Context Navigation

← Previous Changeset
Next Changeset →

Changeset 254491 in webkit

Timestamp:

Jan 13, 2020 9:24:58 PM (4 years ago)

Author:

keith_miller@apple.com

Message:

scanSideState scans too much side state
https://bugs.webkit.org/show_bug.cgi?id=206166

Reviewed by Tadeu Zagallo.

JSTests:

stress/checkpoint-side-state-gc-tmps-overflow.js: Added.

(v8):

Source/JavaScriptCore:

The old code would would scan tmps + sizeof(tmps) but sizeof(tmps)
is not the length of the array. instead we should scan tmps +
maxNumCheckpointTmps.

interpreter/CheckpointOSRExitSideState.h:
runtime/VM.cpp:

(JSC::VM::scanSideState const):

Location:

trunk

Files:

: 1 added
: 4 edited

JSTests/ChangeLog (modified) (1 diff)
JSTests/stress/checkpoint-side-state-gc-tmps-overflow.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/interpreter/CheckpointOSRExitSideState.h (modified) (1 diff)
Source/JavaScriptCore/runtime/VM.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r254480
+                      r254491
+-01-13  Keith Miller  <keith_miller@apple.com>
+        scanSideState scans too much side state
+        https://bugs.webkit.org/show_bug.cgi?id=206166
+        Reviewed by Tadeu Zagallo.
+        * stress/checkpoint-side-state-gc-tmps-overflow.js: Added.
+        (v8):
 -01-13  Saam Barati  <sbarati@apple.com>

trunk/Source/JavaScriptCore/ChangeLog

-                      r254480
+                      r254491
+-01-13  Keith Miller  <keith_miller@apple.com>
+        scanSideState scans too much side state
+        https://bugs.webkit.org/show_bug.cgi?id=206166
+        Reviewed by Tadeu Zagallo.
+        The old code would would scan tmps + sizeof(tmps) but sizeof(tmps)
+        is not the length of the array. instead we should scan tmps +
+        maxNumCheckpointTmps.
+        * interpreter/CheckpointOSRExitSideState.h:
+        * runtime/VM.cpp:
+        (JSC::VM::scanSideState const):
 -01-13  Saam Barati  <sbarati@apple.com>

trunk/Source/JavaScriptCore/interpreter/CheckpointOSRExitSideState.h

r254166	r254491
36	36
37	37	BytecodeIndex bytecodeIndex;
38		JSValue tmps[maxNumCheckpointTmps];
	38	JSValue tmps[maxNumCheckpointTmps] { };
39	39	};
40	40

trunk/Source/JavaScriptCore/runtime/VM.cpp

-                      r254464
+                      r254491
 void VM::scanSideState(ConservativeRoots& roots) const
+{
+    for (const auto& iter : m_checkpointSideState)
+        roots.add(iter.value->tmps, iter.value->tmps + sizeof(iter.value->tmps));
+    ASSERT(heap.mutatorState() != MutatorState::Running);
+    for (const auto& iter : m_checkpointSideState) {
+        static_assert(sizeof(iter.value->tmps) / sizeof(JSValue) == maxNumCheckpointTmps);
+        roots.add(iter.value->tmps, iter.value->tmps + maxNumCheckpointTmps);
+    }
+}
 #endif

Note: See TracChangeset for help on using the changeset viewer.