Changeset 249345 in webkit
- Timestamp:
- Aug 30, 2019 2:18:16 PM (5 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 2 edited
trunk/Source/JavaScriptCore/ChangeLog
r249337 r249345 1 2019-08-30 Mark Lam <mark.lam@apple.com> 2 3 Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information. 4 https://bugs.webkit.org/show_bug.cgi?id=201345 5 6 Reviewed by Yusuke Suzuki. 7 8 This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using 9 the wrong pointer for capture the cell headerWord and zapReason. As a result, 10 we get junk for those 2 values. 11 12 Previously, we were only capturing the upper 32-bits of the cell header slot, 13 and the lower 32-bit of the next slot in the zapped cell. We now capture the 14 full 64-bits of both slots. If the second slot did not contain a zapReason as we 15 expect, the upper 32-bits might give us a clue as to what type of value the slot 16 contains. 17 18 This patch also adds capturing of the found MarkedBlock address for the zapped 19 cell, as well as some state bit values. 20 21 * heap/SlotVisitor.cpp: 22 (JSC::SlotVisitor::reportZappedCellAndCrash): 23 1 24 2019-08-30 Yusuke Suzuki <ysuzuki@apple.com> 2 25 -
trunk/Source/JavaScriptCore/heap/SlotVisitor.cpp
r249175 r249345 39 39 #include "JSString.h" 40 40 #include "JSCInlines.h" 41 #include "MarkedBlockInlines.h" 41 42 #include "MarkingConstraintSolver.h" 42 43 #include "SlotVisitorInlines.h" … … 46 47 #include <wtf/ListDump.h> 47 48 #include <wtf/Lock.h> 49 #include <wtf/StdLibExtras.h> 48 50 49 51 namespace JSC { … … 826 828 NEVER_INLINE NO_RETURN_DUE_TO_CRASH NOT_TAIL_CALLED void SlotVisitor::reportZappedCellAndCrash(JSCell* cell) 827 829 { 828 MarkedBlock::Handle* foundBlock = nullptr;829 uint 32_t* cellWords = reinterpret_cast_ptr<uint32_t*>(this);830 MarkedBlock::Handle* foundBlockHandle = nullptr; 831 uint64_t* cellWords = reinterpret_cast_ptr<uint64_t*>(cell); 830 832 831 833 uintptr_t cellAddress = bitwise_cast<uintptr_t>(cell); 832 uint ptr_t headerWord = cellWords[1];833 uint ptr_t zapReason = cellWords[2];834 uint64_t headerWord = cellWords[0]; 835 uint64_t zapReasonAndMore = cellWords[1]; 834 836 unsigned subspaceHash = 0; 835 837 size_t cellSize = 0; 836 838 837 m_heap.objectSpace().forEachBlock([&] (MarkedBlock::Handle* block ) {838 if (block ->contains(cell)) {839 foundBlock = block;839 m_heap.objectSpace().forEachBlock([&] (MarkedBlock::Handle* blockHandle) { 840 if (blockHandle->contains(cell)) { 841 foundBlockHandle = blockHandle; 840 842 return IterationStatus::Done; 841 843 } … … 843 845 }); 844 846 845 if (foundBlock) { 846 subspaceHash = StringHasher::computeHash(foundBlock->subspace()->name()); 847 cellSize = foundBlock->cellSize(); 848 } 849 850 CRASH_WITH_INFO(cellAddress, headerWord, zapReason, subspaceHash, cellSize); 847 uint64_t variousState = 0; 848 MarkedBlock* foundBlock = nullptr; 849 if (foundBlockHandle) { 850 foundBlock = &foundBlockHandle->block(); 851 subspaceHash = StringHasher::computeHash(foundBlockHandle->subspace()->name()); 852 cellSize = foundBlockHandle->cellSize(); 853 854 variousState |= static_cast<uint64_t>(foundBlockHandle->isFreeListed()) << 0; 855 variousState |= 
static_cast<uint64_t>(foundBlockHandle->isAllocated()) << 1; 856 variousState |= static_cast<uint64_t>(foundBlockHandle->isEmpty()) << 2; 857 variousState |= static_cast<uint64_t>(foundBlockHandle->needsDestruction()) << 3; 858 variousState |= static_cast<uint64_t>(foundBlock->isNewlyAllocated(cell)) << 4; 859 860 ptrdiff_t cellOffset = cellAddress - reinterpret_cast<uint64_t>(foundBlockHandle->start()); 861 bool cellIsProperlyAligned = !(cellOffset % cellSize); 862 variousState |= static_cast<uint64_t>(cellIsProperlyAligned) << 5; 863 } 864 865 CRASH_WITH_INFO(cellAddress, headerWord, zapReasonAndMore, subspaceHash, cellSize, foundBlock, variousState); 851 866 } 852 867 #endif // PLATFORM(MAC)
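Review bot: `bool cellIsProperlyAligned = !(cellOffset % cellSize);` divides by `cellSize` with no guard; the value comes from `foundBlockHandle->cellSize()` and is presumably non-zero for a real block, but in a crash reporter a zero would turn a diagnostic crash into an integer-division trap that loses the captured state, so `bool cellIsProperlyAligned = cellSize && !(cellOffset % cellSize);` is worth the one extra check. On the line above, `reinterpret_cast<uint64_t>(foundBlockHandle->start())` sits next to `bitwise_cast<uintptr_t>(cell)` used for `cellAddress`; `ptrdiff_t cellOffset = cellAddress - bitwise_cast<uintptr_t>(foundBlockHandle->start());` keeps the two address conversions in the same form and type. Also note that `cellWords[0]` and `cellWords[1]` are read from `cell` before the `forEachBlock` lookup confirms the pointer lies in any block; if `cell` is ever a wild pointer that read faults before `CRASH_WITH_INFO` runs, which may be acceptable here but deserves a comment such as `// Header words are read unconditionally: a cell that is not in any block will fault here rather than reach CRASH_WITH_INFO.`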