Ignore:
Timestamp:
Aug 1, 2019, 6:58:11 PM (6 years ago)
Author:
[email protected]
Message:

Add crash diagnostics for debugging unexpected zapped cells.
https://bugs.webkit.org/show_bug.cgi?id=200149
<rdar://problem/53570112>

Reviewed by Yusuke Suzuki.

Source/JavaScriptCore:

Add a check for zapped cells in SlotVisitor::appendToMarkStack() and
SlotVisitor::visitChildren(). If a zapped cell is detected, we will crash with
some diagnostic info.

To facilitate this, we've made the following changes:

  1. Changed FreeCell to preserve the 1st 8 bytes. This is fine to do because all cells are at least 16 bytes long.
  2. Changed HeapCell::zap() to only zap the structureID. Leave the rest of the cell header info intact (including the cell JSType).
  3. Changed HeapCell::zap() to record the reason for zapping the cell. We stash the reason immediately after the first 8 bytes. This is the same location as FreeCell::scrambledNext. However, since a cell is not expected to be zapped and on the free list at the same time, it is also fine to do this.
  4. Added a few utility functions to MarkedBlock for checking if a cell points into the block.
  5. Added VMInspector and JSDollarVM utilities to dump in-use subspace hashes.
  6. Added some comments to document the hashes of known subspaces.
  7. Added Options::dumpZappedCellCrashData() to make this check conditional. We use this option to disable this check for slower machines so that their PLT5 performance is not impacted.
  • assembler/CPU.cpp:

(JSC::hwL3CacheSize):
(JSC::hwPhysicalCPUMax):

  • assembler/CPU.h:

(JSC::hwL3CacheSize):
(JSC::hwPhysicalCPUMax):

  • heap/FreeList.h:

(JSC::FreeCell::offsetOfScrambledNext):

  • heap/HeapCell.h:

(JSC::HeapCell::zap):
(JSC::HeapCell::isZapped const):

  • heap/MarkedBlock.cpp:

(JSC::MarkedBlock::Handle::stopAllocating):

  • heap/MarkedBlock.h:

(JSC::MarkedBlock::Handle::start const):
(JSC::MarkedBlock::Handle::end const):
(JSC::MarkedBlock::Handle::contains const):

  • heap/MarkedBlockInlines.h:

(JSC::MarkedBlock::Handle::specializedSweep):

  • heap/MarkedSpace.h:

(JSC::MarkedSpace::forEachSubspace):

  • heap/SlotVisitor.cpp:

(JSC::SlotVisitor::appendToMarkStack):
(JSC::SlotVisitor::visitChildren):
(JSC::SlotVisitor::reportZappedCellAndCrash):

  • heap/SlotVisitor.h:
  • jit/AssemblyHelpers.cpp:

(JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):

  • runtime/Options.cpp:

(JSC::Options::initialize):

  • runtime/Options.h:
  • runtime/VM.cpp:

(JSC::VM::VM):

  • tools/JSDollarVM.cpp:

(JSC::functionDumpSubspaceHashes):
(JSC::JSDollarVM::finishCreation):

  • tools/VMInspector.cpp:

(JSC::VMInspector::dumpSubspaceHashes):

  • tools/VMInspector.h:

Source/WebCore:

No new tests because this is a feature for debugging crashes. It has been tested
manually by modifying the code to force a crash at the point of interest.

Added some comments to document the hashes of known subspaces.

  • bindings/js/WebCoreJSClientData.cpp:

(WebCore::JSVMClientData::JSVMClientData):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/heap/HeapCell.h

    r247900 r248143  
    11/*
    2  * Copyright (C) 2016-2018 Apple Inc. All rights reserved.
     2 * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    4848    HeapCell() { }
    4949   
    50     void zap() { *reinterpret_cast_ptr<uintptr_t**>(this) = 0; }
    51     bool isZapped() const { return !*reinterpret_cast_ptr<uintptr_t* const*>(this); }
     50    // We're intentionally only zapping the bits for the structureID and leaving
     51    // the rest of the cell header bits intact for crash analysis uses.
     52    enum ZapReason : int8_t { Unspecified, Destruction, StopAllocating };
     53    void zap(ZapReason reason)
     54    {
     55        uint32_t* cellWords = bitwise_cast<uint32_t*>(this);
     56        cellWords[0] = 0;
     57        // Leaving cellWords[1] alone for crash analysis if needed.
     58        cellWords[2] = reason;
     59    }
     60    bool isZapped() const { return !*bitwise_cast<const uint32_t*>(this); }
    5261
    5362    bool isLive();
Note: See TracChangeset for help on using the changeset viewer.