Changeset 94477 in webkit for trunk/Source/JavaScriptCore/bytecode/ValueProfile.h

Timestamp:

Sep 2, 2011, 10:14:04 PM (14 years ago)

Author:

[email protected]

Message:

ValueProfile does not make it safe to introspect cell values
after garbage collection
​https://bugs.webkit.org/show_bug.cgi?id=67354

Reviewed by Gavin Barraclough.

ValueProfile buckets are now weak references, implemented using a
light-weight weak reference mechanism that this patch also adds (the
WeakReferenceHarvester). If a cell stored in a ValueProfile bucket
is not marked, then the bucket is transformed into a Structure
pointer. If the Structure is not marked either, then it is turned
into a ClassInfo pointer.

• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::~CodeBlock):
(JSC::CodeBlock::visitAggregate):
(JSC::CodeBlock::visitWeakReferences):

• bytecode/CodeBlock.h:
• bytecode/ValueProfile.h:

(JSC::ValueProfile::ValueProfile):
(JSC::ValueProfile::classInfo):
(JSC::ValueProfile::numberOfInt32s):
(JSC::ValueProfile::numberOfDoubles):
(JSC::ValueProfile::numberOfCells):
(JSC::ValueProfile::numberOfArrays):
(JSC::ValueProfile::probabilityOfArray):
(JSC::ValueProfile::WeakBucket::WeakBucket):
(JSC::ValueProfile::WeakBucket::operator!):
(JSC::ValueProfile::WeakBucket::isEmpty):
(JSC::ValueProfile::WeakBucket::isClassInfo):
(JSC::ValueProfile::WeakBucket::isStructure):
(JSC::ValueProfile::WeakBucket::asStructure):
(JSC::ValueProfile::WeakBucket::asClassInfo):
(JSC::ValueProfile::WeakBucket::getClassInfo):

• heap/Heap.cpp:

(JSC::Heap::harvestWeakReferences):
(JSC::Heap::markRoots):

• heap/Heap.h:
• heap/MarkStack.cpp:

(JSC::SlotVisitor::drain):
(JSC::SlotVisitor::harvestWeakReferences):

• heap/MarkStack.h:

(JSC::MarkStack::addWeakReferenceHarvester):
(JSC::MarkStack::MarkStack):
(JSC::MarkStack::appendUnbarrieredPointer):

• heap/SlotVisitor.h:
• heap/WeakReferenceHarvester.h: Added.

(JSC::WeakReferenceHarvester::WeakReferenceHarvester):
(JSC::WeakReferenceHarvester::~WeakReferenceHarvester):

File:

• trunk/Source/JavaScriptCore/bytecode/ValueProfile.h (modified) (7 diffs)

trunk/Source/JavaScriptCore/bytecode/ValueProfile.h

@@ -30 +30 @@
 #define ValueProfile_h
 
+#include "JSArray.h"
+#include "Structure.h"
 #include "WriteBarrier.h"
 
@@ -46 +48 @@
     {
         for (unsigned i = 0; i < numberOfBuckets; ++i)
-            buckets[i].setWithoutWriteBarrier(JSValue());
+            buckets[i] = JSValue::encode(JSValue());
+    }
+    
+    const ClassInfo* classInfo(unsigned bucket) const
+    {
+        if (!!buckets[bucket]) {
+            JSValue value = JSValue::decode(buckets[bucket]);
+            if (!value.isCell())
+                return 0;
+            return value.asCell()->structure()->classInfo();
+        }
+        return weakBuckets[bucket].getClassInfo();
     }
     
@@ -53 +66 @@
         unsigned result = 0;
         for (unsigned i = 0; i < numberOfBuckets; ++i) {
-            if (!!buckets[i])
+            if (!!buckets[i] || !!weakBuckets[i])
                 result++;
         }
@@ -70 +83 @@
         unsigned result = 0;
         for (unsigned i = 0; i < numberOfBuckets; ++i) {
-            if (!!buckets[i] && buckets[i].get().isInt32())
+            if (!!buckets[i] && JSValue::decode(buckets[i]).isInt32())
                 result++;
         }
@@ -80 +93 @@
         unsigned result = 0;
         for (unsigned i = 0; i < numberOfBuckets; ++i) {
-            if (!!buckets[i] && buckets[i].get().isDouble())
+            if (!!buckets[i] && JSValue::decode(buckets[i]).isDouble())
                 result++;
         }
@@ -90 +103 @@
         unsigned result = 0;
         for (unsigned i = 0; i < numberOfBuckets; ++i) {
-            if (!!buckets[i] && buckets[i].get().isCell())
+            if (!!classInfo(i))
+                result++;
+        }
+        return result;
+    }
+    
+    unsigned numberOfArrays() const
+    {
+        unsigned result = 0;
+        for (unsigned i = 0; i < numberOfBuckets; ++i) {
+            if (classInfo(i) == &JSArray::s_info)
                 result++;
         }
@@ -116 +139 @@
     }
     
+    unsigned probabilityOfArray() const
+    {
+        return computeProbability(numberOfArrays(), numberOfSamples());
+    }
+    
     int bytecodeOffset; // -1 for prologue
-    WriteBarrierBase<Unknown> buckets[numberOfBuckets];
+    EncodedJSValue buckets[numberOfBuckets];
+    
+    class WeakBucket {
+    public:
+        WeakBucket()
+            : m_value(0)
+        {
+        }
+        
+        WeakBucket(Structure* structure)
+            : m_value(reinterpret_cast<uintptr_t>(structure))
+        {
+        }
+        
+        WeakBucket(const ClassInfo* classInfo)
+            : m_value(reinterpret_cast<uintptr_t>(classInfo) | 1)
+        {
+        }
+        
+        bool operator!() const
+        {
+            return !m_value;
+        }
+        
+        bool isEmpty() const
+        {
+            return !m_value;
+        }
+        
+        bool isClassInfo() const
+        {
+            return !!(m_value & 1);
+        }
+        
+        bool isStructure() const
+        {
+            return !isEmpty() && !isClassInfo();
+        }
+        
+        Structure* asStructure() const
+        {
+            ASSERT(isStructure());
+            return reinterpret_cast<Structure*>(m_value);
+        }
+        
+        const ClassInfo* asClassInfo() const
+        {
+            ASSERT(isClassInfo());
+            return reinterpret_cast<ClassInfo*>(m_value & ~static_cast<uintptr_t>(1));
+        }
+        
+        const ClassInfo* getClassInfo() const
+        {
+            if (isEmpty())
+                return 0;
+            if (isClassInfo())
+                return asClassInfo();
+            return asStructure()->classInfo();
+        }
+        
+    private:
+        uintptr_t m_value;
+    };
+    
+    WeakBucket weakBuckets[numberOfBuckets]; // this is not covered by a write barrier because it is only set from GC
 };