Changeset 205466 in webkit
- Timestamp: Sep 5, 2016 7:39:11 PM
- Location: trunk/Source/JavaScriptCore
- Files: 2 edited
trunk/Source/JavaScriptCore/ChangeLog
r205465 r205466 1 2016-09-05 Filip Pizlo <fpizlo@apple.com> 2 3 Heap::isMarked() should use concurrent lazy flipping 4 https://bugs.webkit.org/show_bug.cgi?id=161613 5 6 Reviewed by Michael Catanzaro. 7 8 I found out about this race condition via 9 https://bugs.webkit.org/show_bug.cgi?id=160125#c233. 10 11 The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark 12 phase. So, they need to lazy-flip in a non-racy way. 13 14 * heap/HeapInlines.h: 15 (JSC::Heap::isLive): 16 (JSC::Heap::isMarked): 17 1 18 2016-09-05 Filip Pizlo <fpizlo@apple.com> 2 19 -
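Review bot: the ChangeLog entry hedges on isLive ("we use isMarked, and maybe even isLive, inside the concurrent mark phase") while the patch changes both JSC::Heap::isLive and JSC::Heap::isMarked identically; since both call sites are switched to the concurrent flip, state plainly that both helpers can be reached from the concurrent marker, and add one sentence on what flipIfNecessaryConcurrently does differently from flipIfNecessary (how it removes the race), because the entry names the race but not the fix.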
trunk/Source/JavaScriptCore/heap/HeapInlines.h
r205462 r205466 81 81 return cell->largeAllocation().isLive(); 82 82 MarkedBlock& block = cell->markedBlock(); 83 block.flipIfNecessary (block.vm()->heap.objectSpace().version());83 block.flipIfNecessaryConcurrently(block.vm()->heap.objectSpace().version()); 84 84 return block.handle().isLiveCell(cell); 85 85 } … … 91 91 return cell->largeAllocation().isMarked(); 92 92 MarkedBlock& block = cell->markedBlock(); 93 block.flipIfNecessary (block.vm()->heap.objectSpace().version());93 block.flipIfNecessaryConcurrently(block.vm()->heap.objectSpace().version()); 94 94 return block.isMarked(cell); 95 95 }
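Review bot: both hunks (lines 83 and 93) switch only the MarkedBlock path to flipIfNecessaryConcurrently, while the early-return LargeAllocation path on lines 81 and 91 (cell->largeAllocation().isLive() / .isMarked()) is untouched; please confirm that large allocations need no equivalent concurrent handling when reached from the concurrent marker, or say so in the ChangeLog. Also note that flipIfNecessaryConcurrently is not defined in this changeset (only ChangeLog and HeapInlines.h are edited), so it must already exist on MarkedBlock; a short comment at each call site saying that these helpers may run during concurrent marking would explain to the next reader why the Concurrently variant is required here rather than flipIfNecessary.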