Changeset 295624 in webkit for trunk/Source/JavaScriptCore/heap


Timestamp:
Jun 16, 2022, 7:20:29 PM (3 years ago)
Author:
[email protected]
Message:

The extraMemorySize() gets wrong when transferring ArrayBuffer from Worker VM
https://bugs.webkit.org/show_bug.cgi?id=241559

Reviewed by Yusuke Suzuki.

When an ArrayBuffer is passed in the transfer option of postMessage(), the size cached in
heap.m_arrayBuffers gets incorrect and that makes extraMemorySize() bigger than the actual
managed size.

This patch adds code to reduce the size in GCIncomingRefCountedSet.m_bytes when an
ArrayBuffer is actually transferred from the VM.

Also, for verification, added simple check code in GCIncomingRefCountedSet.addReference
with a constexpr flag.

  • Source/JavaScriptCore/heap/GCIncomingRefCountedSet.h:
  • Source/JavaScriptCore/heap/GCIncomingRefCountedSetInlines.h:

(JSC::GCIncomingRefCountedSet<T>::sweep):
(JSC::GCIncomingRefCountedSet<T>::reduceSize):

  • Source/JavaScriptCore/heap/Heap.cpp:

(JSC::Heap::reduceArrayBufferSize):

  • Source/JavaScriptCore/heap/Heap.h:
  • Source/JavaScriptCore/runtime/ArrayBuffer.cpp:

(JSC::ArrayBuffer::transferTo):

Canonical link: https://commits.webkit.org/251629@main

Location:
trunk/Source/JavaScriptCore/heap
Files:
4 edited

  • trunk/Source/JavaScriptCore/heap/GCIncomingRefCountedSet.h

    r243467 r295624  
    4545   
    4646    size_t size() const { return m_bytes; };
     47    void reduceSize(size_t);
    4748   
    4849private:
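Review bot: the new `void reduceSize(size_t);` declaration carries no comment stating its precondition, namely that the argument must not exceed what has been accumulated into `m_bytes`; a one-line comment here would make that contract visible to callers such as the `ArrayBuffer::transferTo` path named in the commit message. For consistency with `reduceArrayBufferSize(size_t bytes)` in Heap.h, consider naming the parameter as well.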
  • trunk/Source/JavaScriptCore/heap/GCIncomingRefCountedSetInlines.h

    r243467 r295624  
    7373        m_vector.removeLast();
    7474    }
     75
     76    constexpr bool verify = false;
     77    if constexpr (verify) {
     78        CheckedSize size;
     79        for (size_t i = m_vector.size(); i--;) {
     80            T* object = m_vector[i];
     81            size += object->gcSizeEstimateInBytes();
     82        }
     83        ASSERT(m_bytes == size);
     84    }
     85}
     86
     87template<typename T>
     88void GCIncomingRefCountedSet<T>::reduceSize(size_t bytes)
     89{
     90    ASSERT(m_bytes >= bytes);
     91    m_bytes -= bytes;
    7592}
    7693
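Review bot: `reduceSize` guards the subtraction only with `ASSERT(m_bytes >= bytes)`, so in release builds a caller passing more than the accounted total would wrap `m_bytes` around and leave `size()`, and therefore `extraMemorySize()`, grossly over-reported, which is the same class of accounting error this patch sets out to fix; a `RELEASE_ASSERT` or a clamped subtraction would fail loudly instead. Separately, `constexpr bool verify = false;` makes the `if constexpr (verify)` block in `sweep` dead code even in debug builds, so `ASSERT(m_bytes == size)` never runs on bots; tying it to a debug-only macro would let it catch regressions. Note also that the commit message places this check in `addReference`, while the hunk adds it to `sweep`.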
  • trunk/Source/JavaScriptCore/heap/Heap.cpp

    r293710 r295624  
    660660}
    661661
     662void Heap::reduceArrayBufferSize(size_t bytes)
     663{
     664    m_arrayBuffers.reduceSize(bytes);
     665}
     666
    662667template<typename CellType, typename CellSet>
    663668void Heap::finalizeMarkedUnconditionalFinalizers(CellSet& cellSet)
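Review bot: `Heap::reduceArrayBufferSize` is a bare forwarder to `m_arrayBuffers.reduceSize(bytes)` with no comment on when it is meant to be called; since the commit message names `ArrayBuffer::transferTo` under runtime/ as the caller and that file is not part of this heap-directory view, a short comment naming the transfer path would let a reader of Heap.cpp see why the accounted size is reduced outside of `sweep`.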
  • trunk/Source/JavaScriptCore/heap/Heap.h

    r293637 r295624  
    440440   
    441441    void addReference(JSCell*, ArrayBuffer*);
     442    void reduceArrayBufferSize(size_t bytes);
    442443   
    443444    bool isDeferred() const { return !!m_deferralDepth; }
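Review bot: the declaration `void reduceArrayBufferSize(size_t bytes);` sits directly after `addReference(JSCell*, ArrayBuffer*)`, the call that grows the accounted size; a comment pairing the two (a transferred buffer counted once via `addReference` is subtracted exactly once here) would document the invariant that the new `verify` check in GCIncomingRefCountedSetInlines.h is meant to enforce.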