checking if a cell points
+               into the block.
+            5. Added VMInspector and JSDollarVM utilities to dump in-use subspace hashes.
+            6. Added some comments to document the hashes of known subspaces.
+            7. Added Options::dumpZappedCellCrashData() to make this check conditional.
+               We use this option to disable this check for slower machines so that their
+               PLT5 performance is not impacted.
+
+            * assembler/CPU.cpp:
+            (JSC::hwL3CacheSize):
+            (JSC::hwPhysicalCPUMax):
+            * assembler/CPU.h:
+            (JSC::hwL3CacheSize):
+            (JSC::hwPhysicalCPUMax):
+            * heap/FreeList.h:
+            (JSC::FreeCell::offsetOfScrambledNext):
+            * heap/HeapCell.h:
+            (JSC::HeapCell::zap):
+            (JSC::HeapCell::isZapped const):
+            * heap/MarkedBlock.cpp:
+            (JSC::MarkedBlock::Handle::stopAllocating):
+            * heap/MarkedBlock.h:
+            (JSC::MarkedBlock::Handle::start const):
+            (JSC::MarkedBlock::Handle::end const):
+            (JSC::MarkedBlock::Handle::contains const):
+            * heap/MarkedBlockInlines.h:
+            (JSC::MarkedBlock::Handle::specializedSweep):
+            * heap/MarkedSpace.h:
+            (JSC::MarkedSpace::forEachSubspace):
+            * heap/SlotVisitor.cpp:
+            (JSC::SlotVisitor::appendToMarkStack):
+            (JSC::SlotVisitor::visitChildren):
+            (JSC::SlotVisitor::reportZappedCellAndCrash):
+            * heap/SlotVisitor.h:
+            * jit/AssemblyHelpers.cpp:
+            (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
+            * runtime/Options.cpp:
+            (JSC::Options::initialize):
+            * runtime/Options.h:
+            * runtime/VM.cpp:
+            (JSC::VM::VM):
+            * tools/JSDollarVM.cpp:
+            (JSC::functionDumpSubspaceHashes):
+            (JSC::JSDollarVM::finishCreation):
+            * tools/VMInspector.cpp:
+            (JSC::VMInspector::dumpSubspaceHashes):
+            * tools/VMInspector.h:
+
 2019-09-03  Kocsen Chung  <kocsen_chung@apple.com>
 

branches/safari-608-branch/Source/JavaScriptCore/assembler/CPU.cpp

@@ -67 +67 @@
     return result;
 }
+
+int64_t hwL3CacheSize()
+{
+    int64_t val = 0;
+    size_t valSize = sizeof(val);
+    int rc = sysctlbyname("hw.l3cachesize", &val, &valSize, nullptr, 0);
+    if (rc < 0)
+        return 0;
+    return val;
+}
+
+int32_t hwPhysicalCPUMax()
+{
+    int32_t val = 0;
+    size_t valSize = sizeof(val);
+    int rc = sysctlbyname("hw.physicalcpu_max", &val, &valSize, nullptr, 0);
+    if (rc < 0)
+        return 0;
+    return val;
+}
+
 #endif // #if (CPU(X86) || CPU(X86_64)) && OS(DARWIN)
 

branches/safari-608-branch/Source/JavaScriptCore/assembler/CPU.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -146 +146 @@
 bool enableKernTCSM();
 int kernTCSMAwareNumberOfProcessorCores();
+int64_t hwL3CacheSize();
+int32_t hwPhysicalCPUMax();
 #else
 ALWAYS_INLINE bool isKernTCSMAvailable() { return false; }
 ALWAYS_INLINE bool enableKernTCSM() { return false; }
 ALWAYS_INLINE int kernTCSMAwareNumberOfProcessorCores() { return WTF::numberOfProcessorCores(); }
+ALWAYS_INLINE int64_t hwL3CacheSize() { return 0; }
+ALWAYS_INLINE int32_t hwPhysicalCPUMax() { return kernTCSMAwareNumberOfProcessorCores(); }
 #endif
 

branches/safari-608-branch/Source/JavaScriptCore/heap/FreeList.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -54 +54 @@
     }
     
+    static ptrdiff_t offsetOfScrambledNext() { return OBJECT_OFFSETOF(FreeCell, scrambledNext); }
+
+    uint64_t preservedBitsForCrashAnalysis;
     uintptr_t scrambledNext;
 };

branches/safari-608-branch/Source/JavaScriptCore/heap/HeapCell.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -48 +48 @@
     HeapCell() { }
     
-    void zap() { *reinterpret_cast_ptr<uintptr_t**>(this) = 0; }
-    bool isZapped() const { return !*reinterpret_cast_ptr<uintptr_t* const*>(this); }
+    // We're intentionally only zapping the bits for the structureID and leaving
+    // the rest of the cell header bits intact for crash analysis uses.
+    enum ZapReason : int8_t { Unspecified, Destruction, StopAllocating };
+    void zap(ZapReason reason)
+    {
+        uint32_t* cellWords = bitwise_cast<uint32_t*>(this);
+        cellWords[0] = 0;
+        // Leaving cellWords[1] alone for crash analysis if needed.
+        cellWords[2] = reason;
+    }
+    bool isZapped() const { return !*bitwise_cast<const uint32_t*>(this); }
 
     bool isLive();

branches/safari-608-branch/Source/JavaScriptCore/heap/MarkedBlock.cpp

@@ -162 +162 @@
                 dataLog("Free cell: ", RawPointer(cell), "\n");
             if (m_attributes.destruction == NeedsDestruction)
-                cell->zap();
+                cell->zap(HeapCell::StopAllocating);
             block().clearNewlyAllocated(cell);
         });
@@ -204 +204 @@
     // freelist, in which case the block will still be Marked!
     sweep(&freeList);
-}
-
-void MarkedBlock::Handle::zap(const FreeList& freeList)
-{
-    freeList.forEach(
-        [&] (HeapCell* cell) {
-            if (m_attributes.destruction == NeedsDestruction)
-                cell->zap();
-        });
 }
 

branches/safari-608-branch/Source/JavaScriptCore/heap/MarkedBlock.h

@@ -147 +147 @@
         void unsweepWithNoNewlyAllocated();
         
-        void zap(const FreeList&);
-        
         void shrink();
             
@@ -201 +199 @@
         void didRemoveFromDirectory();
         
+        void* start() const { return &m_block->atoms()[0]; }
+        void* end() const { return &m_block->atoms()[m_endAtom]; }
+        bool contains(void* p) const { return start() <= p && p < end(); }
+
         void dumpState(PrintStream&);
         

branches/safari-608-branch/Source/JavaScriptCore/heap/MarkedBlockInlines.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -259 +259 @@
         if (!jsCell->isZapped()) {
             destroyFunc(vm, jsCell);
-            jsCell->zap();
+            jsCell->zap(HeapCell::Destruction);
         }
     };

branches/safari-608-branch/Source/JavaScriptCore/heap/MarkedSpace.h

@@ -125 +125 @@
     template<typename Functor> void forEachDeadCell(HeapIterationScope&, const Functor&);
     template<typename Functor> void forEachBlock(const Functor&);
+    template<typename Functor> void forEachSubspace(const Functor&);
 
     void shrink();
@@ -241 +242 @@
 }
 
+template<typename Functor>
+void MarkedSpace::forEachSubspace(const Functor& functor)
+{
+    for (auto subspace : m_subspaces) {
+        if (functor(*subspace) == IterationStatus::Done)
+            return;
+    }
+}
+
+
 ALWAYS_INLINE size_t MarkedSpace::optimalSizeFor(size_t bytes)
 {

branches/safari-608-branch/Source/JavaScriptCore/heap/SlotVisitor.cpp

@@ -287 +287 @@
 {
     ASSERT(m_heap.isMarked(cell));
+#if CPU(X86_64)
+    if (Options::dumpZappedCellCrashData()) {
+        if (UNLIKELY(cell->isZapped()))
+            reportZappedCellAndCrash(cell);
+    }
+#endif
     ASSERT(!cell->isZapped());
-    
+
     container.noteMarked();
     
@@ -391 +397 @@
         // FIXME: This could be so much better.
         // https://bugs.webkit.org/show_bug.cgi?id=162462
+#if CPU(X86_64)
+        if (Options::dumpZappedCellCrashData()) {
+            Structure* structure = cell->structure(vm());
+            if (LIKELY(structure)) {
+                const MethodTable* methodTable = &structure->classInfo()->methodTable;
+                methodTable->visitChildren(const_cast<JSCell*>(cell), *this);
+                break;
+            }
+            reportZappedCellAndCrash(const_cast<JSCell*>(cell));
+        }
+#endif
         cell->methodTable(vm())->visitChildren(const_cast<JSCell*>(cell), *this);
         break;
@@ -810 +827 @@
 }
 
+#if CPU(X86_64)
+NEVER_INLINE NO_RETURN_DUE_TO_CRASH NOT_TAIL_CALLED void SlotVisitor::reportZappedCellAndCrash(JSCell* cell)
+{
+    MarkedBlock::Handle* foundBlock = nullptr;
+    uint32_t* cellWords = reinterpret_cast_ptr<uint32_t*>(this);
+
+    uintptr_t cellAddress = bitwise_cast<uintptr_t>(cell);
+    uintptr_t headerWord = cellWords[1];
+    uintptr_t zapReason = cellWords[2];
+    unsigned subspaceHash = 0;
+    size_t cellSize = 0;
+
+    m_heap.objectSpace().forEachBlock([&] (MarkedBlock::Handle* block) {
+        if (block->contains(cell)) {
+            foundBlock = block;
+            return IterationStatus::Done;
+        }
+        return IterationStatus::Continue;
+    });
+
+    if (foundBlock) {
+        subspaceHash = StringHasher::computeHash(foundBlock->subspace()->name());
+        cellSize = foundBlock->cellSize();
+    }
+
+    CRASH_WITH_INFO(cellAddress, headerWord, zapReason, subspaceHash, cellSize);
+}
+#endif // PLATFORM(MAC)
+
 } // namespace JSC

branches/safari-608-branch/Source/JavaScriptCore/heap/SlotVisitor.h

@@ -228 +228 @@
     bool didReachTermination(const AbstractLocker&);
 
+#if CPU(X86_64)
+    NEVER_INLINE NO_RETURN_DUE_TO_CRASH NOT_TAIL_CALLED void reportZappedCellAndCrash(JSCell*);
+#endif
+
     template<typename Func>
     IterationStatus forEachMarkStack(const Func&);

branches/safari-608-branch/Source/JavaScriptCore/jit/AssemblyHelpers.cpp

@@ -547 +547 @@
     // The object is half-allocated: we have what we know is a fresh object, but
     // it's still on the GC's free list.
-    loadPtr(Address(resultGPR), scratchGPR);
+    loadPtr(Address(resultGPR, FreeCell::offsetOfScrambledNext()), scratchGPR);
     storePtr(scratchGPR, Address(allocatorGPR, LocalAllocator::offsetOfFreeList() + FreeList::offsetOfScrambledHead()));
         

branches/safari-608-branch/Source/JavaScriptCore/runtime/Options.cpp

@@ -601 +601 @@
                 }
             }
+#endif
+
+#if CPU(X86_64) && OS(DARWIN)
+            Options::dumpZappedCellCrashData() =
+                (hwPhysicalCPUMax() >= 4) && (hwL3CacheSize() >= static_cast<int64_t>(6 * MB));
 #endif
         });

branches/safari-608-branch/Source/JavaScriptCore/runtime/Options.h

@@ -241 +241 @@
     v(bool, stealEmptyBlocksFromOtherAllocators, true, Normal, nullptr) \
     v(bool, eagerlyUpdateTopCallFrame, false, Normal, nullptr) \
+    v(bool, dumpZappedCellCrashData, false, Normal, nullptr) \
     \
     v(bool, useOSREntryToDFG, true, Normal, nullptr) \

branches/safari-608-branch/Source/JavaScriptCore/runtime/VM.cpp

@@ -266 +266 @@
     , webAssemblyFunctionHeapCellType(std::make_unique<WebAssemblyFunctionHeapCellType>())
 #endif
-    , primitiveGigacageAuxiliarySpace("Primitive Gigacage Auxiliary", heap, auxiliaryHeapCellType.get(), primitiveGigacageAllocator.get())
-    , jsValueGigacageAuxiliarySpace("JSValue Gigacage Auxiliary", heap, auxiliaryHeapCellType.get(), jsValueGigacageAllocator.get())
-    , immutableButterflyJSValueGigacageAuxiliarySpace("ImmutableButterfly Gigacage JSCellWithInteriorPointers", heap, immutableButterflyHeapCellType.get(), jsValueGigacageAllocator.get())
-    , cellSpace("JSCell", heap, cellHeapCellType.get(), fastMallocAllocator.get())
-    , jsValueGigacageCellSpace("JSValue Gigacage JSCell", heap, cellHeapCellType.get(), jsValueGigacageAllocator.get())
-    , destructibleCellSpace("Destructible JSCell", heap, destructibleCellHeapCellType.get(), fastMallocAllocator.get())
-    , stringSpace("JSString", heap, stringHeapCellType.get(), fastMallocAllocator.get())
-    , destructibleObjectSpace("JSDestructibleObject", heap, destructibleObjectHeapCellType.get(), fastMallocAllocator.get())
-    , eagerlySweptDestructibleObjectSpace("Eagerly Swept JSDestructibleObject", heap, destructibleObjectHeapCellType.get(), fastMallocAllocator.get())
-    , executableToCodeBlockEdgeSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), ExecutableToCodeBlockEdge)
-    , functionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSFunction)
-    , internalFunctionSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), InternalFunction)
-    , nativeExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), NativeExecutable)
-    , propertyTableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), PropertyTable)
-    , structureRareDataSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), StructureRareData)
-    , structureSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), Structure)
-    , symbolTableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), SymbolTable)
+    , primitiveGigacageAuxiliarySpace("Primitive Gigacage Auxiliary", heap, auxiliaryHeapCellType.get(), primitiveGigacageAllocator.get()) // Hash:0x3e7cd762
+    , jsValueGigacageAuxiliarySpace("JSValue Gigacage Auxiliary", heap, auxiliaryHeapCellType.get(), jsValueGigacageAllocator.get()) // Hash:0x241e946
+    , immutableButterflyJSValueGigacageAuxiliarySpace("ImmutableButterfly Gigacage JSCellWithInteriorPointers", heap, immutableButterflyHeapCellType.get(), jsValueGigacageAllocator.get()) // Hash:0x7a945300
+    , cellSpace("JSCell", heap, cellHeapCellType.get(), fastMallocAllocator.get()) // Hash:0xadfb5a79
+    , jsValueGigacageCellSpace("JSValue Gigacage JSCell", heap, cellHeapCellType.get(), jsValueGigacageAllocator.get()) // Hash:0x2f5b102b
+    , destructibleCellSpace("Destructible JSCell", heap, destructibleCellHeapCellType.get(), fastMallocAllocator.get()) // Hash:0xbfff3d73
+    , stringSpace("JSString", heap, stringHeapCellType.get(), fastMallocAllocator.get()) // Hash:0x90cf758f
+    , destructibleObjectSpace("JSDestructibleObject", heap, destructibleObjectHeapCellType.get(), fastMallocAllocator.get()) // Hash:0x4f5ed7a9
+    , eagerlySweptDestructibleObjectSpace("Eagerly Swept JSDestructibleObject", heap, destructibleObjectHeapCellType.get(), fastMallocAllocator.get()) // Hash:0x6ebf28e2
+    , executableToCodeBlockEdgeSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), ExecutableToCodeBlockEdge) // Hash:0x7b730b20
+    , functionSpace ISO_SUBSPACE_INIT(heap, cellHeapCellType.get(), JSFunction) // Hash:0x800fca72
+    , internalFunctionSpace ISO_SUBSPACE_INIT(heap, destructibleObjectHeapCellType.get(), InternalFunction) // Hash:0xf845c464
+    , nativeExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), NativeExecutable) // Hash:0x67567f95
+    , propertyTableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), PropertyTable) // Hash:0xc6bc9f12
+    , structureRareDataSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), StructureRareData) // Hash:0xaca4e62d
+    , structureSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), Structure) // Hash:0x1f1bcdca
+    , symbolTableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), SymbolTable) // Hash:0xc5215afd
     , executableToCodeBlockEdgesWithConstraints(executableToCodeBlockEdgeSpace)
     , executableToCodeBlockEdgesWithFinalizers(executableToCodeBlockEdgeSpace)
-    , codeBlockSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), CodeBlock)
-    , functionExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), FunctionExecutable)
-    , programExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), ProgramExecutable)
-    , unlinkedFunctionExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), UnlinkedFunctionExecutable)
+    , codeBlockSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), CodeBlock) // Hash:0x77e66ec9
+    , functionExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), FunctionExecutable) // Hash:0x5d158f3
+    , programExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), ProgramExecutable) // Hash:0x527c77e7
+    , unlinkedFunctionExecutableSpace ISO_SUBSPACE_INIT(heap, destructibleCellHeapCellType.get(), UnlinkedFunctionExecutable) // Hash:0xf6b828d9
     , vmType(vmType)
     , clientData(0)
@@ -1244 +1244 @@
 
 
-DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(boundFunctionSpace, cellHeapCellType.get(), JSBoundFunction)
-DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(callbackFunctionSpace, destructibleObjectHeapCellType.get(), JSCallbackFunction)
-DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(customGetterSetterFunctionSpace, cellHeapCellType.get(), JSCustomGetterSetterFunction)
-DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(errorInstanceSpace, destructibleObjectHeapCellType.get(), ErrorInstance)
-DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(nativeStdFunctionSpace, cellHeapCellType.get(), JSNativeStdFunction)
-DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(proxyRevokeSpace, destructibleObjectHeapCellType.get(), ProxyRevoke)
-DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(weakMapSpace, destructibleObjectHeapCellType.get(), JSWeakMap)
-DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(weakSetSpace, destructibleObjectHeapCellType.get(), JSWeakSet)
-DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(weakObjectRefSpace, cellHeapCellType.get(), JSWeakObjectRef)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(boundFunctionSpace, cellHeapCellType.get(), JSBoundFunction) // Hash:0xd7916d41
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(callbackFunctionSpace, destructibleObjectHeapCellType.get(), JSCallbackFunction) // Hash:0xe7648ebc
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(customGetterSetterFunctionSpace, cellHeapCellType.get(), JSCustomGetterSetterFunction) // Hash:0x18091000
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(errorInstanceSpace, destructibleObjectHeapCellType.get(), ErrorInstance) // Hash:0x3f40d4a
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(nativeStdFunctionSpace, cellHeapCellType.get(), JSNativeStdFunction) // Hash:0x70ed61e4
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(proxyRevokeSpace, destructibleObjectHeapCellType.get(), ProxyRevoke) // Hash:0xb506a939
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(weakMapSpace, destructibleObjectHeapCellType.get(), JSWeakMap) // Hash:0x662b12a3
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(weakSetSpace, destructibleObjectHeapCellType.get(), JSWeakSet) // Hash:0x4c781b30
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(weakObjectRefSpace, cellHeapCellType.get(), JSWeakObjectRef) // Hash:0x8ec68f1f
 #if JSC_OBJC_API_ENABLED
-DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(objCCallbackFunctionSpace, destructibleObjectHeapCellType.get(), ObjCCallbackFunction)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(objCCallbackFunctionSpace, destructibleObjectHeapCellType.get(), ObjCCallbackFunction) // Hash:0x10f610b8
 #endif
 #if ENABLE(WEBASSEMBLY)
-DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(webAssemblyCodeBlockSpace, webAssemblyCodeBlockHeapCellType.get(), JSWebAssemblyCodeBlock)
-DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(webAssemblyFunctionSpace, webAssemblyFunctionHeapCellType.get(), WebAssemblyFunction)
-DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(webAssemblyWrapperFunctionSpace, cellHeapCellType.get(), WebAssemblyWrapperFunction)
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(webAssemblyCodeBlockSpace, webAssemblyCodeBlockHeapCellType.get(), JSWebAssemblyCodeBlock) // Hash:0x9ad995cd
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(webAssemblyFunctionSpace, webAssemblyFunctionHeapCellType.get(), WebAssemblyFunction) // Hash:0x8b7c32db
+DYNAMIC_ISO_SUBSPACE_DEFINE_MEMBER_SLOW(webAssemblyWrapperFunctionSpace, cellHeapCellType.get(), WebAssemblyWrapperFunction) // Hash:0xd4a5ff01
 #endif
 
@@ -1274 +1274 @@
     }
 
-DYNAMIC_SPACE_AND_SET_DEFINE_MEMBER_SLOW(evalExecutableSpace, destructibleCellHeapCellType.get(), EvalExecutable)
-DYNAMIC_SPACE_AND_SET_DEFINE_MEMBER_SLOW(moduleProgramExecutableSpace, destructibleCellHeapCellType.get(), ModuleProgramExecutable)
+DYNAMIC_SPACE_AND_SET_DEFINE_MEMBER_SLOW(evalExecutableSpace, destructibleCellHeapCellType.get(), EvalExecutable) // Hash:0x958e3e9d
+DYNAMIC_SPACE_AND_SET_DEFINE_MEMBER_SLOW(moduleProgramExecutableSpace, destructibleCellHeapCellType.get(), ModuleProgramExecutable) // Hash:0x6506fa3c
 
 #undef DYNAMIC_SPACE_AND_SET_DEFINE_MEMBER_SLOW

branches/safari-608-branch/Source/JavaScriptCore/tools/JSDollarVM.cpp

@@ -1392 +1392 @@
 }
 
+// Dumps the hashes of all subspaces currently registered with the VM.
+// Usage: $vm.dumpSubspaceHashes()
+static EncodedJSValue JSC_HOST_CALL functionDumpSubspaceHashes(ExecState* exec)
+{
+    VM& vm = exec->vm();
+    VMInspector::dumpSubspaceHashes(&vm);
+    return JSValue::encode(jsUndefined());
+}
+
 // Gets a JSDollarVMCallFrame for a specified frame index.
 // Usage: var callFrame = $vm.callFrame(0) // frame 0 is the top frame.
@@ -2218 +2227 @@
     addFunction(vm, "gc", functionGC, 0);
     addFunction(vm, "edenGC", functionEdenGC, 0);
+    addFunction(vm, "dumpSubspaceHashes", functionDumpSubspaceHashes, 0);
 
     addFunction(vm, "callFrame", functionCallFrame, 1);

branches/safari-608-branch/Source/JavaScriptCore/tools/VMInspector.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -627 +627 @@
 }
 
+void VMInspector::dumpSubspaceHashes(VM* vm)
+{
+    unsigned count = 0;
+    vm->heap.objectSpace().forEachSubspace([&] (const Subspace& subspace) -> IterationStatus {
+        const char* name = subspace.name();
+        unsigned hash = StringHasher::computeHash(name);
+        void* hashAsPtr = reinterpret_cast<void*>(static_cast<uintptr_t>(hash));
+        dataLogLn("    [", count++, "] ", name, " Hash:", RawPointer(hashAsPtr));
+        return IterationStatus::Continue;
+    });
+    dataLogLn();
+}
+
 } // namespace JSC

branches/safari-608-branch/Source/JavaScriptCore/tools/VMInspector.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -79 +79 @@
     JS_EXPORT_PRIVATE static void dumpCellMemory(JSCell*);
     JS_EXPORT_PRIVATE static void dumpCellMemoryToStream(JSCell*, PrintStream&);
+    JS_EXPORT_PRIVATE static void dumpSubspaceHashes(VM*);
 
 private:

branches/safari-608-branch/Source/WebCore/ChangeLog

@@ +1 @@
+2019-09-04  Mark Lam  <mark.lam@apple.com>
+
+        Cherry-pick 248143. rdar://problem/55000992
+
+    2019-08-01  Mark Lam  <mark.lam@apple.com>
+
+            Add crash diagnostics for debugging unexpected zapped cells.
+            https://bugs.webkit.org/show_bug.cgi?id=200149
+            <rdar://problem/53570112>
+
+            Reviewed by Yusuke Suzuki.
+
+            No new tests because this is a feature for debugging crashes.  It has been tested
+            manually by modifying the code to force a crash at the point of interest.
+
+            Added some comments to document the hashes of known subspaces.
+
+            * bindings/js/WebCoreJSClientData.cpp:
+            (WebCore::JSVMClientData::JSVMClientData):
+
 2019-09-04  Kocsen Chung  <kocsen_chung@apple.com>
 

branches/safari-608-branch/Source/WebCore/bindings/js/WebCoreJSClientData.cpp

@@ -44 +44 @@
     : m_builtinFunctions(vm)
     , m_builtinNames(&vm)
-    , m_runtimeMethodSpace ISO_SUBSPACE_INIT(vm.heap, vm.destructibleObjectHeapCellType.get(), RuntimeMethod)
-    , m_outputConstraintSpace("WebCore Wrapper w/ Output Constraint", vm.heap, vm.destructibleObjectHeapCellType.get(), vm.fastMallocAllocator.get())
-    , m_globalObjectOutputConstraintSpace("WebCore Global Object w/ Output Constraint", vm.heap, vm.cellHeapCellType.get(), vm.fastMallocAllocator.get())
+    , m_runtimeMethodSpace ISO_SUBSPACE_INIT(vm.heap, vm.destructibleObjectHeapCellType.get(), RuntimeMethod) // Hash:0xf70c4a85
+    , m_outputConstraintSpace("WebCore Wrapper w/ Output Constraint", vm.heap, vm.destructibleObjectHeapCellType.get(), vm.fastMallocAllocator.get()) // Hash:0x7724c2e4
+    , m_globalObjectOutputConstraintSpace("WebCore Global Object w/ Output Constraint", vm.heap, vm.cellHeapCellType.get(), vm.fastMallocAllocator.get()) // Hash:0x522d6ec9
 {
 }