Changeset 249345 in webkit


Timestamp:
Aug 30, 2019 2:18:16 PM (5 years ago)
Author:
mark.lam@apple.com
Message:

Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information.
https://bugs.webkit.org/show_bug.cgi?id=201345

Reviewed by Yusuke Suzuki.

This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using
the wrong pointer for capturing the cell headerWord and zapReason. As a result,
we get junk for those 2 values.

Previously, we were only capturing the upper 32 bits of the cell header slot,
and the lower 32 bits of the next slot in the zapped cell. We now capture the
full 64 bits of both slots. If the second slot does not contain a zapReason as we
expect, the upper 32 bits might give us a clue as to what type of value the slot
contains.

This patch also adds capturing of the found MarkedBlock address for the zapped
cell, as well as some state bit values.

  • heap/SlotVisitor.cpp:

(JSC::SlotVisitor::reportZappedCellAndCrash):
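To make the narrow-versus-wide capture described in the message concrete, here is an added example; it is not WebKit code and not part of this changeset. FakeZappedCell is a constructed two-slot stand-in (header word, then zap reason) and does not reproduce JSC's real JSCell layout; captureNarrow and captureWide are hypothetical helpers that only copy the pre-patch and post-patch read shapes, and cellIsProperlyAligned mirrors the patch's offset-modulo-cellSize check with an added zero-size guard. The sample values are constructed so every byte is distinct and you can see which halves survive.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Constructed stand-in for a zapped cell (NOT JSC's JSCell layout). It models only what
// reportZappedCellAndCrash() reads after the fix: slot 0 = header word, slot 1 = zap reason.
struct FakeZappedCell {
    uint64_t headerWord;
    uint64_t zapReasonAndMore;
    uint64_t padding[2]; // pad to a 32-byte cell so every read below stays in bounds
};

struct Capture {
    uint64_t headerWord;
    uint64_t zapReasonAndMore;
};

// Pre-patch read shape: 32-bit indices 1 and 2 straddle the two 64-bit slots, so on a
// little-endian host this yields the upper half of slot 0 and the lower half of slot 1.
// (The real pre-patch bug was worse still: the pointer indexed was `this`, not the cell.)
Capture captureNarrow(const FakeZappedCell* cell) {
    uint32_t words[4];
    std::memcpy(words, cell, sizeof(words)); // memcpy avoids aliasing uint64_t storage as uint32_t
    return { words[1], words[2] };
}

// Post-patch read shape: 64-bit indices, both slots captured whole.
Capture captureWide(const FakeZappedCell* cell) {
    uint64_t words[2];
    std::memcpy(words, cell, sizeof(words));
    return { words[0], words[1] };
}

// Mirrors the patch's cellIsProperlyAligned computation (offset from block start must be a
// multiple of cellSize), with a guard so a zero cellSize reports "not aligned" instead of faulting.
bool cellIsProperlyAligned(uintptr_t cellAddress, uintptr_t blockStart, size_t cellSize) {
    if (cellSize == 0 || cellAddress < blockStart)
        return false;
    return (cellAddress - blockStart) % cellSize == 0;
}

bool isLittleEndian() {
    const uint16_t probe = 1;
    uint8_t firstByte;
    std::memcpy(&firstByte, &probe, 1);
    return firstByte == 1;
}

// Constructed sample: distinct bytes everywhere so the surviving halves are obvious in the output.
const FakeZappedCell kSampleCell = { 0x1122334455667788ull, 0x99aabbccddeeff00ull, { 0, 0 } };

int main() {
    Capture narrow = captureNarrow(&kSampleCell);
    Capture wide = captureWide(&kSampleCell);
    std::printf("narrow: header=%016llx zap=%016llx\n",
                (unsigned long long)narrow.headerWord, (unsigned long long)narrow.zapReasonAndMore);
    std::printf("wide:   header=%016llx zap=%016llx\n",
                (unsigned long long)wide.headerWord, (unsigned long long)wide.zapReasonAndMore);
    std::printf("aligned(cell 0x1040, block 0x1000, cellSize 32): %d\n",
                cellIsProperlyAligned(0x1040, 0x1000, 32));
    return 0;
}
```

On a little-endian host the narrow capture reports header 0x11223344 and zap 0xddeeff00, which is exactly the "upper 32 bits of the header slot, lower 32 bits of the next slot" the message describes; the wide capture returns both slots intact.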

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r249337 r249345  
     12019-08-30  Mark Lam  <mark.lam@apple.com>
     2
     3        Fix a bug in SlotVisitor::reportZappedCellAndCrash() and also capture more information.
     4        https://bugs.webkit.org/show_bug.cgi?id=201345
     5
     6        Reviewed by Yusuke Suzuki.
     7
     8        This patch fixes a bug where SlotVisitor::reportZappedCellAndCrash() was using
     9        the wrong pointer for capture the cell headerWord and zapReason.  As a result,
     10        we get junk for those 2 values.
     11
     12        Previously, we were only capturing the upper 32-bits of the cell header slot,
     13        and the lower 32-bit of the next slot in the zapped cell.  We now capture the
     14        full 64-bits of both slots.  If the second slot did not contain a zapReason as we
     15        expect, the upper 32-bits might give us a clue as to what type of value the slot
     16        contains.
     17
     18        This patch also adds capturing of the found MarkedBlock address for the zapped
     19        cell, as well as some state bit values.
     20
     21        * heap/SlotVisitor.cpp:
     22        (JSC::SlotVisitor::reportZappedCellAndCrash):
     23
    1242019-08-30  Yusuke Suzuki  <ysuzuki@apple.com>
    225
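Review bot: typo in the ChangeLog entry text, "the wrong pointer for capture the cell headerWord" should read "for capturing the cell headerWord", and "the lower 32-bit of the next slot" should be "the lower 32 bits"; "If the second slot did not contain a zapReason as we expect" also mixes tenses and reads better as "does not contain".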
  • trunk/Source/JavaScriptCore/heap/SlotVisitor.cpp

    r249175 r249345  
    3939#include "JSString.h"
    4040#include "JSCInlines.h"
     41#include "MarkedBlockInlines.h"
    4142#include "MarkingConstraintSolver.h"
    4243#include "SlotVisitorInlines.h"
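Review bot: the new MarkedBlockInlines.h include is unconditional, while its only new consumer in this patch, the Handle and MarkedBlock accessors called from reportZappedCellAndCrash() (isFreeListed, isAllocated, isEmpty, needsDestruction, isNewlyAllocated), sits in a function whose closing brace is immediately followed by #endif // PLATFORM(MAC). Either place the include under the same guard, or at least mention the include additions in the ChangeLog entry, which currently lists only the function.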
     
    4647#include <wtf/ListDump.h>
    4748#include <wtf/Lock.h>
     49#include <wtf/StdLibExtras.h>
    4850
    4951namespace JSC {
     
    826828NEVER_INLINE NO_RETURN_DUE_TO_CRASH NOT_TAIL_CALLED void SlotVisitor::reportZappedCellAndCrash(JSCell* cell)
    827829{
    828     MarkedBlock::Handle* foundBlock = nullptr;
    829     uint32_t* cellWords = reinterpret_cast_ptr<uint32_t*>(this);
     830    MarkedBlock::Handle* foundBlockHandle = nullptr;
     831    uint64_t* cellWords = reinterpret_cast_ptr<uint64_t*>(cell);
    830832
    831833    uintptr_t cellAddress = bitwise_cast<uintptr_t>(cell);
    832     uintptr_t headerWord = cellWords[1];
    833     uintptr_t zapReason = cellWords[2];
     834    uint64_t headerWord = cellWords[0];
     835    uint64_t zapReasonAndMore = cellWords[1];
    834836    unsigned subspaceHash = 0;
    835837    size_t cellSize = 0;
    836838
    837     m_heap.objectSpace().forEachBlock([&] (MarkedBlock::Handle* block) {
    838         if (block->contains(cell)) {
    839             foundBlock = block;
     839    m_heap.objectSpace().forEachBlock([&] (MarkedBlock::Handle* blockHandle) {
     840        if (blockHandle->contains(cell)) {
     841            foundBlockHandle = blockHandle;
    840842            return IterationStatus::Done;
    841843        }
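Review bot: lines 834 and 835 read cellWords[0] and cellWords[1] before the forEachBlock scan has established that `cell` lies in any MarkedBlock, so a pointer that is not mapped faults here and CRASH_WITH_INFO never runs; the reads were already unconditional before this patch, but the fix is a good moment to either move them after the lookup or add a comment stating the assumption that the caller has already dereferenced the cell. The `uint64_t*` cast also hard-codes 8-byte slots; a `static_assert(sizeof(void*) == 8, "...")` next to it would document that this relies on the function being PLATFORM(MAC)-only rather than leave it implicit.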
     
    843845    });
    844846
    845     if (foundBlock) {
    846         subspaceHash = StringHasher::computeHash(foundBlock->subspace()->name());
    847         cellSize = foundBlock->cellSize();
    848     }
    849 
    850     CRASH_WITH_INFO(cellAddress, headerWord, zapReason, subspaceHash, cellSize);
     847    uint64_t variousState = 0;
     848    MarkedBlock* foundBlock = nullptr;
     849    if (foundBlockHandle) {
     850        foundBlock = &foundBlockHandle->block();
     851        subspaceHash = StringHasher::computeHash(foundBlockHandle->subspace()->name());
     852        cellSize = foundBlockHandle->cellSize();
     853
     854        variousState |= static_cast<uint64_t>(foundBlockHandle->isFreeListed()) << 0;
     855        variousState |= static_cast<uint64_t>(foundBlockHandle->isAllocated()) << 1;
     856        variousState |= static_cast<uint64_t>(foundBlockHandle->isEmpty()) << 2;
     857        variousState |= static_cast<uint64_t>(foundBlockHandle->needsDestruction()) << 3;
     858        variousState |= static_cast<uint64_t>(foundBlock->isNewlyAllocated(cell)) << 4;
     859
     860        ptrdiff_t cellOffset = cellAddress - reinterpret_cast<uint64_t>(foundBlockHandle->start());
     861        bool cellIsProperlyAligned = !(cellOffset % cellSize);
     862        variousState |= static_cast<uint64_t>(cellIsProperlyAligned) << 5;
     863    }
     864
     865    CRASH_WITH_INFO(cellAddress, headerWord, zapReasonAndMore, subspaceHash, cellSize, foundBlock, variousState);
    851866}
    852867#endif // PLATFORM(MAC)
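Review bot: line 861 evaluates `cellOffset % cellSize` with no guard, so if cellSize() ever returned 0 the process would die on the modulo before CRASH_WITH_INFO captures anything, which defeats the purpose of a diagnostic path; `bool cellIsProperlyAligned = cellSize && !(cellOffset % cellSize);` costs nothing. Line 860 also mixes types: `cellAddress` is uintptr_t, the block start is cast with `reinterpret_cast<uint64_t>` while line 833 uses `bitwise_cast<uintptr_t>` for the cell, and the difference lands in a signed ptrdiff_t that is then taken modulo a size_t; `uintptr_t cellOffset = cellAddress - bitwise_cast<uintptr_t>(foundBlockHandle->start());` keeps it unsigned and consistent. Finally, the bit layout of variousState (bit 0 isFreeListed through bit 5 cellIsProperlyAligned) is only recoverable by reading the code; a short comment listing the bit assignments would help whoever decodes this register value from a crash log.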