[webkit-changes] [WebKit/WebKit] 5ae437: [JSC] Don't search the FreeList when firing a watc...

Dan Hecht noreply at github.com
Tue Sep 17 09:05:00 PDT 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 5ae437da2c04cd1be9827bf9a8a8863ef01c656a
      https://github.com/WebKit/WebKit/commit/5ae437da2c04cd1be9827bf9a8a8863ef01c656a
  Author: Dan Hecht <dan.hecht at apple.com>
  Date:   2024-09-17 (Tue, 17 Sep 2024)

  Changed paths:
    M Source/JavaScriptCore/bytecode/ChainedWatchpoint.h
    M Source/JavaScriptCore/bytecode/CodeBlockJettisoningWatchpoint.cpp
    M Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp
    M Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.cpp
    M Source/JavaScriptCore/dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp
    M Source/JavaScriptCore/dfg/DFGAdaptiveStructureWatchpoint.cpp
    M Source/JavaScriptCore/heap/BlockDirectory.cpp
    M Source/JavaScriptCore/heap/BlockDirectory.h
    M Source/JavaScriptCore/heap/FreeList.cpp
    M Source/JavaScriptCore/heap/FreeList.h
    M Source/JavaScriptCore/heap/HeapCell.cpp
    M Source/JavaScriptCore/heap/HeapCell.h
    M Source/JavaScriptCore/heap/LocalAllocator.cpp
    M Source/JavaScriptCore/heap/LocalAllocator.h
    M Source/JavaScriptCore/heap/MarkedBlock.cpp
    M Source/JavaScriptCore/heap/MarkedBlock.h
    M Source/JavaScriptCore/runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.cpp
    M Source/JavaScriptCore/runtime/ObjectAdaptiveStructureWatchpoint.h
    M Source/JavaScriptCore/runtime/ObjectPropertyChangeAdaptiveWatchpoint.h
    M Source/JavaScriptCore/runtime/StructureRareData.cpp
    M Source/JavaScriptCore/runtime/StructureRareDataInlines.h

  Log Message:
  -----------
  [JSC] Don't search the FreeList when firing a watchpoint
https://bugs.webkit.org/show_bug.cgi?id=181655
rdar://135961786

Reviewed by Yusuke Suzuki and Keith Miller.

Conceptually, a heap cell can be in one of three states:
(1) Live
(2) Pending destruction/sweeping
(3) Free

For MarkedBlocks that are freelisted, distinguishing between
states (1) & (3) requires searching the FreeList.

The watchpoint code was previously asking whether the watchpoint's
owner was (1) Live in order to know whether the watchpoint should
still fire, and so the freelist was searched to filter out state (3).

Instead, we can ask the question: is the cell in state (2)? This
question can be answered without searching the FreeList since a
FreeListed block never contains cells of state (2). And this is
sufficient for determining whether the watchpoint should fire.

This also makes the intent of the watchpoint code clearer since
it is asking a more specific question.

Regardless of which question was asked, it has to be the responsibility
of the caller (i.e. watchpoint/owner code) to manage the lifetime of
these objects properly, so we don't lose anything by reframing the
question, i.e. a caller (outside of the heap code) cannot be allowed to
pass in a cell in state (2) because it can't know whether the block
backing that cell has already been freed. The old isLive() check was
misleading in this regard.

* Source/JavaScriptCore/bytecode/ChainedWatchpoint.h:
(JSC::ChainedWatchpoint::fireInternal):
* Source/JavaScriptCore/bytecode/CodeBlockJettisoningWatchpoint.cpp:
(JSC::CodeBlockJettisoningWatchpoint::fireInternal):
* Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
* Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.cpp:
(JSC::StructureStubInfoClearingWatchpoint::fireInternal):
* Source/JavaScriptCore/dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
(JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::isValid const):
* Source/JavaScriptCore/dfg/DFGAdaptiveStructureWatchpoint.cpp:
(JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
* Source/JavaScriptCore/heap/BlockDirectory.cpp:
(JSC::BlockDirectory::isFreeListedCell): Deleted.
* Source/JavaScriptCore/heap/BlockDirectory.h:
* Source/JavaScriptCore/heap/FreeList.cpp:
(JSC::FreeList::contains const): Deleted.
* Source/JavaScriptCore/heap/FreeList.h:
* Source/JavaScriptCore/heap/HeapCell.cpp:
(JSC::HeapCell::isPendingDestruction):
(JSC::HeapCell::isLive): Deleted.
* Source/JavaScriptCore/heap/HeapCell.h:
* Source/JavaScriptCore/heap/LocalAllocator.cpp:
(JSC::LocalAllocator::isFreeListedCell const): Deleted.
* Source/JavaScriptCore/heap/LocalAllocator.h:
* Source/JavaScriptCore/heap/MarkedBlock.cpp:
(JSC::MarkedBlock::Handle::isFreeListedCell const): Deleted.
* Source/JavaScriptCore/heap/MarkedBlock.h:
* Source/JavaScriptCore/runtime/CachedSpecialPropertyAdaptiveStructureWatchpoint.cpp:
(JSC::CachedSpecialPropertyAdaptiveStructureWatchpoint::fireInternal):
* Source/JavaScriptCore/runtime/ObjectAdaptiveStructureWatchpoint.h:
(JSC::ObjectAdaptiveStructureWatchpoint::fireInternal):
* Source/JavaScriptCore/runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
* Source/JavaScriptCore/runtime/StructureRareData.cpp:
(JSC::CachedSpecialPropertyAdaptiveInferredPropertyValueWatchpoint::isValid const):
* Source/JavaScriptCore/runtime/StructureRareDataInlines.h:
(JSC::StructureChainInvalidationWatchpoint::fireInternal):

Canonical link: https://commits.webkit.org/283772@main
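The three-state reasoning in the commit message, as an added illustration that is not JavaScriptCore's own MarkedBlock, FreeList or HeapCell code: a hypothetical Block model (its per-cell mark bit, the mark/sweep/allocate steps and the watchpointShouldFire helper are assumptions made for this example) showing why a freelisted block can only hold Live or Free cells, so "is it pending destruction?" never needs the free-list scan that "is it live?" does.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Hypothetical block of n cells with one mark bit each (constructed model).
struct Block {
    std::vector<bool> marked;      // set by marking for reachable cells
    std::vector<size_t> freeList;  // built by sweep; valid only while isFreeListed
    bool isFreeListed = false;
    size_t freeListSteps = 0;      // free-list scan cost, the thing the commit removes

    explicit Block(size_t n) : marked(n, false) {}

    // Marking: reachable cells get the mark bit; every other cell (dead, or
    // already free) is now awaiting the sweep, i.e. state (2) in the commit.
    void mark(const std::vector<size_t>& reachable) {
        std::fill(marked.begin(), marked.end(), false);
        for (size_t i : reachable) marked[i] = true;
        isFreeListed = false;
        freeList.clear();
    }

    // Sweep: unmarked cells are destroyed and put on the free list. Afterwards
    // the block holds only Live (1) or Free (3) cells, never state (2).
    void sweep() {
        for (size_t i = 0; i < marked.size(); ++i)
            if (!marked[i]) freeList.push_back(i);
        isFreeListed = true;
    }

    // Allocation pops a Free cell; it is Live now but still unmarked, so in a
    // freelisted block the mark bit alone cannot separate (1) from (3).
    size_t allocate() { size_t i = freeList.back(); freeList.pop_back(); return i; }

    // Old question "is it live?": a freelisted block needs a free-list scan.
    bool isLive(size_t cell) {
        if (!isFreeListed) return marked[cell];
        for (size_t i : freeList) { ++freeListSteps; if (i == cell) return false; }
        return true;
    }

    // New question "is it pending destruction?": no scan, because a freelisted
    // block never contains such cells and an unswept block answers from the mark bit.
    bool isPendingDestruction(size_t cell) const { return !isFreeListed && !marked[cell]; }
};

// Watchpoint-style check as reframed by the commit: fire unless the owner is
// pending destruction. Callers must not pass a cell that is already Free.
bool watchpointShouldFire(const Block& b, size_t owner) { return !b.isPendingDestruction(owner); }
```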
