source: webkit/trunk/JavaScriptCore/JavaScriptCore.exp@20019

Last change on this file since 20019 was 20004, checked in by ggaren, 18 years ago

JavaScriptCore:

Reviewed by Maciej Stachowiak.


Fixed all known crashers exposed by run-webkit-tests --threaded. This covers:

<rdar://problem/4565394> | http://bugs.webkit.org/show_bug.cgi?id=12585

PAC file: after closing a window that contains macworld.com, new window
crashes (KJS::PropertyMap::mark()) (12585)

<rdar://problem/4571215> | http://bugs.webkit.org/show_bug.cgi?id=9211

PAC file: Crash occurs when clicking on the navigation tabs at http://www.businessweek.com/ (9211)

<rdar://problem/4557926>

PAC file: Crash occurs when attempting to view image in slideshow mode
at http://d.smugmug.com/gallery/581716 (KJS::IfNode::execute(KJS::ExecState*) + 312)
if you use a PAC file

(1) Added some missing JSLocks, along with related ASSERTs.


(2) Fully implemented support for objects that can only be garbage collected
on the main thread. So far, only WebCore uses this. We can add it to API
later if we learn that it's needed.


The implementation uses a "main thread only" flag inside each object. When
collecting on a secondary thread, the Collector does an extra pass through
the heap to mark all flagged objects before sweeping. This solution makes
the common case -- flag lots of objects, but never collect on a secondary
thread -- very fast, even though the uncommon case of garbage collecting
on a secondary thread isn't as fast as it could be. I left some notes
about how to speed it up, if we ever care.


For posterity, here are some things I learned about GC while investigating:


  • Each collect must either mark or delete every heap object. "Zombie" objects, which are neither marked nor deleted, raise these issues:
      • On the next pass, the conservative marking algorithm might mark a zombie, causing it to mark freed objects.
      • The client might try to use a zombie, which would seem live because its finalizer had not yet run.
  • A collect on the main thread is free to delete any object. Presumably, objects allocated on secondary threads have thread-safe finalizers.
  • A collect on a secondary thread must not delete thread-unsafe objects.
  • The mark function must be thread-safe.


Line by line comments:

  • API/JSObjectRef.h: Added comment specifying that the finalize callback may run on any thread.
  • bindings/npruntime.cpp:
    (_NPN_GetStringIdentifier): Added JSLock.
  • bindings/objc/objc_instance.h:
  • bindings/objc/objc_instance.mm:
    (ObjcInstance::~ObjcInstance): Use an autorelease pool. The other callers to CFRelease needed one, too, but they were dead code, so I removed them instead. (This fixes a leak seen while running run-webkit-tests --threaded, although I don't think it's specifically a threading issue.)
  • kjs/collector.cpp:
    (KJS::Collector::collectOnMainThreadOnly): New function. Tells the collector to collect a value only if it's collecting on the main thread.
    (KJS::Collector::markMainThreadOnlyObjects): New function. Scans the heap for "main thread only" objects and marks them.
  • kjs/date_object.cpp:
    (KJS::DateObjectImp::DateObjectImp): To make the new ASSERTs happy, allocate our globals on the heap, avoiding a seemingly unsafe destructor call at program exit time.
  • kjs/function_object.cpp:
    (FunctionPrototype::FunctionPrototype): ditto
  • kjs/interpreter.cpp:
    (KJS::Interpreter::mark): Removed boolean parameter, which was an incomplete and arguably hackish way to implement markMainThreadOnlyObjects() inside WebCore.
  • kjs/interpreter.h:
  • kjs/identifier.cpp:
    (KJS::identifierTable): Added some ASSERTs to check for thread safety problems.
  • kjs/list.cpp: Added some ASSERTs to check for thread safety problems.
    (KJS::allocateListImp):
    (KJS::List::release):
    (KJS::List::append):
    (KJS::List::empty): Make the new ASSERTs happy.
  • kjs/object.h:
    (KJS::JSObject::JSObject): "m_destructorIsThreadSafe" => "m_collectOnMainThreadOnly". I removed the constructor parameter because m_collectOnMainThreadOnly, like m_marked, is a Collector bit, so only the Collector should set or get it.
  • kjs/object_object.cpp:
    (ObjectPrototype::ObjectPrototype): Make the ASSERTs happy.
  • kjs/regexp_object.cpp:
    (RegExpPrototype::RegExpPrototype): ditto
  • kjs/ustring.cpp: Added some ASSERTs to check for thread safety problems.
    (KJS::UCharReference::ref):
    (KJS::UString::Rep::createCopying):
    (KJS::UString::Rep::create):
    (KJS::UString::Rep::destroy):
    (KJS::UString::null): Make the new ASSERTs happy.
  • kjs/ustring.h:
    (KJS::UString::Rep::ref): Added some ASSERTs to check for thread safety problems.
    (KJS::UString::Rep::deref):
  • kjs/value.h:
    (KJS::JSCell::JSCell):

JavaScriptGlue:

Reviewed by Maciej Stachowiak.

Fixed all known crashers exposed by run-webkit-tests --threaded while using
a PAC file (for maximum carnage). See JavaScriptCore ChangeLog for
more details.

  • JSBase.cpp:
    (JSBase::Release): Lock when deleting, because we may be deleting an object (like a JSRun) that holds thread-unsafe data.
  • JSUtils.cpp:
    (CFStringToUString): Don't lock, because our caller locks. Also, locking inside a function that returns thread-unsafe data by copy will only mask threading problems.
  • JavaScriptGlue.cpp:
    (JSRunEvaluate): Added missing JSLock.
    (JSRunCheckSyntax): Converted to JSLock.
  • JavaScriptGlue.xcodeproj/project.pbxproj:

WebCore:

Reviewed by Maciej Stachowiak.

Fixed all known crashers exposed by run-webkit-tests --threaded [*]. See
JavaScriptCore ChangeLog for more details.

  • bindings/js/kjs_binding.cpp:
    (KJS::domNodesPerDocument): Added thread safety ASSERT.
    (KJS::ScriptInterpreter::mark): Removed obsolete logic for marking unsafe objects when collecting on a secondary thread. The Collector takes care of this now.
  • bindings/js/kjs_binding.h:
    (KJS::DOMObject::DOMObject): Used new API for specifying that WebCore objects should be garbage collected on the main thread only.
  • bindings/js/kjs_window.cpp:
    (KJS::ScheduledAction::execute): Moved JSLock to cover implementsCall() call, which, for some subclasses, ends up allocating garbage collected objects. (This fix was speculative. I didn't actually see a crash from this.)
    (KJS::Window::timerFired): Added JSLock around ScheduledAction destruction, since it destroys a KJS::List.
  • bindings/objc/WebScriptObject.mm:
    (-[WebScriptObject setException:]): Added JSLock. (This fix was speculative. I didn't actually see a crash from this.)
  • bridge/mac/WebCoreScriptDebugger.mm:
    (-[WebCoreScriptCallFrame evaluateWebScript:]): Added JSLock. (This fix was speculative. I didn't actually see a crash from this.)
  • dom/Document.cpp:
    (WebCore::Document::~Document): Added JSLock around modification to domNodesPerDocument(), which can be accessed concurrently during garbage collection.
  • dom/Node.cpp:
    (WebCore::Node::setDocument): ditto.


[*] fast/js/toString-stack-overflow.html is an exception. --threaded mode
crashes this test because it causes the garbage collector to run frequently,
and this test crashes if you happen to garbage collect while it's running.
This is a known issue with stack overflow during the mark phase. It's
not related to threading.
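The "main thread only" flag and the no-zombie rule from the ChangeLog above, as an added example that is not WebKit's code: a toy mark-sweep heap in C++ that mirrors the Collector's two-pass approach. Names such as Heap, Cell, runScenario, the finalize counters and the constructed object graph are assumptions made for this illustration; only the idea (mark from the roots; when collecting on a secondary thread additionally mark every flagged object and whatever it references; then sweep everything still unmarked) is taken from the commit message.

```cpp
// Added example, not WebKit code: a toy mark-sweep heap with the
// "collect on main thread only" bit the ChangeLog describes. Heap, Cell and
// runScenario are names assumed for this illustration only.
#include <cstddef>
#include <vector>

struct Cell {
    bool marked = false;                  // Collector bit, reset at the start of each collect
    bool collectOnMainThreadOnly = false; // Collector bit: this cell's finalizer is thread-unsafe
    std::vector<Cell*> children;          // outgoing references followed by mark()
    int* finalized;                       // counter bumped when this cell's finalizer runs
    explicit Cell(int* counter) : finalized(counter) {}
};

class Heap {
public:
    ~Heap() { for (Cell* c : cells) delete c; }

    Cell* allocate(int* finalizedCounter) {
        Cell* c = new Cell(finalizedCounter);
        cells.push_back(c);
        return c;
    }
    // Only the collector sets this bit (cf. Collector::collectOnMainThreadOnly).
    void collectOnMainThreadOnly(Cell* c) { c->collectOnMainThreadOnly = true; }
    void addRoot(Cell* c) { roots.push_back(c); }

    // One full collection. Returns the number of cells finalized.
    std::size_t collect(bool onMainThread) {
        for (Cell* c : cells) c->marked = false;
        for (Cell* r : roots) mark(r);
        // Extra pass only on a secondary thread: keep every flagged object (and
        // everything it references) alive so its thread-unsafe finalizer never
        // runs here. On the main thread the pass is skipped, so the common case
        // (many flagged objects, collection on the main thread) pays nothing.
        if (!onMainThread) markMainThreadOnlyObjects();
        return sweep();
    }
    // Invariant check from the ChangeLog: after a collect every surviving cell
    // is marked. An unmarked survivor would be a "zombie" (neither marked nor deleted).
    std::size_t zombies() const {
        std::size_t n = 0;
        for (Cell* c : cells) if (!c->marked) ++n;
        return n;
    }
    std::size_t size() const { return cells.size(); }

private:
    void mark(Cell* c) {
        if (c->marked) return;            // also terminates cycles
        c->marked = true;
        for (Cell* child : c->children) mark(child);
    }
    void markMainThreadOnlyObjects() {
        for (Cell* c : cells) if (c->collectOnMainThreadOnly) mark(c);
    }
    std::size_t sweep() {
        std::vector<Cell*> live;
        std::size_t finalized = 0;
        for (Cell* c : cells) {
            if (c->marked) { live.push_back(c); continue; }
            ++*c->finalized;              // finalizer runs now: no zombies left behind
            delete c;
            ++finalized;
        }
        cells.swap(live);
        return finalized;
    }
    std::vector<Cell*> cells;
    std::vector<Cell*> roots;
};

struct ScenarioResult {
    std::size_t sweptOnSecondary, zombiesAfterSecondary, sweptOnMain, zombiesAfterMain, remaining;
    int mainThreadOnlyFinalized, plainFinalized;
};

// Constructed scenario: one rooted cell, one flagged cell (think of a WebCore
// DOMObject) that references a helper, and one plain unreachable cell.
ScenarioResult runScenario() {
    Heap heap;
    int mainThreadOnlyFinalized = 0, plainFinalized = 0;
    Cell* root = heap.allocate(&plainFinalized);
    heap.addRoot(root);
    Cell* domObject = heap.allocate(&mainThreadOnlyFinalized);
    heap.collectOnMainThreadOnly(domObject);
    Cell* helper = heap.allocate(&plainFinalized);
    domObject->children.push_back(helper);   // reachable only through domObject
    heap.allocate(&plainFinalized);          // unreachable plain garbage

    ScenarioResult r{};
    r.sweptOnSecondary = heap.collect(false); // secondary thread: plain garbage only
    r.zombiesAfterSecondary = heap.zombies();
    r.sweptOnMain = heap.collect(true);       // main thread: domObject and helper go too
    r.zombiesAfterMain = heap.zombies();
    r.remaining = heap.size();
    r.mainThreadOnlyFinalized = mainThreadOnlyFinalized;
    r.plainFinalized = plainFinalized;
    return r;
}
```

The secondary-thread collect finalizes only the plain garbage and leaves the flagged object and its helper alive; the following main-thread collect finalizes both. Marking the flagged object transitively matters: if only the object itself survived, its references would dangle after the sweep. zombies() is the check behind the first bullet of the GC notes: after every collect each survivor is marked, so nothing half-dead remains for the next conservative scan to trip over.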

File size: 10.0 KB
_JSCheckScriptSyntax
_JSClassCreate
_JSClassRelease
_JSClassRetain
_JSContextGetGlobalObject
_JSEvaluateScript
_JSGarbageCollect
_JSGlobalContextCreate
_JSGlobalContextRelease
_JSGlobalContextRetain
_JSObjectCallAsConstructor
_JSObjectCallAsFunction
_JSObjectCopyPropertyNames
_JSObjectDeleteProperty
_JSObjectGetPrivate
_JSObjectGetProperty
_JSObjectGetPropertyAtIndex
_JSObjectGetPrototype
_JSObjectHasProperty
_JSObjectIsConstructor
_JSObjectIsFunction
_JSObjectMake
_JSObjectMakeConstructor
_JSObjectMakeFunction
_JSObjectMakeFunction
_JSObjectMakeFunctionWithCallback
_JSObjectSetPrivate
_JSObjectSetProperty
_JSObjectSetPropertyAtIndex
_JSObjectSetPrototype
_JSPropertyNameAccumulatorAddName
_JSPropertyNameArrayGetCount
_JSPropertyNameArrayGetNameAtIndex
_JSPropertyNameArrayRelease
_JSPropertyNameArrayRetain
_JSStringCopyCFString
_JSStringCreateWithCFString
_JSStringCreateWithCharacters
_JSStringCreateWithUTF8CString
_JSStringGetCharactersPtr
_JSStringGetLength
_JSStringGetMaximumUTF8CStringSize
_JSStringGetUTF8CString
_JSStringIsEqual
_JSStringIsEqualToUTF8CString
_JSStringRelease
_JSStringRetain
_JSValueGetType
_JSValueIsBoolean
_JSValueIsEqual
_JSValueIsInstanceOfConstructor
_JSValueIsNull
_JSValueIsNumber
_JSValueIsObject
_JSValueIsObjectOfClass
_JSValueIsStrictEqual
_JSValueIsString
_JSValueIsUndefined
_JSValueMakeBoolean
_JSValueMakeNull
_JSValueMakeNumber
_JSValueMakeString
_JSValueMakeUndefined
_JSValueProtect
_JSValueToBoolean
_JSValueToNumber
_JSValueToObject
_JSValueToStringCopy
_JSValueUnprotect
_KJS_JSCreateNativeJSObject
_KJS_JSObject_JSFinalize
_KJS_JSObject_JSObjectCall
_KJS_JSObject_JSObjectEval
_KJS_JSObject_JSObjectGetMember
_KJS_JSObject_JSObjectGetSlot
_KJS_JSObject_JSObjectRemoveMember
_KJS_JSObject_JSObjectSetMember
_KJS_JSObject_JSObjectSetSlot
_KJS_JSObject_JSObjectToString
_WTFLog
_WTFReportArgumentAssertionFailure
_WTFReportAssertionFailure
_WTFReportAssertionFailureWithMessage
_WTFReportError
_WTFReportFatalError
__NPN_CreateObject
__NPN_DeallocateObject
__NPN_Evaluate
__NPN_GetIntIdentifier
__NPN_GetProperty
__NPN_GetStringIdentifier
__NPN_GetStringIdentifiers
__NPN_IdentifierIsString
__NPN_Invoke
__NPN_InvokeDefault
__NPN_ReleaseObject
__NPN_ReleaseVariantValue
__NPN_RemoveProperty
__NPN_RetainObject
__NPN_SetException
__NPN_SetProperty
__NPN_UTF8FromIdentifier
__Z23_NPN_CreateScriptObjectP4_NPPPN3KJS8JSObjectEN3WTF10PassRefPtrINS1_8Bindings10RootObjectEEES8_
__Z25_NPN_CreateNoScriptObjectv
__ZN3KJS10Identifier3addEPKNS_5UCharEi
__ZN3KJS10Identifier3addEPKc
__ZN3KJS10Identifier3addEPNS_7UString3RepE
__ZN3KJS10Identifier5equalEPKNS_7UString3RepEPKc
__ZN3KJS10throwErrorEPNS_9ExecStateENS_9ErrorTypeE
__ZN3KJS10throwErrorEPNS_9ExecStateENS_9ErrorTypeEPKc
__ZN3KJS11Interpreter10globalExecEv
__ZN3KJS11Interpreter11checkSyntaxERKNS_7UStringEiPKNS_5UCharEi
__ZN3KJS11Interpreter11checkSyntaxERKNS_7UStringEiS3_
__ZN3KJS11Interpreter15restoreBuiltinsERKNS_13SavedBuiltinsE
__ZN3KJS11Interpreter16initGlobalObjectEv
__ZN3KJS11Interpreter16stopTimeoutCheckEv
__ZN3KJS11Interpreter17startTimeoutCheckEv
__ZN3KJS11Interpreter21shouldPrintExceptionsEv
__ZN3KJS11Interpreter24setShouldPrintExceptionsEb
__ZN3KJS11Interpreter4markEv
__ZN3KJS11Interpreter6s_hookE
__ZN3KJS11Interpreter8evaluateERKNS_7UStringEiPKNS_5UCharEiPNS_7JSValueE
__ZN3KJS11Interpreter8evaluateERKNS_7UStringEiS3_PNS_7JSValueE
__ZN3KJS11InterpreterC1EPNS_8JSObjectE
__ZN3KJS11InterpreterC1Ev
__ZN3KJS11InterpreterC2EPNS_8JSObjectE
__ZN3KJS11InterpreterD1Ev
__ZN3KJS11InterpreterD2Ev
__ZN3KJS11JSImmediate4typeEPKNS_7JSValueE
__ZN3KJS11JSImmediate8toObjectEPKNS_7JSValueEPNS_9ExecStateE
__ZN3KJS11JSImmediate8toStringEPKNS_7JSValueE
__ZN3KJS11PropertyMap11getLocationERKNS_10IdentifierE
__ZN3KJS11PropertyMap5clearEv
__ZN3KJS11PropertyMap7restoreERKNS_15SavedPropertiesE
__ZN3KJS11PropertyMapD1Ev
__ZN3KJS12DateInstance4infoE
__ZN3KJS12PropertySlot15undefinedGetterEPNS_9ExecStateEPNS_8JSObjectERKNS_10IdentifierERKS0_
__ZN3KJS12jsNumberCellEd
__ZN3KJS13ArrayInstance4infoE
__ZN3KJS13SavedBuiltinsC1Ev
__ZN3KJS13SavedBuiltinsD1Ev
__ZN3KJS14StringInstance14deletePropertyEPNS_9ExecStateERKNS_10IdentifierE
__ZN3KJS14StringInstance16getPropertyNamesEPNS_9ExecStateERNS_17PropertyNameArrayE
__ZN3KJS14StringInstance18getOwnPropertySlotEPNS_9ExecStateERKNS_10IdentifierERNS_12PropertySlotE
__ZN3KJS14StringInstance3putEPNS_9ExecStateERKNS_10IdentifierEPNS_7JSValueEi
__ZN3KJS14StringInstance4infoE
__ZN3KJS14StringInstanceC1EPNS_8JSObjectERKNS_7UStringE
__ZN3KJS14StringInstanceC2EPNS_8JSObjectERKNS_7UStringE
__ZN3KJS15JSWrapperObject4markEv
__ZN3KJS15SavedPropertiesC1Ev
__ZN3KJS15SavedPropertiesD1Ev
__ZN3KJS16RuntimeObjectImp4infoE
__ZN3KJS16RuntimeObjectImpC1EPNS_8Bindings8InstanceE
__ZN3KJS17PropertyNameArray3addERKNS_10IdentifierE
__ZN3KJS18lengthPropertyNameE
__ZN3KJS19InternalFunctionImp4infoE
__ZN3KJS19InternalFunctionImpC2EPNS_17FunctionPrototypeERKNS_10IdentifierE
__ZN3KJS19messagePropertyNameE
__ZN3KJS21prototypePropertyNameE
__ZN3KJS4List6appendEPNS_7JSValueE
__ZN3KJS4List7releaseEv
__ZN3KJS4ListC1Ev
__ZN3KJS6JSCell9getObjectEv
__ZN3KJS6JSCellnwEm
__ZN3KJS6JSLock12DropAllLocksC1Ev
__ZN3KJS6JSLock12DropAllLocksD1Ev
__ZN3KJS6JSLock4lockEv
__ZN3KJS6JSLock6unlockEv
__ZN3KJS6JSLock9lockCountEv
__ZN3KJS6Lookup9findEntryEPKNS_9HashTableERKNS_10IdentifierE
__ZN3KJS6Parser11prettyPrintERKNS_7UStringEPiPS1_
__ZN3KJS7CStringD1Ev
__ZN3KJS7UString3Rep4nullE
__ZN3KJS7UString3Rep7destroyEv
__ZN3KJS7UString6appendERKS0_
__ZN3KJS7UStringC1EPKNS_5UCharEi
__ZN3KJS7UStringC1EPKc
__ZN3KJS7UStringC1ERKS0_S2_
__ZN3KJS7UStringaSEPKc
__ZN3KJS8Bindings10RootObject10invalidateEv
__ZN3KJS8Bindings10RootObject11gcUnprotectEPNS_8JSObjectE
__ZN3KJS8Bindings10RootObject17_createRootObjectE
__ZN3KJS8Bindings10RootObject19setCreateRootObjectEPFN3WTF10PassRefPtrIS1_EEPvE
__ZN3KJS8Bindings10RootObject6createEPKvN3WTF10PassRefPtrINS_11InterpreterEEE
__ZN3KJS8Bindings10RootObject9gcProtectEPNS_8JSObjectE
__ZN3KJS8Bindings10RootObjectD1Ev
__ZN3KJS8Bindings10throwErrorEPNS_9ExecStateENS_9ErrorTypeEP8NSString
__ZN3KJS8Bindings23convertObjcValueToValueEPNS_9ExecStateEPvNS0_13ObjcValueTypeE
__ZN3KJS8Bindings23convertValueToObjcValueEPNS_9ExecStateEPNS_7JSValueENS0_13ObjcValueTypeE
__ZN3KJS8Bindings8Instance18didExecuteFunctionEv
__ZN3KJS8Bindings8Instance21setDidExecuteFunctionEPFvPNS_9ExecStateEPNS_8JSObjectEE
__ZN3KJS8Bindings8Instance32createBindingForLanguageInstanceENS1_15BindingLanguageEPvN3WTF10PassRefPtrINS0_10RootObjectEEE
__ZN3KJS8Debugger12sourceUnusedEPNS_9ExecStateEi
__ZN3KJS8Debugger6attachEPNS_11InterpreterE
__ZN3KJS8Debugger9exceptionEPNS_9ExecStateEiiPNS_7JSValueE
__ZN3KJS8DebuggerC2Ev
__ZN3KJS8DebuggerD2Ev
__ZN3KJS8JSObject11hasInstanceEPNS_9ExecStateEPNS_7JSValueE
__ZN3KJS8JSObject14callAsFunctionEPNS_9ExecStateEPS0_RKNS_4ListE
__ZN3KJS8JSObject14deletePropertyEPNS_9ExecStateERKNS_10IdentifierE
__ZN3KJS8JSObject14deletePropertyEPNS_9ExecStateEj
__ZN3KJS8JSObject16getPropertyNamesEPNS_9ExecStateERNS_17PropertyNameArrayE
__ZN3KJS8JSObject18getOwnPropertySlotEPNS_9ExecStateEjRNS_12PropertySlotE
__ZN3KJS8JSObject22fillGetterPropertySlotERNS_12PropertySlotEPPNS_7JSValueE
__ZN3KJS8JSObject3putEPNS_9ExecStateERKNS_10IdentifierEPNS_7JSValueEi
__ZN3KJS8JSObject3putEPNS_9ExecStateEjPNS_7JSValueEi
__ZN3KJS8JSObject4callEPNS_9ExecStateEPS0_RKNS_4ListE
__ZN3KJS8JSObject4markEv
__ZN3KJS8JSObject9constructEPNS_9ExecStateERKNS_4ListE
__ZN3KJS8JSObject9constructEPNS_9ExecStateERKNS_4ListERKNS_10IdentifierERKNS_7UStringEi
__ZN3KJS8JSObject9putDirectERKNS_10IdentifierEPNS_7JSValueEi
__ZN3KJS8JSObject9putDirectERKNS_10IdentifierEii
__ZN3KJS8jsStringEPKc
__ZN3KJS8jsStringERKNS_7UStringE
__ZN3KJS9Collector15numInterpretersEv
__ZN3KJS9Collector19numProtectedObjectsEv
__ZN3KJS9Collector20rootObjectTypeCountsEv
__ZN3KJS9Collector23collectOnMainThreadOnlyEPNS_7JSValueE
__ZN3KJS9Collector4sizeEv
__ZN3KJS9Collector7collectEv
__ZN3KJS9Collector7protectEPNS_7JSValueE
__ZN3KJS9Collector9unprotectEPNS_7JSValueE
__ZN3KJSeqERKNS_7UStringEPKc
__ZN3WTF10fastCallocEmm
__ZN3WTF10fastMallocEm
__ZN3WTF11fastReallocEPvm
__ZN3WTF8fastFreeEPv
__ZNK3KJS11Interpreter12builtinArrayEv
__ZNK3KJS11Interpreter12globalObjectEv
__ZNK3KJS11Interpreter12saveBuiltinsERNS_13SavedBuiltinsE
__ZNK3KJS11Interpreter15builtinFunctionEv
__ZNK3KJS11Interpreter22builtinObjectPrototypeEv
__ZNK3KJS11Interpreter22builtinStringPrototypeEv
__ZNK3KJS11Interpreter24builtinFunctionPrototypeEv
__ZNK3KJS11PropertyMap3getERKNS_10IdentifierE
__ZNK3KJS11PropertyMap4saveERNS_15SavedPropertiesE
__ZNK3KJS12DateInstance7getTimeERdRi
__ZNK3KJS13ArrayInstance7getItemEj
__ZNK3KJS19InternalFunctionImp14implementsCallEv
__ZNK3KJS19InternalFunctionImp21implementsHasInstanceEv
__ZNK3KJS4List2atEi
__ZNK3KJS4List8copyTailEv
__ZNK3KJS6JSCell9getNumberERd
__ZNK3KJS6JSCell9getNumberEv
__ZNK3KJS6JSCell9getStringERNS_7UStringE
__ZNK3KJS6JSCell9getStringEv
__ZNK3KJS6JSCell9getUInt32ERj
__ZNK3KJS7JSValue7toInt32EPNS_9ExecStateE
__ZNK3KJS7JSValue7toInt32EPNS_9ExecStateERb
__ZNK3KJS7JSValue8toUInt32EPNS_9ExecStateE
__ZNK3KJS7JSValue8toUInt32EPNS_9ExecStateERb
__ZNK3KJS7JSValue9toIntegerEPNS_9ExecStateE
__ZNK3KJS7UString10UTF8StringEv
__ZNK3KJS7UString14toStrictUInt32EPb
__ZNK3KJS7UString5asciiEv
__ZNK3KJS7UString6is8BitEv
__ZNK3KJS7UString8toUInt32EPb
__ZNK3KJS8Bindings10RootObject11interpreterEv
__ZNK3KJS8JSObject11hasPropertyEPNS_9ExecStateERKNS_10IdentifierE
__ZNK3KJS8JSObject12defaultValueEPNS_9ExecStateENS_6JSTypeE
__ZNK3KJS8JSObject14implementsCallEv
__ZNK3KJS8JSObject19implementsConstructEv
__ZNK3KJS8JSObject21implementsHasInstanceEv
__ZNK3KJS8JSObject3getEPNS_9ExecStateERKNS_10IdentifierE
__ZNK3KJS8JSObject3getEPNS_9ExecStateEj
__ZNK3KJS8JSObject4typeEv
__ZNK3KJS8JSObject6canPutEPNS_9ExecStateERKNS_10IdentifierE
__ZNK3KJS8JSObject8toNumberEPNS_9ExecStateE
__ZNK3KJS8JSObject8toObjectEPNS_9ExecStateE
__ZNK3KJS8JSObject8toStringEPNS_9ExecStateE
__ZNK3KJS8JSObject9classInfoEv
__ZNK3KJS8JSObject9classNameEv
__ZNK3KJS8JSObject9toBooleanEPNS_9ExecStateE
__ZNK3KJS9ExecState18lexicalInterpreterEv
__ZTVN3KJS14StringInstanceE
__ZTVN3KJS15JSWrapperObjectE
__ZTVN3KJS19InternalFunctionImpE
__ZTVN3KJS6JSCellE
__ZTVN3KJS8JSObjectE
_kJSClassDefinitionEmpty
_kjs_pcre_compile
_kjs_pcre_exec
_kjs_pcre_free
_kjs_pcre_free_substring
_kjs_pcre_get_substring
_kjs_strtod