Changeset 233722 in webkit
- Timestamp:
- Jul 10, 2018, 11:21:22 PM (7 years ago)
- Location:
- trunk
- Files:
-
- 3 added
- 9 edited
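--- a/trunk/JSTests/ChangeLog
+++ b/trunk/JSTests/ChangeLog
@@ -1,2 +1,14 @@
+2018-07-10 Mark Lam <mark.lam@apple.com>
+
+        constructArray() should always allocate the requested length.
+        https://bugs.webkit.org/show_bug.cgi?id=187543
+        <rdar://problem/41947884>
+
+        Reviewed by Saam Barati.
+
+        * stress/regress-187543-2.js: Added.
+        * stress/regress-187543-3.js: Added.
+        * stress/regress-187543.js: Added.
+
 2018-07-10 Keith Miller <keith_miller@apple.com>
 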
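--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,42 @@
+2018-07-10 Mark Lam <mark.lam@apple.com>
+
+        constructArray() should always allocate the requested length.
+        https://bugs.webkit.org/show_bug.cgi?id=187543
+        <rdar://problem/41947884>
+
+        Reviewed by Saam Barati.
+
+        Currently, it does not when we're having a bad time. We fix this by switching
+        back to using tryCreateUninitializedRestricted() exclusively in constructArray().
+        If we detect that a structure transition is possible before we can initialize
+        the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly.
+        We will introduce JSArray::eagerlyInitializeButterfly() to handle this.
+
+        Also enhanced the DisallowScope and ObjectInitializationScope to support this
+        eager initialization when needed.
+
+        * dfg/DFGOperations.cpp:
+        - the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects
+          the array allocation to always succeed. Adding this RELEASE_ASSERT here makes
+          it clearer that we encountered an OutOfMemory condition instead of failing in FTL
+          generated code, which will appear as a generic null pointer dereference.
+
+        * runtime/ArrayPrototype.cpp:
+        (JSC::concatAppendOne):
+        - the code here clearly wants to check for an allocation failure. Switched to
+          using JSArray::tryCreate() instead of JSArray::create().
+
+        * runtime/DisallowScope.h:
+        (JSC::DisallowScope::disable):
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::tryCreateUninitializedRestricted):
+        (JSC::JSArray::eagerlyInitializeButterfly):
+        (JSC::constructArray):
+        * runtime/JSArray.h:
+        * runtime/ObjectInitializationScope.cpp:
+        (JSC::ObjectInitializationScope::notifyInitialized):
+        * runtime/ObjectInitializationScope.h:
+        (JSC::ObjectInitializationScope::notifyInitialized):
+
 2018-07-05 Yusuke Suzuki <utatane.tea@gmail.com>
 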
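--- a/trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp
@@ -1533,5 +1533,5 @@
     else {
         result = JSArray::tryCreate(vm, arrayStructure, size, vectorLengthHint);
-        ASSERT(result);
+        RELEASE_ASSERT(result);
     }
     return bitwise_cast<char*>(result);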
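--- a/trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp
@@ -1270,5 +1270,5 @@
 
     Structure* resultStructure = exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(type);
-    JSArray* result = JSArray::create(vm, resultStructure, resultSize);
+    JSArray* result = JSArray::tryCreate(vm, resultStructure, resultSize);
     if (UNLIKELY(!result)) {
         throwOutOfMemoryError(exec, scope);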
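--- a/trunk/Source/JavaScriptCore/runtime/DisallowScope.h
+++ b/trunk/Source/JavaScriptCore/runtime/DisallowScope.h
@@ -1,4 +1,4 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -67,4 +67,10 @@
     }
 
+    void disable()
+    {
+        m_isEnabled = false;
+        exitScope();
+    }
+
 private:
     void enterScope()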
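Review bot: The new disable() has no comment and nothing guards against calling it on a scope that is already disabled, so a second call (or a call on a scope constructed with m_isEnabled false, if that is possible) would run exitScope() without a matching enterScope(); whether that is harmless depends on exitScope(), whose body is outside the hunk. Presumably the flag is cleared first so that the destructor skips its own exitScope(); if so, an early return `if (!m_isEnabled) return;` would make disable() idempotent and keep the enter/exit pairing balanced. A one-line comment such as `// Ends the scope early; the destructor must not exit it a second time.` would record that contract for the next reader.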
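--- a/trunk/Source/JavaScriptCore/runtime/JSArray.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/JSArray.cpp
@@ -49,5 +49,5 @@
 
     if (UNLIKELY(initialLength > MAX_STORAGE_VECTOR_LENGTH))
-        return 0;
+        return nullptr;
 
     unsigned outOfLineStorage = structure->outOfLineCapacity();
@@ -79,4 +79,7 @@
         }
     } else {
+        ASSERT(
+            indexingType == ArrayWithSlowPutArrayStorage
+            || indexingType == ArrayWithArrayStorage);
         static const unsigned indexBias = 0;
         unsigned vectorLength = ArrayStorage::optimalVectorLength(indexBias, structure, initialLength);
@@ -102,4 +105,32 @@
     scope.notifyAllocated(result, createUninitialized);
     return result;
+}
+
+void JSArray::eagerlyInitializeButterfly(ObjectInitializationScope& scope, JSArray* array, unsigned initialLength)
+{
+    Structure* structure = array->structure(scope.vm());
+    IndexingType indexingType = structure->indexingType();
+    Butterfly* butterfly = array->butterfly();
+
+    // This function only serves as a companion to tryCreateUninitializedRestricted()
+    // in the event that we really can't defer initialization of the butterfly after all.
+    // tryCreateUninitializedRestricted() already initialized the elements between
+    // initialLength and vector length. We just need to do 0 - initialLength.
+    // ObjectInitializationScope::notifyInitialized() will verify that all elements are
+    // initialized.
+    if (LIKELY(!hasAnyArrayStorage(indexingType))) {
+        if (hasDouble(indexingType)) {
+            for (unsigned i = 0; i < initialLength; ++i)
+                butterfly->contiguousDouble().atUnsafe(i) = PNaN;
+        } else {
+            for (unsigned i = 0; i < initialLength; ++i)
+                butterfly->contiguous().atUnsafe(i).clear();
+        }
+    } else {
+        ArrayStorage* storage = butterfly->arrayStorage();
+        for (unsigned i = 0; i < initialLength; ++i)
+            storage->m_vector[i].clear();
+    }
+    scope.notifyInitialized(array);
 }
 
@@ -1341,20 +1372,5 @@
 inline JSArray* constructArray(ObjectInitializationScope& scope, Structure* arrayStructure, unsigned length)
 {
-    // FIXME: We only need this for subclasses of Array because we might need to allocate a new structure to change
-    // indexing types while initializing. If this triggered a GC then we might scan our currently uninitialized
-    // array and crash. https://bugs.webkit.org/show_bug.cgi?id=186811
-    JSArray* array;
-    if (arrayStructure->globalObject()->isOriginalArrayStructure(arrayStructure))
-        array = JSArray::tryCreateUninitializedRestricted(scope, arrayStructure, length);
-    else {
-        array = JSArray::create(scope.vm(), arrayStructure, length);
-
-        // Our client will initialize the storage using initializeIndex() up to
-        // length values, and expects that we've already set m_numValuesInVector
-        // to length. This matches the behavior of tryCreateUninitializedRestricted().
-        IndexingType indexingType = arrayStructure->indexingType();
-        if (UNLIKELY(hasAnyArrayStorage(indexingType)))
-            array->butterfly()->arrayStorage()->m_numValuesInVector = length;
-    }
+    JSArray* array = JSArray::tryCreateUninitializedRestricted(scope, arrayStructure, length);
 
     // FIXME: we should probably throw an out of memory error here, but
@@ -1363,4 +1379,11 @@
     // https://bugs.webkit.org/show_bug.cgi?id=169786
     RELEASE_ASSERT(array);
+
+    // FIXME: We only need this for subclasses of Array because we might need to allocate a new structure to change
+    // indexing types while initializing. If this triggered a GC then we might scan our currently uninitialized
+    // array and crash. https://bugs.webkit.org/show_bug.cgi?id=186811
+    if (!arrayStructure->globalObject()->isOriginalArrayStructure(arrayStructure))
+        JSArray::eagerlyInitializeButterfly(scope, array, length);
+
     return array;
 }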
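Review bot: eagerlyInitializeButterfly() writes elements [0, initialLength) into the butterfly without asserting that initialLength is within the vector that tryCreateUninitializedRestricted() allocated; the comment above the if states that relationship, but nothing checks it, and this function is the one place that now has to agree with the allocation size for the bug this commit fixes. An `ASSERT(initialLength <= butterfly->vectorLength());` right after the butterfly is fetched, plus `ASSERT(array);` at entry, would make the preconditions explicit — constructArray()'s RELEASE_ASSERT(array) covers the null case only for that caller. The final scope.notifyInitialized(array) is what ends the disallow scopes in the checked build, so it must stay on every path; a comment `// Ends the initialization scope: every element is now initialized.` would flag that. The constructArray hunk elides two lines of the out-of-memory FIXME comment mid-function.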
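--- a/trunk/Source/JavaScriptCore/runtime/JSArray.h
+++ b/trunk/Source/JavaScriptCore/runtime/JSArray.h
@@ -80,4 +80,6 @@
         return tryCreateUninitializedRestricted(scope, nullptr, structure, initialLength);
     }
+
+    static void eagerlyInitializeButterfly(ObjectInitializationScope&, JSArray*, unsigned initialLength);
 
     JS_EXPORT_PRIVATE static bool defineOwnProperty(JSObject*, ExecState*, PropertyName, const PropertyDescriptor&, bool throwException);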
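Review bot: The new eagerlyInitializeButterfly declaration carries no comment stating its precondition, which the .cpp only explains at the definition: it is meant for an array that tryCreateUninitializedRestricted() returned within the same scope, fills elements [0, initialLength), and then calls scope.notifyInitialized(). Two lines above the declaration, e.g. `// Companion to tryCreateUninitializedRestricted(): initializes elements [0, initialLength)` and `// and ends the ObjectInitializationScope. Only valid on an array that function returned.`, would keep callers from applying it to an ordinarily created array. The enclosing class declaration starts and ends outside the hunk.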
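--- a/trunk/Source/JavaScriptCore/runtime/ObjectInitializationScope.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ObjectInitializationScope.cpp
@@ -1,4 +1,4 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -58,4 +58,14 @@
 }
 
+void ObjectInitializationScope::notifyInitialized(JSObject* object)
+{
+    if (m_object) {
+        m_disallowGC.disable();
+        m_disallowVMReentry.disable();
+        m_object = nullptr;
+    }
+    verifyPropertiesAreInitialized(object);
+}
+
 void ObjectInitializationScope::verifyPropertiesAreInitialized(JSObject* object)
 {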
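Review bot: notifyInitialized() never checks that `object` is the object this scope is tracking, so a caller passing a different object would silently drop the tracked one (m_object = nullptr), lift the GC and reentry restrictions, and verify the wrong object; the one caller in this commit passes the array it was given, but nothing enforces the pairing. An `ASSERT(!m_object || object == m_object);` at the top would catch a mismatch — this assumes m_object is set by notifyAllocated(), which is outside the hunk. When m_object is already null the two disable() calls are skipped but verification still runs; that looks intended, but a comment such as `// m_object is null when the scope never tracked an uninitialized object; still verify.` would say so.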
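--- a/trunk/Source/JavaScriptCore/runtime/ObjectInitializationScope.h
+++ b/trunk/Source/JavaScriptCore/runtime/ObjectInitializationScope.h
@@ -1,4 +1,4 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -44,4 +44,5 @@
     ALWAYS_INLINE VM& vm() const { return m_vm; }
     ALWAYS_INLINE void notifyAllocated(JSObject*, bool) { }
+    ALWAYS_INLINE void notifyInitialized(JSObject*) { }
 
 private:
@@ -58,3 +59,4 @@
     VM& vm() const { return m_vm; }
     void notifyAllocated(JSObject*, bool wasCreatedUninitialized);
+    void notifyInitialized(JSObject*);
 
 private: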