Changeset 259418 in webkit

Timestamp:

Apr 2, 2020 2:48:29 PM (4 years ago)

Author:

mark.lam@apple.com

Message:

HeapSnapshotBuilder::analyzeNode() should filter out duplicate cells.
​https://bugs.webkit.org/show_bug.cgi?id=209929
<rdar://problem/60974478>

Reviewed by Keith Miller.

HeapSnapshot::finalize() assumes that its list of cells contain no duplicate cells.
HeapSnapshot::appendNode() expects to only be called once for a cell. It doesn't
check for duplicates.

However, with the concurrent GC marker, there’s a racy chance that the same cell
is visited more than once by SlotVisitor, and therefore, SlotVisitor may call
HeapSnapshotBuilder::analyzeNode() (and HeapSnapshot::appendNode()) more than once
for the same cell.

The easiest and cleanest fix for this is to simply keep a HashSet of appended
cells in HeapSnapshotBuilder while it is building the snapshot. We can then use
the hash set to filter out already appended cells, and avoid adding duplicates to
the HeapSnapshot.

• heap/HeapSnapshotBuilder.cpp:

(JSC::HeapSnapshotBuilder::buildSnapshot):
(JSC::HeapSnapshotBuilder::analyzeNode):

• heap/HeapSnapshotBuilder.h:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• heap/HeapSnapshotBuilder.cpp (modified) (3 diffs)
• heap/HeapSnapshotBuilder.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2020-04-02  Mark Lam  <mark.lam@apple.com>
+
+        HeapSnapshotBuilder::analyzeNode() should filter out duplicate cells.
+        https://bugs.webkit.org/show_bug.cgi?id=209929
+        <rdar://problem/60974478>
+
+        Reviewed by Keith Miller.
+
+        HeapSnapshot::finalize() assumes that its list of cells contain no duplicate cells.
+        HeapSnapshot::appendNode() expects to only be called once for a cell.  It doesn't
+        check for duplicates.
+
+        However, with the concurrent GC marker, there’s a racy chance that the same cell
+        is visited more than once by SlotVisitor, and therefore, SlotVisitor may call
+        HeapSnapshotBuilder::analyzeNode() (and HeapSnapshot::appendNode()) more than once
+        for the same cell.
+
+        The easiest and cleanest fix for this is to simply keep a HashSet of appended
+        cells in HeapSnapshotBuilder while it is building the snapshot.  We can then use
+        the hash set to filter out already appended cells, and avoid adding duplicates to
+        the HeapSnapshot.
+
+        * heap/HeapSnapshotBuilder.cpp:
+        (JSC::HeapSnapshotBuilder::buildSnapshot):
+        (JSC::HeapSnapshotBuilder::analyzeNode):
+        * heap/HeapSnapshotBuilder.h:
+
 2020-04-02  Angelos Oikonomopoulos  <angelos@igalia.com>
 

trunk/Source/JavaScriptCore/heap/HeapSnapshotBuilder.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -74 +74 @@
         m_profiler.setActiveHeapAnalyzer(nullptr);
     }
-    m_snapshot->finalize();
-
+
+    {
+        auto locker = holdLock(m_buildingNodeMutex);
+        m_appendedCells.clear();
+        m_snapshot->finalize();
+    }
     m_profiler.appendSnapshot(WTFMove(m_snapshot));
 }
@@ -90 +94 @@
 
     auto locker = holdLock(m_buildingNodeMutex);
+    auto addResult = m_appendedCells.add(cell);
+    if (!addResult.isNewEntry)
+        return;
     m_snapshot->appendNode(HeapSnapshotNode(cell, getNextObjectIdentifier()));
 }

trunk/Source/JavaScriptCore/heap/HeapSnapshotBuilder.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2016-2020 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -155 +155 @@
     HashMap<JSCell*, void*> m_wrappedObjectPointers;
     HashMap<JSCell*, String> m_cellLabels;
+    HashSet<JSCell*> m_appendedCells;
     SnapshotType m_snapshotType;
 };