[webkit-changes] [WebKit/WebKit] 3e43b2: [JSC] Various improvements to the aboutToMarkSlow ...
Dan Hecht
noreply at github.com
Sat Nov 16 09:56:49 PST 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3e43b2b32ed3788fd6c0b16a527373ca8b890edc
https://github.com/WebKit/WebKit/commit/3e43b2b32ed3788fd6c0b16a527373ca8b890edc
Author: Dan Hecht <dan.hecht at apple.com>
Date: 2024-11-16 (Sat, 16 Nov 2024)
Changed paths:
M Source/JavaScriptCore/heap/BlockDirectory.cpp
M Source/JavaScriptCore/heap/BlockDirectory.h
M Source/JavaScriptCore/heap/MarkedBlock.cpp
M Source/JavaScriptCore/heap/MarkedBlock.h
M Source/JavaScriptCore/heap/MarkedSpace.cpp
M Source/JavaScriptCore/heap/MarkedSpace.h
M Source/JavaScriptCore/runtime/OptionsList.h
Log Message:
-----------
[JSC] Various improvements to the aboutToMarkSlow instrumentation
https://bugs.webkit.org/show_bug.cgi?id=283176
rdar://139971430
Reviewed by Mark Lam.
The MarkedBlock::Header::m_lock field sits at offset 24.
dumpInfoAndCrashForInvalidHandleV2() is always called with this
lock held, and so regardless of whether 'm_lock' was corrupted with
a zero, it will always be non-zero by the time the instrumentation reads it.
So that we can get a better guess at how many contiguous bytes
from the start of the MarkedBlock are corrupted with zeros, treat the bytes
occupied by m_lock as zeros when scanning for zeros.
In other words, we don't know what value these bytes were corrupted with,
so assume they were corrupted with zero so that the scan for zeros continues.

Also count the total number of zeros in the MarkedBlock (which is
the same as a page on Darwin) to get an overall view into the state
of the page, to account for the fact that there could be other
locations on the page that may have been written after the corruption
occurs.

Improve the use of WTF::setCrashLogMessage(). That function saves
only the last message, so send the same message on each invocation
but with additional known details filled in. Then, include
the source code line number so that the message can be interpreted
properly.

Record the first 8 bytes of the HeapCell rather than just the type.

Remove the code that tries to save values to registers in the middle
of the instrumentation. It doesn't work in practice since a crash
would be more likely to occur after running non-trivial code, which
will likely clobber the registers anyway.

Add some testing code for the various instrumentation paths
(disabled at compile time).
* Source/JavaScriptCore/heap/MarkedBlock.cpp:
(JSC::MarkedBlock::setupTestForDumpInfoAndCrash):
(JSC::MarkedBlock::aboutToMarkSlow):
(JSC::MarkedBlock::dumpInfoAndCrashForInvalidHandleV2):
(JSC::MarkedBlock::dumpInfoAndCrashForInvalidHandle): Deleted.
* Source/JavaScriptCore/heap/MarkedBlock.h:
(JSC::MarkedBlock::setupTestForDumpInfoAndCrash):
* Source/JavaScriptCore/runtime/OptionsList.h:
Canonical link: https://commits.webkit.org/286689@main
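The scan described in the commit message, written out as an added illustration rather than the commit's own code (the page shows only the log message, not the diff). It assumes a MarkedBlock is one 4 KiB page viewed as raw bytes and that the lock occupies a single byte at offset 24; the commit states only the offset, so the size and the sample block contents are constructed here. The point it makes visible is why the lock bytes must be treated as zero: once the instrumentation has acquired the lock, a naive scan stops at offset 24 and under-reports how far the zero-fill corruption reached.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Assumptions for this illustration (not taken from the commit): a
// MarkedBlock is one 4 KiB page, and m_lock is one byte at offset 24.
constexpr size_t kBlockSize = 4096;
constexpr size_t kLockOffset = 24;
constexpr size_t kLockSize = 1;

// Length of the contiguous run of zero bytes starting at offset 0.
// With treatLockAsZero set, bytes in [lockOffset, lockOffset + lockSize)
// count as zero: the lock is held while the crash path runs, so its live
// value says nothing about what the corruption originally wrote there.
size_t leadingZeroRun(const uint8_t* block, size_t size, size_t lockOffset,
                      size_t lockSize, bool treatLockAsZero)
{
    size_t run = 0;
    for (size_t i = 0; i < size; ++i) {
        bool inLock = i >= lockOffset && i < lockOffset + lockSize;
        if (block[i] != 0 && !(treatLockAsZero && inLock))
            break;
        ++run;
    }
    return run;
}

// Total zero bytes anywhere on the page, to give an overall view of its
// state independent of where the leading run ends.
size_t totalZeroBytes(const uint8_t* block, size_t size)
{
    size_t zeros = 0;
    for (size_t i = 0; i < size; ++i)
        zeros += block[i] == 0;
    return zeros;
}

// Constructed sample page: every byte non-zero, then the first 40 bytes
// zero-filled (simulated corruption), then the lock byte set to 1 by the
// instrumentation's own acquisition, plus three stray zeros elsewhere to
// stand in for later writes to other locations on the page.
std::array<uint8_t, kBlockSize> makeSampleBlock()
{
    std::array<uint8_t, kBlockSize> block {};
    for (size_t i = 0; i < kBlockSize; ++i)
        block[i] = static_cast<uint8_t>((i % 255) + 1);  // 1..255, never zero
    for (size_t i = 0; i < 40; ++i)
        block[i] = 0;                                    // corruption
    block[kLockOffset] = 1;                              // lock now held
    block[100] = block[200] = block[300] = 0;            // unrelated zeros
    return block;
}

struct ScanResult {
    size_t naiveRun;       // stops at the held lock
    size_t lockAwareRun;   // lock bytes treated as zero
    size_t totalZeros;
};

ScanResult scanSampleBlock()
{
    auto block = makeSampleBlock();
    return {
        leadingZeroRun(block.data(), block.size(), kLockOffset, kLockSize, false),
        leadingZeroRun(block.data(), block.size(), kLockOffset, kLockSize, true),
        totalZeroBytes(block.data(), block.size()),
    };
}

int main()
{
    ScanResult r = scanSampleBlock();
    std::printf("naive run: %zu, lock-aware run: %zu, total zeros: %zu\n",
                r.naiveRun, r.lockAwareRun, r.totalZeros);
    return 0;
}
```

On the constructed page the naive scan reports 24 zero bytes, the lock-aware scan reports the true 40, and the total count (42) exposes the three zeros that sit well outside the leading run.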