Changeset 94477 in webkit for trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

Timestamp:

Sep 2, 2011, 10:14:04 PM (14 years ago)

Author:

[email protected]

Message:

ValueProfile does not make it safe to introspect cell values
after garbage collection
​https://bugs.webkit.org/show_bug.cgi?id=67354

Reviewed by Gavin Barraclough.

ValueProfile buckets are now weak references, implemented using a
light-weight weak reference mechanism that this patch also adds (the
WeakReferenceHarvester). If a cell stored in a ValueProfile bucket
is not marked, then the bucket is transformed into a Structure
pointer. If the Structure is not marked either, then it is turned
into a ClassInfo pointer.

• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::visitAggregate):
(JSC::CodeBlock::visitWeakReferences):

• bytecode/CodeBlock.h:
• bytecode/ValueProfile.h:

(JSC::ValueProfile::ValueProfile):
(JSC::ValueProfile::classInfo):
(JSC::ValueProfile::numberOfInt32s):
(JSC::ValueProfile::numberOfDoubles):
(JSC::ValueProfile::numberOfCells):
(JSC::ValueProfile::numberOfArrays):
(JSC::ValueProfile::probabilityOfArray):
(JSC::ValueProfile::WeakBucket::WeakBucket):
(JSC::ValueProfile::WeakBucket::operator!):
(JSC::ValueProfile::WeakBucket::isEmpty):
(JSC::ValueProfile::WeakBucket::isClassInfo):
(JSC::ValueProfile::WeakBucket::isStructure):
(JSC::ValueProfile::WeakBucket::asStructure):
(JSC::ValueProfile::WeakBucket::asClassInfo):
(JSC::ValueProfile::WeakBucket::getClassInfo):

• heap/Heap.cpp:

(JSC::Heap::harvestWeakReferences):
(JSC::Heap::markRoots):

• heap/Heap.h:
• heap/MarkStack.cpp:

(JSC::SlotVisitor::drain):
(JSC::SlotVisitor::harvestWeakReferences):

• heap/MarkStack.h:

(JSC::MarkStack::addWeakReferenceHarvester):
(JSC::MarkStack::MarkStack):
(JSC::MarkStack::appendUnbarrieredPointer):

• heap/SlotVisitor.h:
• heap/WeakReferenceHarvester.h: Added.

(JSC::WeakReferenceHarvester::WeakReferenceHarvester):
(JSC::WeakReferenceHarvester::~WeakReferenceHarvester):

File:

• trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (3 diffs)

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

@@ -1434 +1434 @@
 {
 #if ENABLE(VERBOSE_VALUE_PROFILE)
-    printf("ValueProfile for %p:\n", this);
+    fprintf(stderr, "ValueProfile for %p:\n", this);
     for (unsigned i = 0; i < numberOfValueProfiles(); ++i) {
         ValueProfile* profile = valueProfile(i);
         if (profile->bytecodeOffset < 0) {
             ASSERT(profile->bytecodeOffset == -1);
-            printf("   arg = %u: ", i + 1);
+            fprintf(stderr, "   arg = %u: ", i + 1);
         } else
-            printf("   bc = %d: ", profile->bytecodeOffset);
-        printf("samples = %u, int32 = %u, double = %u, cell = %u\n",
-               profile->numberOfSamples(),
-               profile->probabilityOfInt32(),
-               profile->probabilityOfDouble(),
-               profile->probabilityOfCell());
+            fprintf(stderr, "   bc = %d: ", profile->bytecodeOffset);
+        fprintf(stderr,
+                "samples = %u, int32 = %u, double = %u, cell = %u, array = %u\n",
+                profile->numberOfSamples(),
+                profile->probabilityOfInt32(),
+                profile->probabilityOfDouble(),
+                profile->probabilityOfCell(),
+                profile->probabilityOfArray());
     }
 #endif
@@ -1516 +1518 @@
 void CodeBlock::visitAggregate(SlotVisitor& visitor)
 {
+    bool handleWeakReferences = false;
+    
     visitor.append(&m_globalObject);
     visitor.append(&m_ownerExecutable);
@@ -1563 +1567 @@
     }
 #endif
+
+#if ENABLE(VALUE_PROFILER)
+    for (unsigned profileIndex = 0; profileIndex < numberOfValueProfiles(); ++profileIndex) {
+        ValueProfile* profile = valueProfile(profileIndex);
+        
+        for (unsigned index = 0; index < ValueProfile::numberOfBuckets; ++index) {
+            if (!profile->buckets[index]) {
+                if (!!profile->weakBuckets[index])
+                    handleWeakReferences = true;
+                continue;
+            }
+            
+            if (!JSValue::decode(profile->buckets[index]).isCell()) {
+                profile->weakBuckets[index] = ValueProfile::WeakBucket();
+                continue;
+            }
+            
+            handleWeakReferences = true;
+        }
+    }
+#endif
+    
+    if (handleWeakReferences)
+        visitor.addWeakReferenceHarvester(this);
+}
+
+void CodeBlock::visitWeakReferences(SlotVisitor&)
+{
+#if ENABLE(VALUE_PROFILER)
+    for (unsigned profileIndex = 0; profileIndex < numberOfValueProfiles(); ++profileIndex) {
+        ValueProfile* profile = valueProfile(profileIndex);
+        
+        for (unsigned index = 0; index < ValueProfile::numberOfBuckets; ++index) {
+            if (!!profile->buckets[index]) {
+                JSValue value = JSValue::decode(profile->buckets[index]);
+                if (!value.isCell())
+                    continue;
+                
+                JSCell* cell = value.asCell();
+                if (Heap::isMarked(cell))
+                    continue;
+                
+                profile->buckets[index] = JSValue::encode(JSValue());
+                profile->weakBuckets[index] = cell->structure();
+            }
+            
+            ValueProfile::WeakBucket weak = profile->weakBuckets[index];
+            if (!weak || weak.isClassInfo())
+                continue;
+            
+            ASSERT(weak.isStructure());
+            if (Heap::isMarked(weak.asStructure()))
+                continue;
+            
+            profile->weakBuckets[index] = weak.asStructure()->classInfo();
+        }
+    }
+#endif
 }