<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[181486] trunk/Source/JavaScriptCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/181486">181486</a></dd>
<dt>Author</dt> <dd>ggaren@apple.com</dd>
<dt>Date</dt> <dd>2015-03-13 13:14:39 -0700 (Fri, 13 Mar 2015)</dd>
</dl>

<h3>Log Message</h3>
<pre>Prohibit GC while sweeping
https://bugs.webkit.org/show_bug.cgi?id=142638

Reviewed by Andreas Kling.

I noticed in https://bugs.webkit.org/show_bug.cgi?id=142636 that a GC
could trigger a sweep which could trigger another GC. Yo Dawg.

I tried to figure out whether this could cause problems or not and it
made me cross-eyed.

(Some clients like to report extra memory cost during deallocation as a
way to indicate that the GC now owns something exclusively. It's
arguably a bug to communicate with the GC in this way, but we shouldn't
do crazy when this happens.)

This patch makes explicit the fact that we don't allow GC while sweeping.

Usually, sweeping implicitly defers GC by virtue of happening during
allocation. But not always.

* heap/Heap.cpp:
(JSC::Heap::collectAllGarbage): Defer GC while sweeping due to an
explicit GC request.

(JSC::Heap::didFinishCollection): Make sure that zombifying sweep
defers GC by not returning to the non-GC state until we're all done.

* heap/IncrementalSweeper.cpp:
(JSC::IncrementalSweeper::sweepNextBlock): Defer GC while sweeping due
to a timer.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapHeapcpp">trunk/Source/JavaScriptCore/heap/Heap.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapIncrementalSweepercpp">trunk/Source/JavaScriptCore/heap/IncrementalSweeper.cpp</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (181485 => 181486)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2015-03-13 20:04:29 UTC (rev 181485)
+++ trunk/Source/JavaScriptCore/ChangeLog        2015-03-13 20:14:39 UTC (rev 181486)
</span><span class="lines">@@ -1,3 +1,37 @@
</span><ins>+2015-03-12  Geoffrey Garen  &lt;ggaren@apple.com&gt;
+
+        Prohibit GC while sweeping
+        https://bugs.webkit.org/show_bug.cgi?id=142638
+
+        Reviewed by Andreas Kling.
+
+        I noticed in https://bugs.webkit.org/show_bug.cgi?id=142636 that a GC
+        could trigger a sweep which could trigger another GC. Yo Dawg.
+
+        I tried to figure out whether this could cause problems or not and it
+        made me cross-eyed.
+
+        (Some clients like to report extra memory cost during deallocation as a
+        way to indicate that the GC now owns something exclusively. It's
+        arguably a bug to communicate with the GC in this way, but we shouldn't
+        do crazy when this happens.)
+
+        This patch makes explicit the fact that we don't allow GC while sweeping.
+
+        Usually, sweeping implicitly defers GC by virtue of happening during
+        allocation. But not always.
+
+        * heap/Heap.cpp:
+        (JSC::Heap::collectAllGarbage): Defer GC while sweeping due to an
+        explicit GC request.
+
+        (JSC::Heap::didFinishCollection): Make sure that zombifying sweep
+        defers GC by not returning to the non-GC state until we're all done.
+
+        * heap/IncrementalSweeper.cpp:
+        (JSC::IncrementalSweeper::sweepNextBlock): Defer GC while sweeping due
+        to a timer.
+
</ins><span class="cx"> 2015-03-13  Mark Lam  &lt;mark.lam@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Replace TCSpinLock with a new WTF::SpinLock based on WTF::Atomic.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapHeapcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/Heap.cpp (181485 => 181486)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/Heap.cpp        2015-03-13 20:04:29 UTC (rev 181485)
+++ trunk/Source/JavaScriptCore/heap/Heap.cpp        2015-03-13 20:14:39 UTC (rev 181486)
</span><span class="lines">@@ -988,6 +988,8 @@
</span><span class="cx">     collect(FullCollection);
</span><span class="cx"> 
</span><span class="cx">     SamplingRegion samplingRegion(&quot;Garbage Collection: Sweeping&quot;);
</span><ins>+
+    DeferGCForAWhile deferGC(*this);
</ins><span class="cx">     m_objectSpace.sweep();
</span><span class="cx">     m_objectSpace.shrink();
</span><span class="cx"> }
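Review bot: the new DeferGCForAWhile deferGC(*this); ahead of m_objectSpace.sweep() has no comment
saying what it guards against, and the Modified Paths list only ChangeLog, Heap.cpp and
IncrementalSweeper.cpp, so no test covers the case. Suggest a one-line comment that code run by the
sweep may report extra memory cost and must not start a nested collection, plus a regression test
that reports extra cost during deallocation under collectAllGarbage.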
</span><span class="lines">@@ -1293,11 +1295,7 @@
</span><span class="cx"> 
</span><span class="cx">     if (Options::recordGCPauseTimes())
</span><span class="cx">         HeapStatistics::recordGCPauseTime(gcStartTime, gcEndTime);
</span><del>-    RELEASE_ASSERT(m_operationInProgress == EdenCollection || m_operationInProgress == FullCollection);
</del><span class="cx"> 
</span><del>-    m_operationInProgress = NoOperation;
-    JAVASCRIPTCORE_GC_END();
-
</del><span class="cx">     if (Options::useZombieMode())
</span><span class="cx">         zombifyDeadObjects();
</span><span class="cx"> 
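Review bot: with the m_operationInProgress = NoOperation; reset removed ahead of zombifyDeadObjects(),
the zombifying sweep is protected only by the collection state still being set, while the other two
sweep sites in this patch use DeferGCForAWhile. Nothing at the if (Options::useZombieMode()) call
site records that dependency, so a later cleanup could move the reset back up unnoticed; suggest a
comment there, or an explicit DeferGCForAWhile around the zombify call so all three sites use one
mechanism.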
</span><span class="lines">@@ -1309,6 +1307,10 @@
</span><span class="cx"> 
</span><span class="cx">     if (Options::logGC() == GCLogging::Verbose)
</span><span class="cx">         GCLogging::dumpObjectGraph(this);
</span><ins>+
+    RELEASE_ASSERT(m_operationInProgress == EdenCollection || m_operationInProgress == FullCollection);
+    m_operationInProgress = NoOperation;
+    JAVASCRIPTCORE_GC_END();
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void Heap::resumeCompilerThreads()
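Review bot: JAVASCRIPTCORE_GC_END(); now runs after zombifyDeadObjects() and after the verbose
GCLogging::dumpObjectGraph(this), so anything measuring up to that marker now includes zombie-mode
and logging work, while HeapStatistics::recordGCPauseTime(gcStartTime, gcEndTime) in the previous
hunk is unchanged. If only the assert and the state reset need to move, keep the end marker next to
the pause-time recording; otherwise mention the changed meaning in the ChangeLog. Please also confirm
that the lines between the two hunks, which are not shown here and now run with the collection state
still set, do not expect NoOperation.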
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapIncrementalSweepercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/IncrementalSweeper.cpp (181485 => 181486)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/IncrementalSweeper.cpp        2015-03-13 20:04:29 UTC (rev 181485)
+++ trunk/Source/JavaScriptCore/heap/IncrementalSweeper.cpp        2015-03-13 20:14:39 UTC (rev 181486)
</span><span class="lines">@@ -95,6 +95,7 @@
</span><span class="cx">         if (!block-&gt;needsSweeping())
</span><span class="cx">             continue;
</span><span class="cx"> 
</span><ins>+        DeferGCForAWhile deferGC(m_vm-&gt;heap);
</ins><span class="cx">         block-&gt;sweep();
</span><span class="cx">         m_vm-&gt;heap.objectSpace().freeOrShrinkBlock(block);
</span><span class="cx">         return;
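Review bot: DeferGCForAWhile deferGC(m_vm-&gt;heap); is declared in the loop body, so it stays in
effect through m_vm-&gt;heap.objectSpace().freeOrShrinkBlock(block) until the return, not only across
block-&gt;sweep(). If freeing or shrinking the block also needs GC deferred, say so in a comment;
otherwise put the guard and the sweep call in their own braces so the deferral ends with the sweep.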
</span></span></pre>
</div>
</div>

</body>
</html>