Changeset 252024 in webkit

Timestamp:

Nov 4, 2019 3:57:34 PM (5 years ago)

Author:

sbarati@apple.com

Message:

Don't use memmove/memcpy/memset for memory that can be scanned concurrently
​https://bugs.webkit.org/show_bug.cgi?id=203228
<rdar://problem/56401852>

Reviewed by Robin Morisset.

JSTests:

• stress/torn-js-value-concurrent-collector.js: Added.

(foo):

Source/JavaScriptCore:

We had code inside various places of the runtime which would call into system
memcpy/memmove/memset when updating a live butterfly. This means that the
concurrent collector could be scanning such butterflies while a memcpy/memmove/memset
was running. Those functions don't guarantee anything about the minimum
alignment of the stores they do. And implementations for them frequently have
byte copy loops for low byte copy counts. This lead to us seeing torn JSValues
inside the concurrent collector during Array.prototype.splice. This patch
introduces new functions for doing memcpy/memmove/memset for data structures
which may be concurrently scanned. The loops are written using inline assembly
for gcc compatible compilers on 64 bit platforms. The inline assembly
ensures we never write to memory using instructions that store fewer
than 8 bytes. On other platforms, we just use a volatile pointer to
ensure the compiler doesn't turn the loop into a function call or a
series of stores which may be smaller than 8 bytes.

• CMakeLists.txt:
• JavaScriptCore.xcodeproj/project.pbxproj:
• heap/GCMemoryOperations.h: Added.

(JSC::gcSafeMemcpy):
(JSC::gcSafeMemmove):
(JSC::gcSafeZeroMemory):

• heap/Heap.h:
• runtime/ArrayConventions.cpp:

(JSC::clearArrayMemset):

• runtime/ArrayPrototype.cpp:

(JSC::copyElements):

• runtime/ButterflyInlines.h:

(JSC::Butterfly::tryCreate):
(JSC::Butterfly::createOrGrowPropertyStorage):
(JSC::Butterfly::growArrayRight):
(JSC::Butterfly::reallocArrayRightIfPossible):
(JSC::Butterfly::resizeArray):
(JSC::Butterfly::unshift):
(JSC::Butterfly::shift):

• runtime/JSArray.cpp:

(JSC::JSArray::unshiftCountSlowCase):
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::fastSlice):
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithArrayStorage):

• runtime/JSObject.cpp:

(JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
(JSC::JSObject::convertFromCopyOnWrite):
(JSC::JSObject::shiftButterflyAfterFlattening):

• runtime/JSObject.h:
• runtime/RegExpMatchesArray.h:

(JSC::createRegExpMatchesArray):

• runtime/Structure.cpp:

(JSC::Structure::flattenDictionaryStructure):

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/torn-js-value-concurrent-collector.js (added)
• Source/JavaScriptCore/CMakeLists.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/JavaScriptCore/heap/GCMemoryOperations.h (added)
• Source/JavaScriptCore/heap/Heap.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/ArrayConventions.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/ArrayPrototype.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/ButterflyInlines.h (modified) (7 diffs)
• Source/JavaScriptCore/runtime/JSArray.cpp (modified) (9 diffs)
• Source/JavaScriptCore/runtime/JSObject.cpp (modified) (3 diffs)
• Source/JavaScriptCore/runtime/JSObject.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/RegExpMatchesArray.h (modified) (1 diff)
• Source/JavaScriptCore/runtime/Structure.cpp (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-11-04  Saam Barati  <sbarati@apple.com>
+
+        Don't use memmove/memcpy/memset for memory that can be scanned concurrently
+        https://bugs.webkit.org/show_bug.cgi?id=203228
+        <rdar://problem/56401852>
+
+        Reviewed by Robin Morisset.
+
+        * stress/torn-js-value-concurrent-collector.js: Added.
+        (foo):
+
 2019-11-03  Tadeu Zagallo  <tzagallo@apple.com>
 

trunk/Source/JavaScriptCore/CMakeLists.txt

@@ -596 +596 @@
     heap/GCIncomingRefCountedSet.h
     heap/GCLogging.h
+    heap/GCMemoryOperations.h
     heap/GCRequest.h
     heap/GCSegmentedArray.h

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-11-04  Saam Barati  <sbarati@apple.com>
+
+        Don't use memmove/memcpy/memset for memory that can be scanned concurrently
+        https://bugs.webkit.org/show_bug.cgi?id=203228
+        <rdar://problem/56401852>
+
+        Reviewed by Robin Morisset.
+
+        We had code inside various places of the runtime which would call into system
+        memcpy/memmove/memset when updating a live butterfly. This means that the
+        concurrent collector could be scanning such butterflies while a memcpy/memmove/memset
+        was running. Those functions don't guarantee anything about the minimum
+        alignment of the stores they do. And implementations for them frequently have
+        byte copy loops for low byte copy counts. This lead to us seeing torn JSValues
+        inside the concurrent collector during Array.prototype.splice. This patch
+        introduces new functions for doing memcpy/memmove/memset for data structures
+        which may be concurrently scanned. The loops are written using inline assembly
+        for gcc compatible compilers on 64 bit platforms. The inline assembly
+        ensures we never write to memory using instructions that store fewer
+        than 8 bytes. On other platforms, we just use a volatile pointer to
+        ensure the compiler doesn't turn the loop into a function call or a
+        series of stores which may be smaller than 8 bytes.
+
+        * CMakeLists.txt:
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * heap/GCMemoryOperations.h: Added.
+        (JSC::gcSafeMemcpy):
+        (JSC::gcSafeMemmove):
+        (JSC::gcSafeZeroMemory):
+        * heap/Heap.h:
+        * runtime/ArrayConventions.cpp:
+        (JSC::clearArrayMemset):
+        * runtime/ArrayPrototype.cpp:
+        (JSC::copyElements):
+        * runtime/ButterflyInlines.h:
+        (JSC::Butterfly::tryCreate):
+        (JSC::Butterfly::createOrGrowPropertyStorage):
+        (JSC::Butterfly::growArrayRight):
+        (JSC::Butterfly::reallocArrayRightIfPossible):
+        (JSC::Butterfly::resizeArray):
+        (JSC::Butterfly::unshift):
+        (JSC::Butterfly::shift):
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::unshiftCountSlowCase):
+        (JSC::JSArray::appendMemcpy):
+        (JSC::JSArray::fastSlice):
+        (JSC::JSArray::shiftCountWithArrayStorage):
+        (JSC::JSArray::shiftCountWithAnyIndexingType):
+        (JSC::JSArray::unshiftCountWithArrayStorage):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
+        (JSC::JSObject::convertFromCopyOnWrite):
+        (JSC::JSObject::shiftButterflyAfterFlattening):
+        * runtime/JSObject.h:
+        * runtime/RegExpMatchesArray.h:
+        (JSC::createRegExpMatchesArray):
+        * runtime/Structure.cpp:
+        (JSC::Structure::flattenDictionaryStructure):
+
 2019-11-04  Truitt Savell  <tsavell@apple.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -893 +893 @@
                 521131F71F82BF14007CCEEE /* PolyProtoAccessChain.h in Headers */ = {isa = PBXBuildFile; fileRef = 521131F61F82BF11007CCEEE /* PolyProtoAccessChain.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 521322461ECBCE8200F65615 /* WebAssemblyFunctionBase.h in Headers */ = {isa = PBXBuildFile; fileRef = 521322441ECBCE8200F65615 /* WebAssemblyFunctionBase.h */; };
+                522927D5235FD0B9005CB169 /* GCMemoryOperations.h in Headers */ = {isa = PBXBuildFile; fileRef = 5272987B235FC8BA005C982C /* GCMemoryOperations.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 523FD88E225566C9003B3DCC /* WebAssemblyFunctionHeapCellType.h in Headers */ = {isa = PBXBuildFile; fileRef = 523FD88C225566C3003B3DCC /* WebAssemblyFunctionHeapCellType.h */; };
                 524E9D7322092B5200A6BEEE /* AirAllocateRegistersAndStackAndGenerateCode.h in Headers */ = {isa = PBXBuildFile; fileRef = 524E9D7222092B4600A6BEEE /* AirAllocateRegistersAndStackAndGenerateCode.h */; };
@@ -3552 +3553 @@
                 526AC4B41E977C5D003500E1 /* WasmCodeBlock.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WasmCodeBlock.cpp; sourceTree = "<group>"; };
                 526AC4B51E977C5D003500E1 /* WasmCodeBlock.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WasmCodeBlock.h; sourceTree = "<group>"; };
+                5272987B235FC8BA005C982C /* GCMemoryOperations.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = GCMemoryOperations.h; sourceTree = "<group>"; };
                 527773DD1AAF83AC00BDE7E8 /* RuntimeType.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = RuntimeType.cpp; sourceTree = "<group>"; };
                 527CE35222555FDD00C6F382 /* JSToWasmICCallee.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; name = JSToWasmICCallee.cpp; path = js/JSToWasmICCallee.cpp; sourceTree = "<group>"; };
@@ -6150 +6152 @@
                                 2ADFA26218EF3540004F9FCC /* GCLogging.cpp */,
                                 2AABCDE618EF294200002096 /* GCLogging.h */,
+                                5272987B235FC8BA005C982C /* GCMemoryOperations.h */,
                                 0F97152E1EB28BE900A1645D /* GCRequest.cpp */,
                                 0F97152F1EB28BE900A1645D /* GCRequest.h */,
@@ -8928 +8931 @@
                                 3395C70722555F6D00BDBFAD /* B3EliminateDeadCode.h in Headers */,
                                 0F5BF1711F23A5A10029D91D /* B3EnsureLoopPreHeaders.h in Headers */,
+                                522927D5235FD0B9005CB169 /* GCMemoryOperations.h in Headers */,
                                 5318045C22EAAC4B004A7342 /* B3ExtractValue.h in Headers */,
                                 0F6971EA1D92F42400BA02A5 /* B3FenceValue.h in Headers */,

trunk/Source/JavaScriptCore/heap/Heap.h

@@ -29 +29 @@
 #include "GCConductor.h"
 #include "GCIncomingRefCountedSet.h"
+#include "GCMemoryOperations.h"
 #include "GCRequest.h"
 #include "HandleSet.h"

trunk/Source/JavaScriptCore/runtime/ArrayConventions.cpp

@@ -34 +34 @@
 void clearArrayMemset(WriteBarrier<Unknown>* base, unsigned count)
 {
-#if CPU(X86_64) && COMPILER(GCC_COMPATIBLE)
-    uint64_t zero = 0;
-    asm volatile (
-        "rep stosq\n\t"
-        : "+D"(base), "+c"(count)
-        : "a"(zero)
-        : "memory"
-        );
-#else // not CPU(X86_64)
-    memset(base, 0, count * sizeof(WriteBarrier<Unknown>));
-#endif // generic CPU
+    gcSafeZeroMemory(base, count * sizeof(WriteBarrier<Unknown>));
 }
 

trunk/Source/JavaScriptCore/runtime/ArrayPrototype.cpp

@@ -1488 +1488 @@
 
 template<typename T>
-ALWAYS_INLINE void copyElements(T* buffer, unsigned offset, void* source, unsigned sourceSize, IndexingType sourceType)
+ALWAYS_INLINE void copyElements(T* buffer, unsigned offset, T* source, unsigned sourceSize, IndexingType sourceType)
 {
     if (sourceType != ArrayWithUndecided) {
-        memcpy(buffer + offset, source, sizeof(JSValue) * sourceSize);
+        gcSafeMemcpy(buffer + offset, source, sizeof(JSValue) * sourceSize);
         return;
     }

trunk/Source/JavaScriptCore/runtime/ButterflyInlines.h

@@ -105 +105 @@
     if (hasIndexingHeader)
         *result->indexingHeader() = indexingHeader;
-    memset(result->propertyStorage() - propertyCapacity, 0, propertyCapacity * sizeof(EncodedJSValue));
+    gcSafeZeroMemory(result->propertyStorage() - propertyCapacity, propertyCapacity * sizeof(EncodedJSValue));
     return result;
 }
@@ -140 +140 @@
     bool hasIndexingHeader = structure->hasIndexingHeader(intendedOwner);
     Butterfly* result = createUninitialized(vm, intendedOwner, preCapacity, newPropertyCapacity, hasIndexingHeader, indexingPayloadSizeInBytes);
-    memcpy(
+    gcSafeMemcpy(
         result->propertyStorage() - oldPropertyCapacity,
         oldButterfly->propertyStorage() - oldPropertyCapacity,
         totalSize(0, oldPropertyCapacity, hasIndexingHeader, indexingPayloadSizeInBytes));
-    memset(
+    gcSafeZeroMemory(
         result->propertyStorage() - newPropertyCapacity,
-        0,
         (newPropertyCapacity - oldPropertyCapacity) * sizeof(EncodedJSValue));
     return result;
@@ -180 +179 @@
         return nullptr;
     // FIXME: This probably shouldn't be a memcpy.
-    memcpy(newBase, theBase, oldSize);
+    gcSafeMemcpy(static_cast<JSValue*>(newBase), static_cast<JSValue*>(theBase), oldSize);
     return fromBase(newBase, 0, propertyCapacity);
 }
@@ -222 +221 @@
     if (!newBase)
         return nullptr;
-    memcpy(newBase, theBase, oldSize);
+    gcSafeMemcpy(static_cast<JSValue*>(newBase), static_cast<JSValue*>(theBase), oldSize);
     return fromBase(newBase, 0, propertyCapacity);
 }
@@ -239 +238 @@
         totalSize(0, propertyCapacity, oldHasIndexingHeader, oldIndexingPayloadSizeInBytes),
         totalSize(0, propertyCapacity, newHasIndexingHeader, newIndexingPayloadSizeInBytes));
-    memcpy(to, from, size);
+    gcSafeMemcpy(static_cast<JSValue*>(to), static_cast<JSValue*>(from), size);
     return result;
 }
@@ -266 +265 @@
     // we rely on the compiler to recognize the ordering of the pointer arguments (since
     // propertyCapacity is variable and could cause wrap-around as far as the compiler knows).
-    memmove(
+    gcSafeMemmove(
         propertyStorage() - numberOfSlots - propertyCapacity,
         propertyStorage() - propertyCapacity,
@@ -278 +277 @@
     unsigned propertyCapacity = structure->outOfLineCapacity();
     // FIXME: See comment in unshift(), above.
-    memmove(
+    gcSafeMemmove(
         propertyStorage() - propertyCapacity + numberOfSlots,
         propertyStorage() - propertyCapacity,

trunk/Source/JavaScriptCore/runtime/JSArray.cpp

@@ -422 +422 @@
     if (addToFront) {
         ASSERT(count + usedVectorLength <= newVectorLength);
-        memmove(newButterfly->arrayStorage()->m_vector + count, storage->m_vector, sizeof(JSValue) * usedVectorLength);
-        memmove(newButterfly->propertyStorage() - propertySize, butterfly->propertyStorage() - propertySize, sizeof(JSValue) * propertySize + sizeof(IndexingHeader) + ArrayStorage::sizeFor(0));
+        gcSafeMemmove(newButterfly->arrayStorage()->m_vector + count, storage->m_vector, sizeof(JSValue) * usedVectorLength);
+        gcSafeMemmove(newButterfly->propertyStorage() - propertySize, butterfly->propertyStorage() - propertySize, sizeof(JSValue) * propertySize + sizeof(IndexingHeader) + ArrayStorage::sizeFor(0));
 
         // We don't need to zero the pre-capacity for the concurrent GC because it is not available to use as property storage.
-        memset(newButterfly->base(0, propertyCapacity), 0, (propertyCapacity - propertySize) * sizeof(JSValue));
+        gcSafeZeroMemory(static_cast<JSValue*>(newButterfly->base(0, propertyCapacity)), (propertyCapacity - propertySize) * sizeof(JSValue));
 
         if (allocatedNewStorage) {
@@ -435 +435 @@
         }
     } else if ((newAllocBase != butterfly->base(structure)) || (preCapacity != storage->m_indexBias)) {
-        memmove(newButterfly->propertyStorage() - propertyCapacity, butterfly->propertyStorage() - propertyCapacity, sizeof(JSValue) * propertyCapacity + sizeof(IndexingHeader) + ArrayStorage::sizeFor(0));
-        memmove(newButterfly->arrayStorage()->m_vector, storage->m_vector, sizeof(JSValue) * usedVectorLength);
+        gcSafeMemmove(newButterfly->propertyStorage() - propertyCapacity, butterfly->propertyStorage() - propertyCapacity, sizeof(JSValue) * propertyCapacity + sizeof(IndexingHeader) + ArrayStorage::sizeFor(0));
+        gcSafeMemmove(newButterfly->arrayStorage()->m_vector, storage->m_vector, sizeof(JSValue) * usedVectorLength);
         
         for (unsigned i = requiredVectorLength; i < newVectorLength; i++)
@@ -570 +570 @@
         }
     } else if (type == ArrayWithDouble)
-        memcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength);
+        gcSafeMemcpy(butterfly()->contiguousDouble().data() + startIndex, otherArray->butterfly()->contiguousDouble().data(), sizeof(JSValue) * otherLength);
     else {
-        memcpy(butterfly()->contiguous().data() + startIndex, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength);
+        gcSafeMemcpy(butterfly()->contiguous().data() + startIndex, otherArray->butterfly()->contiguous().data(), sizeof(JSValue) * otherLength);
         vm.heap.writeBarrier(this);
     }
@@ -790 +790 @@
         auto& resultButterfly = *resultArray->butterfly();
         if (arrayType == ArrayWithDouble)
-            memcpy(resultButterfly.contiguousDouble().data(), butterfly()->contiguousDouble().data() + startIndex, sizeof(JSValue) * count);
+            gcSafeMemcpy(resultButterfly.contiguousDouble().data(), butterfly()->contiguousDouble().data() + startIndex, sizeof(JSValue) * count);
         else
-            memcpy(resultButterfly.contiguous().data(), butterfly()->contiguous().data() + startIndex, sizeof(JSValue) * count);
+            gcSafeMemcpy(resultButterfly.contiguous().data(), butterfly()->contiguous().data() + startIndex, sizeof(JSValue) * count);
 
         ASSERT(resultButterfly.publicLength() == count);
@@ -850 +850 @@
         if (numElementsBeforeShiftRegion) {
             RELEASE_ASSERT(count + startIndex <= vectorLength);
-            memmove(storage->m_vector + count,
+            gcSafeMemmove(storage->m_vector + count,
                 storage->m_vector,
                 sizeof(JSValue) * startIndex);
@@ -868 +868 @@
         // The number of elements before the shift region is greater than or equal to the number 
         // of elements after the shift region, so we move the elements after the shift region to the left.
-        memmove(storage->m_vector + startIndex,
+        gcSafeMemmove(storage->m_vector + startIndex,
             storage->m_vector + firstIndexAfterShiftRegion,
             sizeof(JSValue) * numElementsAfterShiftRegion);
@@ -928 +928 @@
             }
         } else {
-            memmove(butterfly->contiguous().data() + startIndex, 
+            gcSafeMemmove(butterfly->contiguous().data() + startIndex, 
                 butterfly->contiguous().data() + startIndex + count, 
                 sizeof(JSValue) * (end - startIndex));
@@ -970 +970 @@
             }
         } else {
-            memmove(butterfly->contiguousDouble().data() + startIndex,
+            gcSafeMemmove(butterfly->contiguousDouble().data() + startIndex,
                 butterfly->contiguousDouble().data() + startIndex + count,
                 sizeof(JSValue) * (end - startIndex));
@@ -1034 +1034 @@
     if (startIndex) {
         if (moveFront)
-            memmove(vector, vector + count, startIndex * sizeof(JSValue));
+            gcSafeMemmove(vector, vector + count, startIndex * sizeof(JSValue));
         else if (length - startIndex)
-            memmove(vector + startIndex + count, vector + startIndex, (length - startIndex) * sizeof(JSValue));
+            gcSafeMemmove(vector + startIndex + count, vector + startIndex, (length - startIndex) * sizeof(JSValue));
     }
 

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -1208 +1208 @@
     Butterfly* newButterfly = Butterfly::createUninitialized(vm, this, 0, propertyCapacity, true, ArrayStorage::sizeFor(neededLength));
     
-    memcpy(
-        newButterfly->base(0, propertyCapacity),
-        m_butterfly->base(0, propertyCapacity),
+    gcSafeMemcpy(
+        static_cast<JSValue*>(newButterfly->base(0, propertyCapacity)),
+        static_cast<JSValue*>(m_butterfly->base(0, propertyCapacity)),
         propertyCapacity * sizeof(EncodedJSValue));
 
@@ -1501 +1501 @@
     Butterfly* newButterfly = Butterfly::createUninitialized(vm, this, 0, propertyCapacity, hasIndexingHeader, newVectorLength * sizeof(JSValue));
 
-    memcpy(newButterfly->propertyStorage(), oldButterfly->propertyStorage(), oldButterfly->vectorLength() * sizeof(JSValue) + sizeof(IndexingHeader));
+    gcSafeMemcpy(newButterfly->propertyStorage(), oldButterfly->propertyStorage(), oldButterfly->vectorLength() * sizeof(JSValue) + sizeof(IndexingHeader));
 
     WTF::storeStoreFence();
@@ -3780 +3780 @@
     void* newBase = newButterfly->base(0, outOfLineCapacityAfter);
 
-    memcpy(newBase, currentBase, Butterfly::totalSize(0, outOfLineCapacityAfter, hasIndexingHeader, indexingPayloadSizeInBytes));
+    gcSafeMemcpy(static_cast<JSValue*>(newBase), static_cast<JSValue*>(currentBase), Butterfly::totalSize(0, outOfLineCapacityAfter, hasIndexingHeader, indexingPayloadSizeInBytes));
     
     setButterfly(vm, newButterfly);

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -1181 +1181 @@
         : JSObject(vm, structure, butterfly)
     {
-        memset(inlineStorageUnsafe(), 0, structure->inlineCapacity() * sizeof(EncodedJSValue));
+        gcSafeZeroMemory(inlineStorageUnsafe(), structure->inlineCapacity() * sizeof(EncodedJSValue));
     }
 };

trunk/Source/JavaScriptCore/runtime/RegExpMatchesArray.h

@@ -99 +99 @@
         auto capacity = matchStructure->outOfLineCapacity();
         auto size = matchStructure->outOfLineSize();
-        memset(array->butterfly()->base(0, capacity), 0, (capacity - size) * sizeof(JSValue));
+        gcSafeZeroMemory(static_cast<JSValue*>(array->butterfly()->base(0, capacity)), (capacity - size) * sizeof(JSValue));
     };
 

trunk/Source/JavaScriptCore/runtime/Structure.cpp

@@ -778 +778 @@
         // We need to zero our unused property space; otherwise the GC might see a
         // stale pointer when we add properties in the future.
-        memset(
+        gcSafeZeroMemory(
             object->inlineStorageUnsafe() + inlineSize(),
-            0,
             (inlineCapacity() - inlineSize()) * sizeof(EncodedJSValue));
 
@@ -787 +786 @@
         void* base = butterfly->base(preCapacity, beforeOutOfLineCapacity);
         void* startOfPropertyStorageSlots = reinterpret_cast<EncodedJSValue*>(base) + preCapacity;
-        memset(startOfPropertyStorageSlots, 0, (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue));
+        gcSafeZeroMemory(static_cast<JSValue*>(startOfPropertyStorageSlots), (beforeOutOfLineCapacity - outOfLineSize()) * sizeof(EncodedJSValue));
         checkOffsetConsistency();
     }