Changeset 160822 in webkit

Timestamp:

Dec 18, 2013 8:30:02 PM (10 years ago)

Author:

mhahnenberg@apple.com

Message:

DelayedReleaseScope is in the wrong place
​https://bugs.webkit.org/show_bug.cgi?id=125876

Reviewed by Geoffrey Garen.

The DelayedReleaseScope needs to be around the free list sweeping in MarkedAllocator::tryAllocateHelper.
This location gives us a good safe point between getting ready to allocate (i.e. identifying a non-empty
free list) and doing the actual allocation (popping the free list).

• heap/MarkedAllocator.cpp:

(JSC::MarkedAllocator::tryAllocateHelper):
(JSC::MarkedAllocator::allocateSlowCase):
(JSC::MarkedAllocator::addBlock):

• runtime/JSCellInlines.h:

(JSC::allocateCell):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• heap/MarkedAllocator.cpp (modified) (4 diffs)
• runtime/JSCellInlines.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-12-18  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        DelayedReleaseScope is in the wrong place
+        https://bugs.webkit.org/show_bug.cgi?id=125876
+
+        Reviewed by Geoffrey Garen.
+
+        The DelayedReleaseScope needs to be around the free list sweeping in MarkedAllocator::tryAllocateHelper. 
+        This location gives us a good safe point between getting ready to allocate  (i.e. identifying a non-empty 
+        free list) and doing the actual allocation (popping the free list).
+
+        * heap/MarkedAllocator.cpp:
+        (JSC::MarkedAllocator::tryAllocateHelper):
+        (JSC::MarkedAllocator::allocateSlowCase):
+        (JSC::MarkedAllocator::addBlock):
+        * runtime/JSCellInlines.h:
+        (JSC::allocateCell):
+
 2013-12-18  Gustavo Noronha Silva  <gns@gnome.org>
 

trunk/Source/JavaScriptCore/heap/MarkedAllocator.cpp

@@ -31 +31 @@
 inline void* MarkedAllocator::tryAllocateHelper(size_t bytes)
 {
-    if (!m_freeList.head) {
+    // We need a while loop to check the free list because the DelayedReleaseScope 
+    // could cause arbitrary code to execute and exhaust the free list that we 
+    // thought had elements in it.
+    while (!m_freeList.head) {
+        DelayedReleaseScope delayedReleaseScope(*m_markedSpace);
         if (m_currentBlock) {
             ASSERT(m_currentBlock == m_blocksToSweep);
@@ -60 +64 @@
         }
     }
-    
+
+    ASSERT(m_freeList.head);
     MarkedBlock::FreeCell* head = m_freeList.head;
     m_freeList.head = head->next;
@@ -79 +84 @@
 {
     ASSERT(m_heap->vm()->currentThreadIsHoldingAPILock());
-    DelayedReleaseScope delayedReleaseScope(*m_markedSpace);
 #if COLLECT_ON_EVERY_ALLOCATION
     if (!m_heap->isDeferred())
@@ -127 +131 @@
 void MarkedAllocator::addBlock(MarkedBlock* block)
 {
+    // Satisfy the ASSERT in MarkedBlock::sweep.
+    DelayedReleaseScope delayedReleaseScope(*m_markedSpace);
     ASSERT(!m_currentBlock);
     ASSERT(!m_freeList.head);

trunk/Source/JavaScriptCore/runtime/JSCellInlines.h

@@ -89 +89 @@
     ASSERT(!DisallowGC::isGCDisallowedOnCurrentThread());
     ASSERT(size >= sizeof(T));
-#if ENABLE(GC_VALIDATION)
-    ASSERT(!heap.vm()->isInitializingObject());
-    heap.vm()->setInitializingObjectClass(T::info());
-#endif
     JSCell* result = 0;
     if (T::needsDestruction && T::hasImmortalStructure)
@@ -100 +96 @@
     else 
         result = static_cast<JSCell*>(heap.allocateWithoutDestructor(size));
+#if ENABLE(GC_VALIDATION)
+    ASSERT(!heap.vm()->isInitializingObject());
+    heap.vm()->setInitializingObjectClass(T::info());
+#endif
     result->clearStructure();
     return result;