<feed xmlns='http://www.w3.org/2005/Atom'>
<title>delta/qt5/qtwebkit.git/Source/JavaScriptCore/heap, branch dev</title>
<subtitle>code.qt.io: qt/qtwebkit.git
</subtitle>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/'/>
<entry>
<title>Imported QtWebKit TP3 (git b57bc6801f1876c3220d5a4bfea33d620d477443)</title>
<updated>2017-02-02T12:30:55+00:00</updated>
<author>
<name>Konstantin Tokarev</name>
<email>annulen@yandex.ru</email>
</author>
<published>2016-08-25T16:20:41+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=6882a04fb36642862b11efe514251d32070c3d65'/>
<id>6882a04fb36642862b11efe514251d32070c3d65</id>
<content type='text'>
Change-Id: I3b1d8a2808782c9f34d50240000e20cb38d3680f
Reviewed-by: Konstantin Tokarev &lt;annulen@yandex.ru&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Change-Id: I3b1d8a2808782c9f34d50240000e20cb38d3680f
Reviewed-by: Konstantin Tokarev &lt;annulen@yandex.ru&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>&lt;https://webkit.org/b/120079&gt; Flattening a dictionary can cause CopiedSpace corruption</title>
<updated>2014-09-25T16:15:52+00:00</updated>
<author>
<name>Mark Hahnenberg</name>
<email>mhahnenberg@apple.com</email>
</author>
<published>2014-09-25T09:46:15+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=3a51e3ee766490fe6f9ab9511d19e16f75e07db8'/>
<id>3a51e3ee766490fe6f9ab9511d19e16f75e07db8</id>
<content type='text'>
Reviewed by Oliver Hunt.

When we flatten an object in dictionary mode, we compact its properties. If the object
had out-of-line storage in the form of a Butterfly prior to this compaction, and after
compaction its properties fit inline, the object's Structure "forgets" that the object
has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes
with bytes = 0, which causes all sorts of badness in CopiedSpace.

Instead, after we flatten a dictionary, if properties fit inline we should clear the
Butterfly pointer so that the GC doesn't get confused later.

This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
that the number of bytes reported to SlotVisitor::copyLater is non-zero.

* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::copyLater):
* runtime/JSObject.cpp:
(JSC::JSObject::notifyPresenceOfIndexedAccessors):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::convertUndecidedToDouble):
(JSC::JSObject::convertUndecidedToContiguous):
(JSC::JSObject::convertInt32ToDouble):
(JSC::JSObject::convertInt32ToContiguous):
(JSC::JSObject::genericConvertDoubleToContiguous):
(JSC::JSObject::switchToSlowPutArrayStorage):
(JSC::JSObject::setPrototype):
(JSC::JSObject::putDirectAccessor):
(JSC::JSObject::seal):
(JSC::JSObject::freeze):
(JSC::JSObject::preventExtensions):
(JSC::JSObject::reifyStaticFunctionsForDelete):
(JSC::JSObject::removeDirect):
* runtime/JSObject.h:
(JSC::JSObject::setButterfly):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::setStructure):
(JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):

Change-Id: Idfd8c22555f4373c1104316ff1ee28f5f84ef083
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154366 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Reviewed by Oliver Hunt.

When we flatten an object in dictionary mode, we compact its properties. If the object
had out-of-line storage in the form of a Butterfly prior to this compaction, and after
compaction its properties fit inline, the object's Structure "forgets" that the object
has a non-zero Butterfly pointer. During GC, we check the Butterfly and reportLiveBytes
with bytes = 0, which causes all sorts of badness in CopiedSpace.

Instead, after we flatten a dictionary, if properties fit inline we should clear the
Butterfly pointer so that the GC doesn't get confused later.

This patch does this clearing, and it also adds JSObject::checkStructure, which overrides
JSCell::checkStructure to add an ASSERT that makes sure that the Structure being assigned
agrees with whether or not the object has a Butterfly. Also added an ASSERT to check
that the number of bytes reported to SlotVisitor::copyLater is non-zero.

* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::copyLater):
* runtime/JSObject.cpp:
(JSC::JSObject::notifyPresenceOfIndexedAccessors):
(JSC::JSObject::convertUndecidedToInt32):
(JSC::JSObject::convertUndecidedToDouble):
(JSC::JSObject::convertUndecidedToContiguous):
(JSC::JSObject::convertInt32ToDouble):
(JSC::JSObject::convertInt32ToContiguous):
(JSC::JSObject::genericConvertDoubleToContiguous):
(JSC::JSObject::switchToSlowPutArrayStorage):
(JSC::JSObject::setPrototype):
(JSC::JSObject::putDirectAccessor):
(JSC::JSObject::seal):
(JSC::JSObject::freeze):
(JSC::JSObject::preventExtensions):
(JSC::JSObject::reifyStaticFunctionsForDelete):
(JSC::JSObject::removeDirect):
* runtime/JSObject.h:
(JSC::JSObject::setButterfly):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::setStructure):
(JSC::JSObject::setStructureAndReallocateStorageIfNecessary):
* runtime/Structure.cpp:
(JSC::Structure::flattenDictionaryStructure):

Change-Id: Idfd8c22555f4373c1104316ff1ee28f5f84ef083
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@154366 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Correct GC length unit and prevent division by 0 in showObjectStatistics.</title>
<updated>2014-08-28T15:48:36+00:00</updated>
<author>
<name>Julien Brianceau</name>
<email>jbriance@cisco.com</email>
</author>
<published>2014-08-28T14:32:15+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=d61a03cf5951a6ee9e890783039e68c8598714e6'/>
<id>d61a03cf5951a6ee9e890783039e68c8598714e6</id>
<content type='text'>
https://bugs.webkit.org/show_bug.cgi?id=136340

Reviewed by Mark Hahnenberg.

Change-Id: I20483be1225d674160bbdab183bc52121fe4411c
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@173062 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Michael Bruning &lt;michael.bruning@digia.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://bugs.webkit.org/show_bug.cgi?id=136340

Reviewed by Mark Hahnenberg.

Change-Id: I20483be1225d674160bbdab183bc52121fe4411c
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@173062 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Michael Bruning &lt;michael.bruning@digia.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix undefined reference linker errors with MinGW</title>
<updated>2013-10-16T11:40:47+00:00</updated>
<author>
<name>Kai Koehne</name>
<email>kai.koehne@digia.com</email>
</author>
<published>2013-10-15T14:48:14+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=332de746f32edbb3dfc1cd4b39d8c815fd47b28e'/>
<id>332de746f32edbb3dfc1cd4b39d8c815fd47b28e</id>
<content type='text'>
Make sure the inline methods are defined wherever referenced. This fixes
'undefined reference' errors when linking with MinGW-builds 4.8.2 32 bit
posix dwarf rev2.

Task-number: QTBUG-34083
Change-Id: Iadc7300634780741be9d97bc889290cd113181e1
Reviewed-by: Allan Sandfeld Jensen &lt;allan.jensen@digia.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Make sure the inline methods are defined wherever referenced. This fixes
'undefined reference' errors when linking with MinGW-builds 4.8.2 32 bit
posix dwarf rev2.

Task-number: QTBUG-34083
Change-Id: Iadc7300634780741be9d97bc889290cd113181e1
Reviewed-by: Allan Sandfeld Jensen &lt;allan.jensen@digia.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Import Qt5x2 branch of QtWebkit for Qt 5.2</title>
<updated>2013-09-19T18:50:05+00:00</updated>
<author>
<name>Allan Sandfeld Jensen</name>
<email>allan.jensen@digia.com</email>
</author>
<published>2013-09-13T10:51:20+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=d441d6f39bb846989d95bcf5caf387b42414718d'/>
<id>d441d6f39bb846989d95bcf5caf387b42414718d</id>
<content type='text'>
Importing a new snapshot of webkit.

Change-Id: I2d01ad12cdc8af8cb015387641120a9d7ea5f10c
Reviewed-by: Allan Sandfeld Jensen &lt;allan.jensen@digia.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Importing a new snapshot of webkit.

Change-Id: I2d01ad12cdc8af8cb015387641120a9d7ea5f10c
Reviewed-by: Allan Sandfeld Jensen &lt;allan.jensen@digia.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>WeakSet::removeAllocator leaks WeakBlocks</title>
<updated>2013-04-04T12:56:31+00:00</updated>
<author>
<name>Mark Hahnenberg</name>
<email>mhahnenberg@apple.com</email>
</author>
<published>2013-04-04T12:31:14+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=13ed0e19388202143b5a794754de1d0826f447a0'/>
<id>13ed0e19388202143b5a794754de1d0826f447a0</id>
<content type='text'>
https://bugs.webkit.org/show_bug.cgi?id=110228

Reviewed by Geoffrey Garen.

We need to return the WeakBlock to the BlockAllocator after the call to WeakBlock::destroy.

* heap/WeakSet.cpp:
(JSC::WeakSet::removeAllocator):

Change-Id: Iba6cff23e3d8b7a544a825dd1e435cf986b0d35f
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@143351 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://bugs.webkit.org/show_bug.cgi?id=110228

Reviewed by Geoffrey Garen.

We need to return the WeakBlock to the BlockAllocator after the call to WeakBlock::destroy.

* heap/WeakSet.cpp:
(JSC::WeakSet::removeAllocator):

Change-Id: Iba6cff23e3d8b7a544a825dd1e435cf986b0d35f
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@143351 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>r134080 causes heap problem on linux systems where PAGESIZE != 4096</title>
<updated>2013-04-04T12:56:09+00:00</updated>
<author>
<name>Balazs Kilvady</name>
<email>kilvadyb@homejinni.com</email>
</author>
<published>2013-04-04T11:51:09+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=6ab46a19bac261f42b664c62f8c2477b294b86ea'/>
<id>6ab46a19bac261f42b664c62f8c2477b294b86ea</id>
<content type='text'>
https://bugs.webkit.org/show_bug.cgi?id=102828

Patch by Balazs Kilvady &lt;kilvadyb@homejinni.com&gt; on 2013-01-18
Reviewed by Mark Hahnenberg.

Make MarkStackSegment::blockSize the capacity of segments of a MarkStackArray.

* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
* heap/MarkStack.cpp:
(JSC):
(JSC::MarkStackArray::MarkStackArray):
(JSC::MarkStackArray::expand):
(JSC::MarkStackArray::donateSomeCellsTo):
(JSC::MarkStackArray::stealSomeCellsFrom):
* heap/MarkStack.h:
(JSC::MarkStackSegment::data):
(CapacityFromSize):
(MarkStackArray):
* heap/MarkStackInlines.h:
(JSC::MarkStackArray::setTopForFullSegment):
(JSC::MarkStackArray::append):
(JSC::MarkStackArray::isEmpty):
(JSC::MarkStackArray::size):
* runtime/Options.h:
(JSC):

Change-Id: I4663100b6b8b054bed03c0c6eb01bb9274a1b264
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140195 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://bugs.webkit.org/show_bug.cgi?id=102828

Patch by Balazs Kilvady &lt;kilvadyb@homejinni.com&gt; on 2013-01-18
Reviewed by Mark Hahnenberg.

Make MarkStackSegment::blockSize the capacity of segments of a MarkStackArray.

* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
* heap/MarkStack.cpp:
(JSC):
(JSC::MarkStackArray::MarkStackArray):
(JSC::MarkStackArray::expand):
(JSC::MarkStackArray::donateSomeCellsTo):
(JSC::MarkStackArray::stealSomeCellsFrom):
* heap/MarkStack.h:
(JSC::MarkStackSegment::data):
(CapacityFromSize):
(MarkStackArray):
* heap/MarkStackInlines.h:
(JSC::MarkStackArray::setTopForFullSegment):
(JSC::MarkStackArray::append):
(JSC::MarkStackArray::isEmpty):
(JSC::MarkStackArray::size):
* runtime/Options.h:
(JSC):

Change-Id: I4663100b6b8b054bed03c0c6eb01bb9274a1b264
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140195 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[Qt] Fix the JSC build on Mac</title>
<updated>2013-03-18T16:25:46+00:00</updated>
<author>
<name>Jocelyn Turcotte</name>
<email>jocelyn.turcotte@digia.com</email>
</author>
<published>2013-03-18T15:15:13+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=d9c4f8fababcfe370881b4402994cbcd6fa05504'/>
<id>d9c4f8fababcfe370881b4402994cbcd6fa05504</id>
<content type='text'>
Unreviewed, build fix.

* heap/HeapTimer.h:
Qt on Mac has USE(CF) true, and should use the CF HeapTimer in that case.

Change-Id: Ibf9d96a3492e47dc33e131322de16e52de00e5e5
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141097 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Unreviewed, build fix.

* heap/HeapTimer.h:
Qt on Mac has USE(CF) true, and should use the CF HeapTimer in that case.

Change-Id: Ibf9d96a3492e47dc33e131322de16e52de00e5e5
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141097 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>[Qt] Implement IncrementalSweeper and HeapTimer</title>
<updated>2013-03-18T16:25:46+00:00</updated>
<author>
<name>Allan Sandfeld Jensen</name>
<email>allan.jensen@digia.com</email>
</author>
<published>2013-03-14T13:10:22+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=597984021ca00fd98a0dfe2effd742c6e7bd4190'/>
<id>597984021ca00fd98a0dfe2effd742c6e7bd4190</id>
<content type='text'>
https://bugs.webkit.org/show_bug.cgi?id=103996

Reviewed by Simon Hausmann.

Implements the incremental sweeping garbage collection for the Qt platform.

* heap/HeapTimer.cpp:
(JSC::HeapTimer::HeapTimer):
(JSC::HeapTimer::~HeapTimer):
(JSC::HeapTimer::timerEvent):
(JSC::HeapTimer::synchronize):
(JSC::HeapTimer::invalidate):
(JSC::HeapTimer::didStartVMShutdown):
* heap/HeapTimer.h:
(HeapTimer):
* heap/IncrementalSweeper.cpp:
(JSC::IncrementalSweeper::IncrementalSweeper):
(JSC::IncrementalSweeper::scheduleTimer):
* heap/IncrementalSweeper.h:
(IncrementalSweeper):

Change-Id: I47b874c050e08519cf5e3ed5a98a98ac8785971f
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141089 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://bugs.webkit.org/show_bug.cgi?id=103996

Reviewed by Simon Hausmann.

Implements the incremental sweeping garbage collection for the Qt platform.

* heap/HeapTimer.cpp:
(JSC::HeapTimer::HeapTimer):
(JSC::HeapTimer::~HeapTimer):
(JSC::HeapTimer::timerEvent):
(JSC::HeapTimer::synchronize):
(JSC::HeapTimer::invalidate):
(JSC::HeapTimer::didStartVMShutdown):
* heap/HeapTimer.h:
(HeapTimer):
* heap/IncrementalSweeper.cpp:
(JSC::IncrementalSweeper::IncrementalSweeper):
(JSC::IncrementalSweeper::scheduleTimer):
* heap/IncrementalSweeper.h:
(IncrementalSweeper):

Change-Id: I47b874c050e08519cf5e3ed5a98a98ac8785971f
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141089 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Restrictions on oversize CopiedBlock allocations should be relaxed</title>
<updated>2013-02-06T13:45:44+00:00</updated>
<author>
<name>Mark Hahnenberg</name>
<email>mhahnenberg@apple.com</email>
</author>
<published>2013-02-04T13:21:12+00:00</published>
<link rel='alternate' type='text/html' href='http://git.baserock.org/cgit/delta/qt5/qtwebkit.git/commit/?id=90c58273524a6eb69bdbfe35023e63924c54a734'/>
<id>90c58273524a6eb69bdbfe35023e63924c54a734</id>
<content type='text'>
https://bugs.webkit.org/show_bug.cgi?id=105339

Reviewed by Filip Pizlo.

Currently the DFG has a single branch in the inline allocation path for property/array storage where
it checks to see if the number of bytes requested will fit in the current block. This does not match
what the C++ allocation path does; it checks if the requested number of bytes is oversize, and then
if it's not, it tries to fit it in the current block. The garbage collector assumes that ALL allocations
that are greater than 16KB are in oversize blocks. Therefore, this mismatch can lead to crashes when
the collector tries to perform some operation on a CopiedBlock.

To avoid adding an extra branch to the inline allocation path in the JIT, we should make it so that
oversize blocks are allocated on the same alignment boundaries so that there is a single mask to find
the block header of any CopiedBlock (rather than two, one for normal and one for oversize blocks), and
we should figure out if a block is oversize by some other method than just whatever the JSObject says
it is. One way we could record this info is in the Region of the block, since we allocate a one-off Region for
oversize blocks.

* heap/BlockAllocator.h:
(JSC::Region::isCustomSize):
(Region):
(JSC::Region::createCustomSize):
(JSC::Region::Region):
(JSC::BlockAllocator::deallocateCustomSize):
* heap/CopiedBlock.h:
(CopiedBlock):
(JSC::CopiedBlock::isOversize):
(JSC):
* heap/CopiedSpace.cpp:
(JSC::CopiedSpace::tryAllocateOversize):
(JSC::CopiedSpace::tryReallocate):
(JSC::CopiedSpace::tryReallocateOversize):
* heap/CopiedSpace.h:
(CopiedSpace):
* heap/CopiedSpaceInlines.h:
(JSC::CopiedSpace::contains):
(JSC::CopiedSpace::tryAllocate):
(JSC):
* heap/CopyVisitor.h:
(CopyVisitor):
* heap/CopyVisitorInlines.h:
(JSC::CopyVisitor::checkIfShouldCopy):
(JSC::CopyVisitor::didCopy):
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::copyLater):
* runtime/JSObject.cpp:
(JSC::JSObject::copyButterfly):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138067 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Change-Id: Icebcfe83d82ace7c3e1db6a979306f604459c5ae
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://bugs.webkit.org/show_bug.cgi?id=105339

Reviewed by Filip Pizlo.

Currently the DFG has a single branch in the inline allocation path for property/array storage where
it checks to see if the number of bytes requested will fit in the current block. This does not match
what the C++ allocation path does; it checks if the requested number of bytes is oversize, and then
if it's not, it tries to fit it in the current block. The garbage collector assumes that ALL allocations
that are greater than 16KB are in oversize blocks. Therefore, this mismatch can lead to crashes when
the collector tries to perform some operation on a CopiedBlock.

To avoid adding an extra branch to the inline allocation path in the JIT, we should make it so that
oversize blocks are allocated on the same alignment boundaries so that there is a single mask to find
the block header of any CopiedBlock (rather than two, one for normal and one for oversize blocks), and
we should figure out if a block is oversize by some other method than just whatever the JSObject says
it is. One way we could record this info is in the Region of the block, since we allocate a one-off Region for
oversize blocks.

* heap/BlockAllocator.h:
(JSC::Region::isCustomSize):
(Region):
(JSC::Region::createCustomSize):
(JSC::Region::Region):
(JSC::BlockAllocator::deallocateCustomSize):
* heap/CopiedBlock.h:
(CopiedBlock):
(JSC::CopiedBlock::isOversize):
(JSC):
* heap/CopiedSpace.cpp:
(JSC::CopiedSpace::tryAllocateOversize):
(JSC::CopiedSpace::tryReallocate):
(JSC::CopiedSpace::tryReallocateOversize):
* heap/CopiedSpace.h:
(CopiedSpace):
* heap/CopiedSpaceInlines.h:
(JSC::CopiedSpace::contains):
(JSC::CopiedSpace::tryAllocate):
(JSC):
* heap/CopyVisitor.h:
(CopyVisitor):
* heap/CopyVisitorInlines.h:
(JSC::CopyVisitor::checkIfShouldCopy):
(JSC::CopyVisitor::didCopy):
* heap/SlotVisitorInlines.h:
(JSC::SlotVisitor::copyLater):
* runtime/JSObject.cpp:
(JSC::JSObject::copyButterfly):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@138067 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Change-Id: Icebcfe83d82ace7c3e1db6a979306f604459c5ae
Reviewed-by: Jocelyn Turcotte &lt;jocelyn.turcotte@digia.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
