<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[189731] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/189731">189731</a></dd>
<dt>Author</dt> <dd>ggaren@apple.com</dd>
<dt>Date</dt> <dd>2015-09-14 09:09:20 -0700 (Mon, 14 Sep 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Eden GC should not try to jettison old CodeBlocks in the remembered set
https://bugs.webkit.org/show_bug.cgi?id=149108
Reviewed by Saam Barati.
All we know about objects in the remembered set is that they must be
visited. We don't know whether they're referenced or not because we
won't mark the objects that point to them.
Therefore, it's incorrect for a CodeBlock to consider jettisoning
itself when it's marked as a part of the remembered set: Some
old object might have visited the CodeBlock strongly if given the chance.
I believe this doesn't cause any problems currently because we happen
to visit all strong references to all CodeBlocks elligible for jettison
during every GC.
However, this behavior is a logical oddity that tripped me up, and I
believe it will start causing real problems once we start to jettison
baseline CodeBlocks, since we do not visit all strong references to all
baseline CodeBlocks during every GC.
* heap/CodeBlockSet.cpp:
(JSC::CodeBlockSet::clearMarksForEdenCollection):
(JSC::CodeBlockSet::traceMarked): Be sure to visit the remembered set
strongly, in order to prohibit jettisoning.
(JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
* heap/CodeBlockSet.h: Track the remembered set during eden GCs.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapCodeBlockSetcpp">trunk/Source/JavaScriptCore/heap/CodeBlockSet.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreheapCodeBlockSeth">trunk/Source/JavaScriptCore/heap/CodeBlockSet.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (189730 => 189731)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2015-09-14 13:59:52 UTC (rev 189730)
+++ trunk/Source/JavaScriptCore/ChangeLog 2015-09-14 16:09:20 UTC (rev 189731)
</span><span class="lines">@@ -1,3 +1,35 @@
</span><ins>+2015-09-13 Geoffrey Garen <ggaren@apple.com>
+
+ Eden GC should not try to jettison old CodeBlocks in the remembered set
+ https://bugs.webkit.org/show_bug.cgi?id=149108
+
+ Reviewed by Saam Barati.
+
+ All we know about objects in the remembered set is that they must be
+ visited. We don't know whether they're referenced or not because we
+ won't mark the objects that point to them.
+
+ Therefore, it's incorrect for a CodeBlock to consider jettisoning
+ itself when it's marked as a part of the remembered set: Some
+ old object might have visited the CodeBlock strongly if given the chance.
+
+ I believe this doesn't cause any problems currently because we happen
+ to visit all strong references to all CodeBlocks elligible for jettison
+ during every GC.
+
+ However, this behavior is a logical oddity that tripped me up, and I
+ believe it will start causing real problems once we start to jettison
+ baseline CodeBlocks, since we do not visit all strong references to all
+ baseline CodeBlocks during every GC.
+
+ * heap/CodeBlockSet.cpp:
+ (JSC::CodeBlockSet::clearMarksForEdenCollection):
+ (JSC::CodeBlockSet::traceMarked): Be sure to visit the remembered set
+ strongly, in order to prohibit jettisoning.
+
+ (JSC::CodeBlockSet::rememberCurrentlyExecutingCodeBlocks):
+ * heap/CodeBlockSet.h: Track the remembered set during eden GCs.
+
</ins><span class="cx"> 2015-09-11 Filip Pizlo <fpizlo@apple.com>
</span><span class="cx">
</span><span class="cx"> REGRESSION(r189585): run-perf-tests Speedometer fails with a console error
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapCodeBlockSetcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/CodeBlockSet.cpp (189730 => 189731)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/CodeBlockSet.cpp 2015-09-14 13:59:52 UTC (rev 189730)
+++ trunk/Source/JavaScriptCore/heap/CodeBlockSet.cpp 2015-09-14 16:09:20 UTC (rev 189731)
</span><span class="lines">@@ -80,6 +80,7 @@
</span><span class="cx"> continue;
</span><span class="cx"> executable->forEachCodeBlock([this](CodeBlock* codeBlock) {
</span><span class="cx"> codeBlock->clearMarks();
</span><ins>+ m_remembered.add(codeBlock);
</ins><span class="cx"> });
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="lines">@@ -131,8 +132,18 @@
</span><span class="cx"> {
</span><span class="cx"> if (verbose)
</span><span class="cx"> dataLog("Tracing ", m_currentlyExecuting.size(), " code blocks.\n");
</span><ins>+
+ // We strongly visit the currently executing set because jettisoning code
+ // is not valuable once it's on the stack. We're past the point where
+ // jettisoning would avoid the cost of OSR exit.
</ins><span class="cx"> for (const RefPtr<CodeBlock>& codeBlock : m_currentlyExecuting)
</span><span class="cx"> codeBlock->visitStrongly(visitor);
</span><ins>+
+ // We strongly visit the remembered set because jettisoning old code during
+ // Eden GC is unsound. There might be an old object with a strong reference
+ // to the code.
+ for (const RefPtr<CodeBlock>& codeBlock : m_remembered)
+ codeBlock->visitStrongly(visitor);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void CodeBlockSet::rememberCurrentlyExecutingCodeBlocks(Heap* heap)
</span><span class="lines">@@ -143,10 +154,10 @@
</span><span class="cx"> for (const RefPtr<CodeBlock>& codeBlock : m_currentlyExecuting)
</span><span class="cx"> heap->addToRememberedSet(codeBlock->ownerExecutable());
</span><span class="cx">
</span><del>- // It's safe to clear this RefPtr set because we won't delete the CodeBlocks
- // in it until the next GC, and we'll recompute m_currentlyExecuting at that
- // time.
</del><ins>+ // It's safe to clear these RefPtr sets because we won't delete the CodeBlocks
+ // in them until the next GC, and we'll recompute them at that time.
</ins><span class="cx"> m_currentlyExecuting.clear();
</span><ins>+ m_remembered.clear();
</ins><span class="cx"> #else
</span><span class="cx"> UNUSED_PARAM(heap);
</span><span class="cx"> #endif // ENABLE(GGC)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreheapCodeBlockSeth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/heap/CodeBlockSet.h (189730 => 189731)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/heap/CodeBlockSet.h 2015-09-14 13:59:52 UTC (rev 189730)
+++ trunk/Source/JavaScriptCore/heap/CodeBlockSet.h 2015-09-14 16:09:20 UTC (rev 189731)
</span><span class="lines">@@ -110,6 +110,7 @@
</span><span class="cx"> HashSet<CodeBlock*> m_oldCodeBlocks;
</span><span class="cx"> HashSet<CodeBlock*> m_newCodeBlocks;
</span><span class="cx"> HashSet<RefPtr<CodeBlock>> m_currentlyExecuting;
</span><ins>+ HashSet<RefPtr<CodeBlock>> m_remembered;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre>
</div>
</div>
</body>
</html>