Changeset 51624 in webkit for trunk/JavaScriptCore/runtime

Timestamp:

Dec 2, 2009, 10:25:58 PM (15 years ago)

Author:

[email protected]

Message:

Add zombies to JSC
​https://bugs.webkit.org/show_bug.cgi?id=32103

Reviewed by Gavin Barraclough.

Add a compile time flag to make the JSC collector replace "unreachable"
objects with zombie objects. The zombie object is a JSCell subclass that
ASSERTs on any attempt to use the JSCell methods. In addition there are
a number of additional assertions in bottleneck code to catch zombie usage
as quickly as possible.

Grrr. Argh. Brains.

Location:

trunk/JavaScriptCore/runtime

Files:

• ArgList.h (modified) (2 diffs)
• Collector.cpp (modified) (6 diffs)
• Collector.h (modified) (1 diff)
• JSCell.h (modified) (3 diffs)
• JSValue.h (modified) (6 diffs)

trunk/JavaScriptCore/runtime/ArgList.h

@@ -105 +105 @@
         {
             ASSERT(!m_isReadOnly);
-            
+
+#if ENABLE(JSC_ZOMBIES)
+            ASSERT(!v.isZombie());
+#endif
+
             if (m_isUsingInlineBuffer && m_size < inlineCapacity) {
                 m_vector.uncheckedAppend(v);
@@ -188 +192 @@
             , m_argCount(argCount)
         {
+#if ENABLE(JSC_ZOMBIES)
+            for (size_t i = 0; i < argCount; i++)
+                ASSERT(!m_args[i].isZombie());
+#endif
         }
         

trunk/JavaScriptCore/runtime/Collector.cpp

@@ -33 +33 @@
 #include "JSString.h"
 #include "JSValue.h"
+#include "JSZombie.h"
 #include "MarkStack.h"
 #include "Nodes.h"
@@ -195 +196 @@
     sweep<PrimaryHeap>();
     // No need to sweep number heap, because the JSNumber destructor doesn't do anything.
-
+#if ENABLE(JSC_ZOMBIES)
+    ASSERT(primaryHeap.numLiveObjects == primaryHeap.numZombies);
+#else
     ASSERT(!primaryHeap.numLiveObjects);
-
+#endif
     freeBlocks(&primaryHeap);
     freeBlocks(&numberHeap);
@@ -1037 +1040 @@
                         if (cell->u.freeCell.zeroIfFree == 0)
                             continue;
-                        
+#if ENABLE(JSC_ZOMBIES)
+                        if (!imp->isZombie()) {
+                            const ClassInfo* info = imp->classInfo();
+                            imp->~JSCell();
+                            new (imp) JSZombie(info, JSZombie::leakedZombieStructure());
+                            heap.numZombies++;
+                        }
+#else
                         imp->~JSCell();
+#endif
                     }
-                    
+                    --numLiveObjects;
+#if !ENABLE(JSC_ZOMBIES)
                     --usedCells;
-                    --numLiveObjects;
                     
                     // put cell on the free list
@@ -1048 +1059 @@
                     cell->u.freeCell.next = freeList - (cell + 1);
                     freeList = cell;
+#endif
                 }
             }
@@ -1060 +1072 @@
                         if (heapType != NumberHeap) {
                             JSCell* imp = reinterpret_cast<JSCell*>(cell);
+#if ENABLE(JSC_ZOMBIES)
+                            if (!imp->isZombie()) {
+                                const ClassInfo* info = imp->classInfo();
+                                imp->~JSCell();
+                                new (imp) JSZombie(info, JSZombie::leakedZombieStructure());
+                                heap.numZombies++;
+                            }
+#else
                             imp->~JSCell();
+#endif
                         }
+#if !ENABLE(JSC_ZOMBIES)
                         --usedCells;
                         --numLiveObjects;
@@ -1069 +1091 @@
                         cell->u.freeCell.next = freeList - (cell + 1); 
                         freeList = cell;
+#endif
                     }
                 }

trunk/JavaScriptCore/runtime/Collector.h

@@ -61 +61 @@
         size_t numLiveObjectsAtLastCollect;
         size_t extraCost;
+#if ENABLE(JSC_ZOMBIES)
+        size_t numZombies;
+#endif
 
         OperationInProgress operationInProgress;

trunk/JavaScriptCore/runtime/JSCell.h

@@ -43 +43 @@
         friend class JSValue;
         friend class JSAPIValueWrapper;
+        friend class JSZombie;
         friend struct VPtrSet;
 
@@ -91 +92 @@
 
         virtual void markChildren(MarkStack&);
+#if ENABLE(JSC_ZOMBIES)
+        virtual bool isZombie() const { return false; }
+#endif
 
         // Object operations, with the toObject operation included.
@@ -343 +347 @@
         return cellBlock(c)->heap;
     }
-
+    
+#if ENABLE(JSC_ZOMBIES)
+    inline bool JSValue::isZombie() const
+    {
+        return isCell() && asCell() && asCell()->isZombie();
+    }
+#endif
 } // namespace JSC
 

trunk/JavaScriptCore/runtime/JSValue.h

@@ -169 +169 @@
         uint32_t toUInt32(ExecState*, bool& ok) const;
 
+#if ENABLE(JSC_ZOMBIES)
+        bool isZombie() const;
+#endif
+
         // Floating point conversions (this is a convenience method for webcore;
         // signle precision float is not a representation used in JS or JSC).
@@ -439 +443 @@
         JSValue v;
         v.u.asEncodedJSValue = encodedJSValue;
+#if ENABLE(JSC_ZOMBIES)
+        ASSERT(!v.isZombie());
+#endif
         return v;
     }
@@ -485 +492 @@
             u.asBits.tag = EmptyValueTag;
         u.asBits.payload = reinterpret_cast<int32_t>(ptr);
+#if ENABLE(JSC_ZOMBIES)
+        ASSERT(!isZombie());
+#endif
     }
 
@@ -494 +504 @@
             u.asBits.tag = EmptyValueTag;
         u.asBits.payload = reinterpret_cast<int32_t>(const_cast<JSCell*>(ptr));
+#if ENABLE(JSC_ZOMBIES)
+        ASSERT(!isZombie());
+#endif
     }
 
@@ -794 +807 @@
         : m_ptr(ptr)
     {
+#if ENABLE(JSC_ZOMBIES)
+        ASSERT(!isZombie());
+#endif
     }
 
@@ -799 +815 @@
         : m_ptr(const_cast<JSCell*>(ptr))
     {
+#if ENABLE(JSC_ZOMBIES)
+        ASSERT(!isZombie());
+#endif
     }