Context Navigation

← Previous Changeset
Next Changeset →

Changeset 274727 in webkit

Timestamp:

Mar 19, 2021 10:48:47 AM (3 years ago)

Author:

mark.lam@apple.com

Message:

BrandedStructure should keep its members alive.
https://bugs.webkit.org/show_bug.cgi?id=223495
rdar://75565765

Reviewed by Saam Barati.

JSTests:

stress/BrandedStructure-should-keep-its-members-alive.js: Added.

Source/JavaScriptCore:

Normally, each type of JSCell would have its own structure (and therefore, its own
ClassInfo, MethodTable, etc), which would have handled visiting m_parentBrand.
Similarly, it would have its own destructor, which would deref m_brand.

However, the design of BrandedStructure is not like other JSCells. As present,
we have chosen to go with having BrandedStructure look exactly like a regular
Structure, except that its isBrandedStructure flag is set to true.

This design has advantages because we do checks all over the system for whether
a cell is a Structure by simply comparing its structureID to structureStructure's
structureID. By virtue of BrandedStructure having the same structure as Structure,
none of this code need to change.

The downside is that we need to enhance Structure's methods to check if it is
actually working on an instance of BrandedStructure, and do some additional work.

This patch fixes 2 bugs:

m_parentBrand was not visited by visitChildren().

Structure::visitChildrenImpl() now calls BrandedStructure::visitAdditionalChildren()
to handle this.

m_brand needs to be ref'ed.

In Structure::setBrandTransition(), if the BrandedStructure is a dictionary,
then its m_transitionPropertyName will be cleared. m_transitionPropertyName
was the only means by which the UniqueStringImpl pointed to by m_brand was
ref'ed. The fix is to make m_brand a RefPtr.

Hence, it follows that we also need to deref m_brand on destruction.
Structure's destructor now calls BrandedStructure::destruct() to handle this.

runtime/BrandedStructure.h:
runtime/Structure.cpp:

(JSC::Structure::~Structure):
(JSC::Structure::visitChildrenImpl):

Location:

trunk

Files:

: 1 added
: 4 edited

JSTests/ChangeLog (modified) (1 diff)
JSTests/stress/BrandedStructure-should-keep-its-members-alive.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/runtime/BrandedStructure.h (modified) (2 diffs)
Source/JavaScriptCore/runtime/Structure.cpp (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r274703
+                      r274727
+-03-19  Mark Lam  <mark.lam@apple.com>
+        BrandedStructure should keep its members alive.
+        https://bugs.webkit.org/show_bug.cgi?id=223495
+        rdar://75565765
+        Reviewed by Saam Barati.
+        * stress/BrandedStructure-should-keep-its-members-alive.js: Added.
 == Rolled over to ChangeLog-2021-03-18 ==

trunk/Source/JavaScriptCore/ChangeLog

-                      r274724
+                      r274727
+-03-19  Mark Lam  <mark.lam@apple.com>
+        BrandedStructure should keep its members alive.
+        https://bugs.webkit.org/show_bug.cgi?id=223495
+        rdar://75565765
+        Reviewed by Saam Barati.
+        Normally, each type of JSCell would have its own structure (and therefore, its own
+        ClassInfo, MethodTable, etc), which would have handled visiting m_parentBrand.
+        Similarly, it would have its own destructor, which would deref m_brand.
+        However, the design of BrandedStructure is not like other JSCells.  As present,
+        we have chosen to go with having BrandedStructure look exactly like a regular
+        Structure, except that its isBrandedStructure flag is set to true.
+        This design has advantages because we do checks all over the system for whether
+        a cell is a Structure by simply comparing its structureID to structureStructure's
+        structureID.  By virtue of BrandedStructure having the same structure as Structure,
+        none of this code need to change.
+        The downside is that we need to enhance Structure's methods to check if it is
+        actually working on an instance of BrandedStructure, and do some additional work.
+        This patch fixes 2 bugs:
+. m_parentBrand was not visited by visitChildren().
+           Structure::visitChildrenImpl() now calls BrandedStructure::visitAdditionalChildren()
+           to handle this.
+. m_brand needs to be ref'ed.
+           In Structure::setBrandTransition(), if the BrandedStructure is a dictionary,
+           then its m_transitionPropertyName will be cleared.  m_transitionPropertyName
+           was the only means by which the UniqueStringImpl pointed to by m_brand was
+           ref'ed.  The fix is to make m_brand a RefPtr.
+           Hence, it follows that we also need to deref m_brand on destruction.
+           Structure's destructor now calls BrandedStructure::destruct() to handle this.
+        * runtime/BrandedStructure.h:
+        * runtime/Structure.cpp:
+        (JSC::Structure::~Structure):
+        (JSC::Structure::visitChildrenImpl):
 -03-19  Sam Weinig  <weinig@apple.com>

trunk/Source/JavaScriptCore/runtime/BrandedStructure.h

-                      r272580
+                      r274727
+    }
+private:
+    template<typename Visitor>
+    static void visitAdditionalChildren(JSCell* cell, Visitor& visitor)
+    {
+        BrandedStructure* thisObject = jsCast<BrandedStructure*>(cell);
+        visitor.append(thisObject->m_parentBrand);
+    }
+private:
     BrandedStructure(VM&, Structure*, UniquedStringImpl* brand, DeferredStructureTransitionWatchpointFire*);
     BrandedStructure(VM&, BrandedStructure*, DeferredStructureTransitionWatchpointFire*);
 …
     static Structure* create(VM&, Structure*, UniquedStringImpl* brand, DeferredStructureTransitionWatchpointFire* = nullptr);
+    UniquedStringImpl* m_brand;
+    void destruct()
+    {
+        m_brand = nullptr;
+    }
+    RefPtr<UniquedStringImpl> m_brand;
     WriteBarrier<BrandedStructure> m_parentBrand;

trunk/Source/JavaScriptCore/runtime/Structure.cpp

-                      r273138
+                      r274727
     if (typeInfo().structureIsImmortal())
         return;
+    if (isBrandedStructure())
+        static_cast<BrandedStructure*>(this)->destruct();
     Heap::heap(this)->structureIDTable().deallocateID(this, m_blob.structureID());
+}
 …
     else if (thisObject->m_propertyTableUnsafe)
         thisObject->m_propertyTableUnsafe.clear();
+    if (thisObject->isBrandedStructure())
+        BrandedStructure::visitAdditionalChildren(cell, visitor);
+}

Note: See TracChangeset for help on using the changeset viewer.