Context Navigation

← Previous Change
Next Change →

ArrayAllocationProfile.cpp

Timestamp:

May 22, 2019, 6:22:33 PM (6 years ago)

Author:

Message:

[JSC] ArrayAllocationProfile should not access to butterfly in concurrent compiler
https://bugs.webkit.org/show_bug.cgi?id=197809

Reviewed by Michael Saboff.

JSTests:

stress/array-allocation-profile-should-not-update-itself-in-concurrent-compiler.js: Added.

(foo):

Source/JavaScriptCore:

ArrayAllocationProfile assumes that Butterfly can be accessed concurrently. But this is not correct now
since LargeAllocation Butterfly can be realloced. In this patch, we switch profiling array allocations
only in the main thread. This allocation profiling is repeatedly called in the main thread's slow path,
and it is also called when updating the profiles in the main thread.

We also rename updateAllPredictionsAndCountLiveness to updateAllValueProfilePredictionsAndCountLiveness
since it only cares ValueProfiles.

bytecode/ArrayAllocationProfile.cpp:

(JSC::ArrayAllocationProfile::updateProfile):

bytecode/ArrayAllocationProfile.h:

(JSC::ArrayAllocationProfile::selectIndexingTypeConcurrently):
(JSC::ArrayAllocationProfile::selectIndexingType):
(JSC::ArrayAllocationProfile::vectorLengthHintConcurrently):
(JSC::ArrayAllocationProfile::vectorLengthHint):

bytecode/CodeBlock.cpp:

(JSC::CodeBlock::updateAllValueProfilePredictionsAndCountLiveness):
(JSC::CodeBlock::updateAllValueProfilePredictions):
(JSC::CodeBlock::shouldOptimizeNow):
(JSC::CodeBlock::updateAllPredictionsAndCountLiveness): Deleted.

bytecode/CodeBlock.h:
dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

File:

: 1 edited

trunk/Source/JavaScriptCore/bytecode/ArrayAllocationProfile.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/bytecode/ArrayAllocationProfile.cpp

-              r232070
+              r245667
     //   be freed, since we require the GC to wait until all concurrent JITing
     //   finishes.
+    //
+    // But one exception is vector length. We access vector length to get the vector
+    // length hint. However vector length can be accessible only from the main
+    // thread because large butterfly can be realloced in the main thread.
+    // So for now, we update the allocation profile only from the main thread.
+    ASSERT(!isCompilationThread());
     JSArray* lastArray = m_lastArray;
     if (!lastArray)

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 245667 in webkit for trunk/Source/JavaScriptCore/bytecode/ArrayAllocationProfile.cpp

Legend:

trunk/Source/JavaScriptCore/bytecode/ArrayAllocationProfile.cpp

Download in other formats: