Ignore:
Timestamp:
Nov 4, 2019, 3:57:34 PM (6 years ago)
Author:
[email protected]
Message:

Don't use memmove/memcpy/memset for memory that can be scanned concurrently
https://bugs.webkit.org/show_bug.cgi?id=203228
<rdar://problem/56401852>

Reviewed by Robin Morisset.

JSTests:

  • stress/torn-js-value-concurrent-collector.js: Added.

(foo):

Source/JavaScriptCore:

We had code inside various places of the runtime which would call into system
memcpy/memmove/memset when updating a live butterfly. This means that the
concurrent collector could be scanning such butterflies while a memcpy/memmove/memset
was running. Those functions don't guarantee anything about the minimum
alignment of the stores they do. And implementations for them frequently have
byte copy loops for low byte copy counts. This lead to us seeing torn JSValues
inside the concurrent collector during Array.prototype.splice. This patch
introduces new functions for doing memcpy/memmove/memset for data structures
which may be concurrently scanned. The loops are written using inline assembly
for gcc compatible compilers on 64 bit platforms. The inline assembly
ensures we never write to memory using instructions that store fewer
than 8 bytes. On other platforms, we just use a volatile pointer to
ensure the compiler doesn't turn the loop into a function call or a
series of stores which may be smaller than 8 bytes.

  • CMakeLists.txt:
  • JavaScriptCore.xcodeproj/project.pbxproj:
  • heap/GCMemoryOperations.h: Added.

(JSC::gcSafeMemcpy):
(JSC::gcSafeMemmove):
(JSC::gcSafeZeroMemory):

  • heap/Heap.h:
  • runtime/ArrayConventions.cpp:

(JSC::clearArrayMemset):

  • runtime/ArrayPrototype.cpp:

(JSC::copyElements):

  • runtime/ButterflyInlines.h:

(JSC::Butterfly::tryCreate):
(JSC::Butterfly::createOrGrowPropertyStorage):
(JSC::Butterfly::growArrayRight):
(JSC::Butterfly::reallocArrayRightIfPossible):
(JSC::Butterfly::resizeArray):
(JSC::Butterfly::unshift):
(JSC::Butterfly::shift):

  • runtime/JSArray.cpp:

(JSC::JSArray::unshiftCountSlowCase):
(JSC::JSArray::appendMemcpy):
(JSC::JSArray::fastSlice):
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::shiftCountWithAnyIndexingType):
(JSC::JSArray::unshiftCountWithArrayStorage):

  • runtime/JSObject.cpp:

(JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
(JSC::JSObject::convertFromCopyOnWrite):
(JSC::JSObject::shiftButterflyAfterFlattening):

  • runtime/JSObject.h:
  • runtime/RegExpMatchesArray.h:

(JSC::createRegExpMatchesArray):

  • runtime/Structure.cpp:

(JSC::Structure::flattenDictionaryStructure):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r252021 r252024  
     12019-11-04  Saam Barati  <[email protected]>
     2
     3        Don't use memmove/memcpy/memset for memory that can be scanned concurrently
     4        https://bugs.webkit.org/show_bug.cgi?id=203228
     5        <rdar://problem/56401852>
     6
     7        Reviewed by Robin Morisset.
     8
     9        We had code inside various places of the runtime which would call into system
     10        memcpy/memmove/memset when updating a live butterfly. This means that the
     11        concurrent collector could be scanning such butterflies while a memcpy/memmove/memset
     12        was running. Those functions don't guarantee anything about the minimum
     13        alignment of the stores they do. And implementations for them frequently have
     14        byte copy loops for low byte copy counts. This lead to us seeing torn JSValues
     15        inside the concurrent collector during Array.prototype.splice. This patch
     16        introduces new functions for doing memcpy/memmove/memset for data structures
     17        which may be concurrently scanned. The loops are written using inline assembly
     18        for gcc compatible compilers on 64 bit platforms. The inline assembly
     19        ensures we never write to memory using instructions that store fewer
     20        than 8 bytes. On other platforms, we just use a volatile pointer to
     21        ensure the compiler doesn't turn the loop into a function call or a
     22        series of stores which may be smaller than 8 bytes.
     23
     24        * CMakeLists.txt:
     25        * JavaScriptCore.xcodeproj/project.pbxproj:
     26        * heap/GCMemoryOperations.h: Added.
     27        (JSC::gcSafeMemcpy):
     28        (JSC::gcSafeMemmove):
     29        (JSC::gcSafeZeroMemory):
     30        * heap/Heap.h:
     31        * runtime/ArrayConventions.cpp:
     32        (JSC::clearArrayMemset):
     33        * runtime/ArrayPrototype.cpp:
     34        (JSC::copyElements):
     35        * runtime/ButterflyInlines.h:
     36        (JSC::Butterfly::tryCreate):
     37        (JSC::Butterfly::createOrGrowPropertyStorage):
     38        (JSC::Butterfly::growArrayRight):
     39        (JSC::Butterfly::reallocArrayRightIfPossible):
     40        (JSC::Butterfly::resizeArray):
     41        (JSC::Butterfly::unshift):
     42        (JSC::Butterfly::shift):
     43        * runtime/JSArray.cpp:
     44        (JSC::JSArray::unshiftCountSlowCase):
     45        (JSC::JSArray::appendMemcpy):
     46        (JSC::JSArray::fastSlice):
     47        (JSC::JSArray::shiftCountWithArrayStorage):
     48        (JSC::JSArray::shiftCountWithAnyIndexingType):
     49        (JSC::JSArray::unshiftCountWithArrayStorage):
     50        * runtime/JSObject.cpp:
     51        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
     52        (JSC::JSObject::convertFromCopyOnWrite):
     53        (JSC::JSObject::shiftButterflyAfterFlattening):
     54        * runtime/JSObject.h:
     55        * runtime/RegExpMatchesArray.h:
     56        (JSC::createRegExpMatchesArray):
     57        * runtime/Structure.cpp:
     58        (JSC::Structure::flattenDictionaryStructure):
     59
    1602019-11-04  Truitt Savell  <[email protected]>
    261
Note: See TracChangeset for help on using the changeset viewer.