Ignore:
Timestamp:
Jan 2, 2014, 2:57:14 PM (12 years ago)
Author:
[email protected]
Message:

Storing new CopiedSpace memory into a JSObject should fire a write barrier
https://bugs.webkit.org/show_bug.cgi?id=126025

Reviewed by Filip Pizlo.

Technically this is creating a pointer between a (potentially) old generation object and a young
generation chunk of memory, thus there needs to be a barrier.

  • JavaScriptCore.xcodeproj/project.pbxproj:
  • dfg/DFGOperations.cpp:
  • heap/CopyWriteBarrier.h: Added. This class functions similarly to the WriteBarrier class. It

acts as a proxy for pointers to CopiedSpace. Assignments to the field cause a write barrier to
fire for the object that is the owner of the CopiedSpace memory. This is to ensure during nursery
collections that objects with new backing stores are visited, even if they are old generation objects.
(JSC::CopyWriteBarrier::CopyWriteBarrier):
(JSC::CopyWriteBarrier::operator!):
(JSC::CopyWriteBarrier::operator UnspecifiedBoolType*):
(JSC::CopyWriteBarrier::get):
(JSC::CopyWriteBarrier::operator*):
(JSC::CopyWriteBarrier::operator->):
(JSC::CopyWriteBarrier::set):
(JSC::CopyWriteBarrier::setWithoutWriteBarrier):
(JSC::CopyWriteBarrier::clear):

  • heap/Heap.h:
  • runtime/JSArray.cpp:

(JSC::JSArray::unshiftCountSlowCase):
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::unshiftCountWithArrayStorage):

  • runtime/JSCell.h:

(JSC::JSCell::unvalidatedStructure):

  • runtime/JSGenericTypedArrayViewInlines.h:

(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):

  • runtime/JSObject.cpp:

(JSC::JSObject::copyButterfly):
(JSC::JSObject::getOwnPropertySlotByIndex):
(JSC::JSObject::putByIndex):
(JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::deletePropertyByIndex):
(JSC::JSObject::getOwnPropertyNames):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
(JSC::JSObject::countElements):
(JSC::JSObject::increaseVectorLength):
(JSC::JSObject::ensureLengthSlow):

  • runtime/JSObject.h:

(JSC::JSObject::butterfly):
(JSC::JSObject::setStructureAndButterfly):
(JSC::JSObject::setButterflyWithoutChangingStructure):
(JSC::JSObject::JSObject):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::putDirectWithoutTransition):

  • runtime/MapData.cpp:

(JSC::MapData::ensureSpaceForAppend):

  • runtime/Structure.cpp:

(JSC::Structure::materializePropertyMap):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/runtime/JSObject.cpp

    r161220 r161230  
    160160        }
    161161       
    162         m_butterfly = newButterfly;
     162        m_butterfly.setWithoutWriteBarrier(newButterfly);
    163163        visitor.didCopy(butterfly->base(preCapacity, propertyCapacity), capacityInBytes);
    164164    }
     
    284284    case ALL_INT32_INDEXING_TYPES:
    285285    case ALL_CONTIGUOUS_INDEXING_TYPES: {
    286         Butterfly* butterfly = thisObject->m_butterfly;
     286        Butterfly* butterfly = thisObject->butterfly();
    287287        if (i >= butterfly->vectorLength())
    288288            return false;
     
    298298       
    299299    case ALL_DOUBLE_INDEXING_TYPES: {
    300         Butterfly* butterfly = thisObject->m_butterfly;
     300        Butterfly* butterfly = thisObject->butterfly();
    301301        if (i >= butterfly->vectorLength())
    302302            return false;
     
    438438       
    439439    case ALL_CONTIGUOUS_INDEXING_TYPES: {
    440         Butterfly* butterfly = thisObject->m_butterfly;
     440        Butterfly* butterfly = thisObject->butterfly();
    441441        if (propertyName >= butterfly->vectorLength())
    442442            break;
     
    461461            return;
    462462        }
    463         Butterfly* butterfly = thisObject->m_butterfly;
     463        Butterfly* butterfly = thisObject->butterfly();
    464464        if (propertyName >= butterfly->vectorLength())
    465465            break;
     
    550550    Butterfly* newButterfly = storage->butterfly()->resizeArray(vm, this, structure(), 0, ArrayStorage::sizeFor(0));
    551551    RELEASE_ASSERT(newButterfly);
    552    
    553     m_butterfly = newButterfly;
    554552    newButterfly->arrayStorage()->m_indexBias = 0;
    555553    newButterfly->arrayStorage()->setVectorLength(0);
    556554    newButterfly->arrayStorage()->m_sparseMap.set(vm, this, map);
     555    setButterflyWithoutChangingStructure(vm, newButterfly);
    557556   
    558557    return newButterfly->arrayStorage();
     
    602601    unsigned vectorLength = std::max(length, BASE_VECTOR_LEN);
    603602    Butterfly* newButterfly = Butterfly::createOrGrowArrayRight(
    604         m_butterfly, vm, this, structure(), structure()->outOfLineCapacity(), false, 0,
     603        m_butterfly.get(), vm, this, structure(), structure()->outOfLineCapacity(), false, 0,
    605604        elementSize * vectorLength);
    606605    newButterfly->setPublicLength(length);
     
    653652    ASSERT_UNUSED(oldType, !hasIndexedProperties(oldType));
    654653    Butterfly* newButterfly = Butterfly::createOrGrowArrayRight(
    655         m_butterfly, vm, this, structure(), structure()->outOfLineCapacity(), false, 0,
     654        m_butterfly.get(), vm, this, structure(), structure()->outOfLineCapacity(), false, 0,
    656655        ArrayStorage::sizeFor(vectorLength));
    657656    RELEASE_ASSERT(newButterfly);
     
    12971296    case ALL_INT32_INDEXING_TYPES:
    12981297    case ALL_CONTIGUOUS_INDEXING_TYPES: {
    1299         Butterfly* butterfly = thisObject->m_butterfly;
     1298        Butterfly* butterfly = thisObject->butterfly();
    13001299        if (i >= butterfly->vectorLength())
    13011300            return true;
     
    13051304       
    13061305    case ALL_DOUBLE_INDEXING_TYPES: {
    1307         Butterfly* butterfly = thisObject->m_butterfly;
     1306        Butterfly* butterfly = thisObject->butterfly();
    13081307        if (i >= butterfly->vectorLength())
    13091308            return true;
     
    14811480    case ALL_INT32_INDEXING_TYPES:
    14821481    case ALL_CONTIGUOUS_INDEXING_TYPES: {
    1483         Butterfly* butterfly = object->m_butterfly;
     1482        Butterfly* butterfly = object->butterfly();
    14841483        unsigned usedLength = butterfly->publicLength();
    14851484        for (unsigned i = 0; i < usedLength; ++i) {
     
    14921491       
    14931492    case ALL_DOUBLE_INDEXING_TYPES: {
    1494         Butterfly* butterfly = object->m_butterfly;
     1493        Butterfly* butterfly = object->butterfly();
    14951494        unsigned usedLength = butterfly->publicLength();
    14961495        for (unsigned i = 0; i < usedLength; ++i) {
     
    18761875    if (i >= MAX_ARRAY_INDEX - 1
    18771876        || (i >= MIN_SPARSE_ARRAY_INDEX
    1878             && !isDenseEnoughForVector(i, countElements<indexingShape>(m_butterfly)))
     1877            && !isDenseEnoughForVector(i, countElements<indexingShape>(butterfly())))
    18791878        || indexIsSufficientlyBeyondLengthForSparseMap(i, m_butterfly->vectorLength())) {
    18801879        ASSERT(i <= MAX_ARRAY_INDEX);
     
    23132312       
    23142313    case ALL_INT32_INDEXING_TYPES:
    2315         return countElements<Int32Shape>(m_butterfly);
     2314        return countElements<Int32Shape>(butterfly());
    23162315       
    23172316    case ALL_DOUBLE_INDEXING_TYPES:
    2318         return countElements<DoubleShape>(m_butterfly);
     2317        return countElements<DoubleShape>(butterfly());
    23192318       
    23202319    case ALL_CONTIGUOUS_INDEXING_TYPES:
    2321         return countElements<ContiguousShape>(m_butterfly);
     2320        return countElements<ContiguousShape>(butterfly());
    23222321       
    23232322    default:
     
    23532352        if (!newButterfly)
    23542353            return false;
    2355         m_butterfly = newButterfly;
    23562354        newButterfly->arrayStorage()->setVectorLength(newVectorLength);
     2355        setButterflyWithoutChangingStructure(vm, newButterfly);
    23572356        return true;
    23582357    }
     
    23672366    if (!newButterfly)
    23682367        return false;
    2369    
    2370     m_butterfly = newButterfly;
    23712368    newButterfly->arrayStorage()->setVectorLength(newVectorLength);
    23722369    newButterfly->arrayStorage()->m_indexBias = newIndexBias;
     2370    setButterflyWithoutChangingStructure(vm, newButterfly);
    23732371    return true;
    23742372}
     
    23852383    unsigned oldVectorLength = m_butterfly->vectorLength();
    23862384    DeferGC deferGC(vm.heap);
    2387     m_butterfly = m_butterfly->growArrayRight(
     2385    m_butterfly.set(vm, this, m_butterfly->growArrayRight(
    23882386        vm, this, structure(), structure()->outOfLineCapacity(), true,
    23892387        oldVectorLength * sizeof(EncodedJSValue),
    2390         newVectorLength * sizeof(EncodedJSValue));
     2388        newVectorLength * sizeof(EncodedJSValue)));
     2389
     2390    m_butterfly->setVectorLength(newVectorLength);
     2391
    23912392    if (hasDouble(structure()->indexingType())) {
    23922393        for (unsigned i = oldVectorLength; i < newVectorLength; ++i)
    23932394            m_butterfly->contiguousDouble().data()[i] = QNaN;
    23942395    }
    2395     m_butterfly->setVectorLength(newVectorLength);
    23962396}
    23972397
Note: See TracChangeset for help on using the changeset viewer.