Changeset 205466 in webkit


Timestamp: Sep 5, 2016 7:39:11 PM
Author: fpizlo@apple.com
Message:

Heap::isMarked() should use concurrent lazy flipping
https://bugs.webkit.org/show_bug.cgi?id=161613

Reviewed by Michael Catanzaro.

I found out about this race condition via
https://bugs.webkit.org/show_bug.cgi?id=160125#c233.

The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
phase. So, they need to lazy-flip in a non-racy way.

  • heap/HeapInlines.h:

(JSC::Heap::isLive):
(JSC::Heap::isMarked):

Location: trunk/Source/JavaScriptCore
Files: 2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r205465 r205466  
     12016-09-05  Filip Pizlo  <fpizlo@apple.com>
     2
     3        Heap::isMarked() should use concurrent lazy flipping
     4        https://bugs.webkit.org/show_bug.cgi?id=161613
     5
     6        Reviewed by Michael Catanzaro.
     7       
     8        I found out about this race condition via
     9        https://bugs.webkit.org/show_bug.cgi?id=160125#c233.
     10       
     11        The problem is that we use isMarked, and maybe even isLive, inside the concurrent mark
     12        phase. So, they need to lazy-flip in a non-racy way.
     13
     14        * heap/HeapInlines.h:
     15        (JSC::Heap::isLive):
     16        (JSC::Heap::isMarked):
     17
    1182016-09-05  Filip Pizlo  <fpizlo@apple.com>
    219
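Review bot: the ChangeLog entry (lines 11-12) states that isMarked and isLive "need to lazy-flip in a non-racy way" but not what actually goes wrong when the non-concurrent flipIfNecessary runs during the concurrent mark phase; one sentence naming the hazard would let a reader understand the fix without following the bug 160125 comment link. It would also help to say whether any other callers of flipIfNecessary were audited, since the entry lists only the two accessors in heap/HeapInlines.h.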
  • trunk/Source/JavaScriptCore/heap/HeapInlines.h

    r205462 r205466  
    8181        return cell->largeAllocation().isLive();
    8282    MarkedBlock& block = cell->markedBlock();
    83     block.flipIfNecessary(block.vm()->heap.objectSpace().version());
     83    block.flipIfNecessaryConcurrently(block.vm()->heap.objectSpace().version());
    8484    return block.handle().isLiveCell(cell);
    8585}
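Review bot: line 83 now calls flipIfNecessaryConcurrently, but the version argument is still read by the caller via block.vm()->heap.objectSpace().version() before the flip and then handle().isLiveCell(cell) is read afterwards; consider a short comment on why fetching the version at the call site is acceptable while marking runs concurrently, or have flipIfNecessaryConcurrently read the heap version itself, which would also remove the repeated objectSpace().version() expression from each caller.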
     
    9191        return cell->largeAllocation().isMarked();
    9292    MarkedBlock& block = cell->markedBlock();
    93     block.flipIfNecessary(block.vm()->heap.objectSpace().version());
     93    block.flipIfNecessaryConcurrently(block.vm()->heap.objectSpace().version());
    9494    return block.isMarked(cell);
    9595}
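Review bot: lines 92-93 repeat the same block-lookup-and-concurrent-flip sequence as isLive above; now that both accessors must use the concurrent variant, a small shared helper (one that returns the already-flipped MarkedBlock& for a cell) would keep the two from drifting apart if the flipping protocol changes again. Worth confirming in the same pass that no other helper in this file still calls the non-concurrent flipIfNecessary from a path reachable during concurrent marking, since the ChangeLog names only these two.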