Changeset 295624 in webkit for trunk/Source/JavaScriptCore/heap/GCIncomingRefCountedSetInlines.h

Timestamp:

Jun 16, 2022, 7:20:29 PM (3 years ago)

Author:

[email protected]

Message:

The extraMemorySize() get wrong when transferring ArrayBuffer from Worker VM
​https://bugs.webkit.org/show_bug.cgi?id=241559

Reviewed by Yusuke Suzuki.

When ArrayBuffer is passed in the transfer option of postMessage(), the size cached in
heap.m_arrayBuffers get incorrect and that makes extraMemorySize() bigger than actual
managed size.

This patch added the code to reduce size from GCIncomingRefCountedSet.m_bytes when
ArrayBuffer is actually transferring from VM.

Also for verification, added a simple check code in GCIncomingRefCountedSet.addReference
with constexpr flag.

• Source/JavaScriptCore/heap/GCIncomingRefCountedSet.h:
• Source/JavaScriptCore/heap/GCIncomingRefCountedSetInlines.h:

(JSC::GCIncomingRefCountedSet<T>::sweep):
(JSC::GCIncomingRefCountedSet<T>::reduceSize):

• Source/JavaScriptCore/heap/Heap.cpp:

(JSC::Heap::reduceArrayBufferSize):

• Source/JavaScriptCore/heap/Heap.h:
• Source/JavaScriptCore/runtime/ArrayBuffer.cpp:

(JSC::ArrayBuffer::transferTo):

Canonical link: ​https://commits.webkit.org/251629@main

File:

• trunk/Source/JavaScriptCore/heap/GCIncomingRefCountedSetInlines.h (modified) (1 diff)

trunk/Source/JavaScriptCore/heap/GCIncomingRefCountedSetInlines.h

@@ -73 +73 @@
         m_vector.removeLast();
     }
+
+    constexpr bool verify = false;
+    if constexpr (verify) {
+        CheckedSize size;
+        for (size_t i = m_vector.size(); i--;) {
+            T* object = m_vector[i];
+            size += object->gcSizeEstimateInBytes();
+        }
+        ASSERT(m_bytes == size);
+    }
+}
+
+template<typename T>
+void GCIncomingRefCountedSet<T>::reduceSize(size_t bytes)
+{
+    ASSERT(m_bytes >= bytes);
+    m_bytes -= bytes;
 }