Changeset 47022 in webkit for trunk/JavaScriptCore/runtime/JSCell.h

Timestamp:

Aug 10, 2009, 9:35:02 PM (16 years ago)

Author:

[email protected]

Message:

Stack overflow crash in JavaScript garbage collector mark pass
​https://bugs.webkit.org/show_bug.cgi?id=12216

Reviewed by Gavin Barraclough and Sam Weinig

Make the GC mark phase iterative by using an explicit mark stack.
To do this marking any single object is performed in multiple stages

• The object is appended to the MarkStack, this sets the marked bit for the object using the new markDirect() function, and then returns
• When the MarkStack is drain()ed the object is popped off the stack and markChildren(MarkStack&) is called on the object to collect all of its children. drain() then repeats until the stack is empty.

Additionally I renamed a number of methods from 'mark' to 'markAggregate'
in order to make it more clear that marking of those object was not
going to result in an actual recursive mark.

File:

• trunk/JavaScriptCore/runtime/JSCell.h (modified) (6 diffs)

trunk/JavaScriptCore/runtime/JSCell.h

@@ -2 +2 @@
  *  Copyright (C) 1999-2001 Harri Porten ([email protected])
  *  Copyright (C) 2001 Peter Kelly ([email protected])
- *  Copyright (C) 2003, 2004, 2005, 2007, 2008 Apple Inc. All rights reserved.
+ *  Copyright (C) 2003, 2004, 2005, 2007, 2008, 2009 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
@@ -86 +86 @@
         void* operator new(size_t, JSGlobalData*);
         void* operator new(size_t, void* placementNewDestination) { return placementNewDestination; }
-        virtual void mark();
+
+        void markCellDirect();
+        virtual void markChildren(MarkStack&);
         bool marked() const;
 
@@ -154 +156 @@
     }
 
-    inline void JSCell::mark()
-    {
-        return Heap::markCell(this);
+    inline void JSCell::markCellDirect()
+    {
+        Heap::markCell(this);
+    }
+
+    inline void JSCell::markChildren(MarkStack&)
+    {
+        ASSERT(marked());
     }
 
@@ -225 +232 @@
     }
 
-    inline void JSValue::mark()
-    {
-        asCell()->mark(); // callers should check !marked() before calling mark(), so this should only be called with cells
+    inline void JSValue::markDirect()
+    {
+        ASSERT(!marked());
+        asCell()->markCellDirect();
+    }
+
+    inline void JSValue::markChildren(MarkStack& markStack)
+    {
+        ASSERT(marked());
+        asCell()->markChildren(markStack);
     }
 
@@ -340 +354 @@
         return JSValue();
     }
+    
+    inline bool JSValue::hasChildren() const
+    {
+        return asCell()->structure()->typeInfo().type() >= CompoundType;
+    }
+    
 
     inline JSObject* JSValue::toObject(ExecState* exec) const
@@ -351 +371 @@
     }
 
+    ALWAYS_INLINE void MarkStack::append(JSCell* cell)
+    {
+        ASSERT(cell);
+        if (cell->marked())
+            return;
+        cell->markCellDirect();
+        if (cell->structure()->typeInfo().type() >= CompoundType)
+            m_values.append(cell);
+    }
+
+    inline void MarkStack::drain() {
+        while (!m_markSets.isEmpty() || !m_values.isEmpty()) {
+            while ((!m_markSets.isEmpty()) && m_values.size() < 50) {
+                const MarkSet& current = m_markSets.removeLast();
+                JSValue* ptr = current.m_values;
+                JSValue* end = current.m_end;
+                if (current.m_properties == NoNullValues) {
+                    while (ptr != end)
+                        append(*ptr++);
+                } else {
+                    while (ptr != end) {
+                        if (JSValue value = *ptr++)
+                            append(value);
+                    }
+                }
+            }
+            while (!m_values.isEmpty()) {
+                JSCell* current = m_values.removeLast();
+                ASSERT(current->marked());
+                current->markChildren(*this);
+            }
+        }
+    }
 } // namespace JSC