<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[242425] releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/242425">242425</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2019-03-05 00:43:55 -0800 (Tue, 05 Mar 2019)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/241849">r241849</a> - Add code to validate expected GC activity modelled by doesGC() against what the runtime encounters.
https://bugs.webkit.org/show_bug.cgi?id=193938
<rdar://problem/47616277>

Reviewed by Michael Saboff, Saam Barati, and Robin Morisset.

In DFG::SpeculativeJIT::compile() and FTL::LowerDFGToB3::compileNode(), before
emitting code / B3IR for each DFG node, we emit a write to set Heap::m_expectDoesGC
to the value returned by doesGC() for that node.  In the runtime (i.e. in allocateCell()
and functions that can resolve a rope), we assert that Heap::m_expectDoesGC is
true.

This validation code is currently only enabled for debug builds.  It is disabled
for release builds by default, but it can easily be made to run on release builds
as well by forcing ENABLE_DFG_DOES_GC_VALIDATION to 1 in Heap.h.

To allow this validation code to run on release builds as well, the validation uses
RELEASE_ASSERT instead of ASSERT.

To ensure that Heap.h is #include'd for all files that need to do this validation
(so that the validation code is accidentally disabled), we guard the validation
code with an if conditional on constexpr bool validateDFGDoesGC (instead of using
a #if ENABLE(DFG_DOES_GC_VALIDATION)).  This way, if Heap.h isn't #include'd, the
validation code will fail to build (no silent failures).

Currently, all JSC tests and Layout tests should pass with this validation enabled
in debug builds.  We'll only see new failures if there's a regression or if new
tests reveal a previously untested code path that has an undetected issue.

* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::executeOSRExit):
(JSC::DFG::OSRExit::compileExit):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub):
* heap/Heap.h:
(JSC::Heap::expectDoesGC const):
(JSC::Heap::setExpectDoesGC):
(JSC::Heap::addressOfExpectDoesGC):
* jit/JITArithmetic.cpp:
(JSC::JIT::emit_compareAndJump):
* runtime/JSCellInlines.h:
(JSC::tryAllocateCellHelper):
* runtime/JSString.h:
(JSC::jsSingleCharacterString):
(JSC::JSString::toAtomicString const):
(JSC::JSString::toExistingAtomicString const):
(JSC::JSString::value const):
(JSC::JSString::tryGetValue const):
(JSC::JSRopeString::unsafeView const):
(JSC::JSRopeString::viewWithUnderlyingString const):
(JSC::JSString::unsafeView const):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit224SourceJavaScriptCoreChangeLog">releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit224SourceJavaScriptCoredfgDFGOSRExitcpp">releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/dfg/DFGOSRExit.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit224SourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit224SourceJavaScriptCoreftlFTLLowerDFGToB3cpp">releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit224SourceJavaScriptCoreftlFTLOSRExitCompilercpp">releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit224SourceJavaScriptCoreheapHeaph">releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/heap/Heap.h</a></li>
<li><a href="#releasesWebKitGTKwebkit224SourceJavaScriptCorejitJITArithmeticcpp">releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/jit/JITArithmetic.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit224SourceJavaScriptCoreruntimeJSCellInlinesh">releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/runtime/JSCellInlines.h</a></li>
<li><a href="#releasesWebKitGTKwebkit224SourceJavaScriptCoreruntimeJSStringh">releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/runtime/JSString.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit224SourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/ChangeLog (242424 => 242425)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/ChangeLog   2019-03-05 08:43:49 UTC (rev 242424)
+++ releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/ChangeLog      2019-03-05 08:43:55 UTC (rev 242425)
</span><span class="lines">@@ -1,3 +1,61 @@
</span><ins>+2019-02-20  Mark Lam  <mark.lam@apple.com>
+
+        Add code to validate expected GC activity modelled by doesGC() against what the runtime encounters.
+        https://bugs.webkit.org/show_bug.cgi?id=193938
+        <rdar://problem/47616277>
+
+        Reviewed by Michael Saboff, Saam Barati, and Robin Morisset.
+
+        In DFG::SpeculativeJIT::compile() and FTL::LowerDFGToB3::compileNode(), before
+        emitting code / B3IR for each DFG node, we emit a write to set Heap::m_expectDoesGC
+        to the value returned by doesGC() for that node.  In the runtime (i.e. in allocateCell()
+        and functions that can resolve a rope), we assert that Heap::m_expectDoesGC is
+        true.
+
+        This validation code is currently only enabled for debug builds.  It is disabled
+        for release builds by default, but it can easily be made to run on release builds
+        as well by forcing ENABLE_DFG_DOES_GC_VALIDATION to 1 in Heap.h.
+
+        To allow this validation code to run on release builds as well, the validation uses
+        RELEASE_ASSERT instead of ASSERT.
+
+        To ensure that Heap.h is #include'd for all files that needs to do this validation
+        (so that the validation code is accidentally disabled), we guard the validation
+        code with an if conditional on constexpr bool validateDFGDoesGC (instead of using
+        a #if ENABLE(DFG_DOES_GC_VALIDATION)).  This way, if Heap.h isn't #include'd, the
+        validation code will fail to build (no silent failures).
+
+        Currently, all JSC tests and Layout tests should pass with this validation enabled
+        in debug builds.  We'll only see new failures if there's a regression or if new
+        tests reveal a previously untested code path that has an undetected issue.
+
+        * dfg/DFGOSRExit.cpp:
+        (JSC::DFG::OSRExit::executeOSRExit):
+        (JSC::DFG::OSRExit::compileExit):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        * ftl/FTLOSRExitCompiler.cpp:
+        (JSC::FTL::compileStub):
+        * heap/Heap.h:
+        (JSC::Heap::expectDoesGC const):
+        (JSC::Heap::setExpectDoesGC):
+        (JSC::Heap::addressOfExpectDoesGC):
+        * jit/JITArithmetic.cpp:
+        (JSC::JIT::emit_compareAndJump):
+        * runtime/JSCellInlines.h:
+        (JSC::tryAllocateCellHelper):
+        * runtime/JSString.h:
+        (JSC::jsSingleCharacterString):
+        (JSC::JSString::toAtomicString const):
+        (JSC::JSString::toExistingAtomicString const):
+        (JSC::JSString::value const):
+        (JSC::JSString::tryGetValue const):
+        (JSC::JSRopeString::unsafeView const):
+        (JSC::JSRopeString::viewWithUnderlyingString const):
+        (JSC::JSString::unsafeView const):
+
</ins><span class="cx"> 2019-02-18  Mark Lam  <mark.lam@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes.
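Review bot: the sentence "To ensure that Heap.h is #include'd for all files that needs to do this validation (so that the validation code is accidentally disabled)" in the new ChangeLog entry drops a negation and states the opposite of the intent; the next sentence ("if Heap.h isn't #include'd, the validation code will fail to build") shows it should read "so that the validation code isn't accidentally disabled", and "files that needs" should be "files that need".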
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224SourceJavaScriptCoredfgDFGOSRExitcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/dfg/DFGOSRExit.cpp (242424 => 242425)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/dfg/DFGOSRExit.cpp  2019-03-05 08:43:49 UTC (rev 242424)
+++ releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/dfg/DFGOSRExit.cpp     2019-03-05 08:43:55 UTC (rev 242425)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -338,6 +338,12 @@
</span><span class="cx">     ASSERT(&exec->vm() == &vm);
</span><span class="cx">     auto& cpu = context.cpu;
</span><span class="cx"> 
</span><ins>+    if (validateDFGDoesGC) {
+        // We're about to exit optimized code. So, there's no longer any optimized
+        // code running that expects no GC.
+        vm.heap.setExpectDoesGC(true);
+    }
+
</ins><span class="cx">     if (vm.callFrameForCatch) {
</span><span class="cx">         exec = vm.callFrameForCatch;
</span><span class="cx">         context.fp() = exec;
</span><span class="lines">@@ -1389,6 +1395,13 @@
</span><span class="cx">         }
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    if (validateDFGDoesGC) {
+        // We're about to exit optimized code. So, there's no longer any optimized
+        // code running that expects no GC. We need to set this before arguments
+        // materialization below (see emitRestoreArguments()).
+        jit.store8(CCallHelpers::TrustedImm32(true), vm.heap.addressOfExpectDoesGC());
+    }
+
</ins><span class="cx">     // Need to ensure that the stack pointer accounts for the worst-case stack usage at exit. This
</span><span class="cx">     // could toast some stack that the DFG used. We need to do it before storing to stack offsets
</span><span class="cx">     // used by baseline.
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224SourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (242424 => 242425)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2019-03-05 08:43:49 UTC (rev 242424)
+++ releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp    2019-03-05 08:43:55 UTC (rev 242425)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -33,6 +33,7 @@
</span><span class="cx"> #include "CallFrameShuffler.h"
</span><span class="cx"> #include "DFGAbstractInterpreterInlines.h"
</span><span class="cx"> #include "DFGCallArrayAllocatorSlowPathGenerator.h"
</span><ins>+#include "DFGDoesGC.h"
</ins><span class="cx"> #include "DFGOperations.h"
</span><span class="cx"> #include "DFGSlowPathGenerator.h"
</span><span class="cx"> #include "DirectArguments.h"
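Review bot: DFGDoesGC.h is pulled in only for the 64-bit SpeculativeJIT; the 32-bit SpeculativeJIT file is not among the modified paths, and it carries its own SpeculativeJIT::compile(Node*). On those builds nothing ever stores a per-node expectation, m_expectDoesGC stays at its initial true, and the RELEASE_ASSERTs added in this patch can never fire. Either add the same store to the 32-bit compile(Node*), or hoist it into the shared code that iterates the block's nodes and calls compile(node), so both back ends are covered by one copy.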
</span><span class="lines">@@ -1899,7 +1900,12 @@
</span><span class="cx"> void SpeculativeJIT::compile(Node* node)
</span><span class="cx"> {
</span><span class="cx">     NodeType op = node->op();
</span><del>-    
</del><ins>+
+    if (validateDFGDoesGC) {
+        bool expectDoesGC = doesGC(m_jit.graph(), node);
+        m_jit.store8(TrustedImm32(expectDoesGC), m_jit.vm()->heap.addressOfExpectDoesGC());
+    }
+
</ins><span class="cx"> #if ENABLE(DFG_REGISTER_ALLOCATION_VALIDATION)
</span><span class="cx">     m_jit.clearRegisterAllocationOffsets();
</span><span class="cx"> #endif
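Review bot: the per-node store leaves m_expectDoesGC holding the value written for the last node executed when optimized code returns normally; only the two OSR-exit paths in this patch reset it to true. If that last node reported doesGC() == false, an allocation made afterwards by the caller (baseline code, or a C++ operation that called into this function and allocates after it returns) trips the RELEASE_ASSERT in tryAllocateCellHelper even though no optimized code is running. Consider emitting a store of true on the return path, as compileExit does before materialization, and document that the flag is only meaningful between node-level stores.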
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224SourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (242424 => 242425)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp     2019-03-05 08:43:49 UTC (rev 242424)
+++ releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp        2019-03-05 08:43:55 UTC (rev 242425)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -43,6 +43,7 @@
</span><span class="cx"> #include "CodeBlockWithJITType.h"
</span><span class="cx"> #include "DFGAbstractInterpreterInlines.h"
</span><span class="cx"> #include "DFGCapabilities.h"
</span><ins>+#include "DFGDoesGC.h"
</ins><span class="cx"> #include "DFGDominators.h"
</span><span class="cx"> #include "DFGInPlaceAbstractState.h"
</span><span class="cx"> #include "DFGMayExit.h"
</span><span class="lines">@@ -525,7 +526,12 @@
</span><span class="cx">         
</span><span class="cx">         m_interpreter.startExecuting();
</span><span class="cx">         m_interpreter.executeKnownEdgeTypes(m_node);
</span><del>-        
</del><ins>+
+        if (validateDFGDoesGC) {
+            bool expectDoesGC = doesGC(m_graph, m_node);
+            m_out.store(m_out.constBool(expectDoesGC), m_out.absolute(vm().heap.addressOfExpectDoesGC()));
+        }
+
</ins><span class="cx">         switch (m_node->op()) {
</span><span class="cx">         case DFG::Upsilon:
</span><span class="cx">             compileUpsilon();
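Review bot: this store writes the Int32 produced by constBool with Output::store, while the DFG and OSR-exit hunks use store8 for the same bool field; unless Output::store narrows to the pointee's width, this emits a four-byte write into a one-byte member, and only the padding that follows m_expectDoesGC in Heap keeps it from clobbering the next field. Use store32As8 here so the store width matches the field and the other writers.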
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224SourceJavaScriptCoreftlFTLOSRExitCompilercpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp (242424 => 242425)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp  2019-03-05 08:43:49 UTC (rev 242424)
+++ releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp     2019-03-05 08:43:55 UTC (rev 242425)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -244,6 +244,13 @@
</span><span class="cx"> 
</span><span class="cx">     saveAllRegisters(jit, registerScratch);
</span><span class="cx">     
</span><ins>+    if (validateDFGDoesGC) {
+        // We're about to exit optimized code. So, there's no longer any optimized
+        // code running that expects no GC. We need to set this before object
+        // materialization below.
+        jit.store8(CCallHelpers::TrustedImm32(true), vm->heap.addressOfExpectDoesGC());
+    }
+
</ins><span class="cx">     // Bring the stack back into a sane form and assert that it's sane.
</span><span class="cx">     jit.popToRestore(GPRInfo::regT0);
</span><span class="cx">     jit.checkStackPointerAlignment();
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224SourceJavaScriptCoreheapHeaph"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/heap/Heap.h (242424 => 242425)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/heap/Heap.h 2019-03-05 08:43:49 UTC (rev 242424)
+++ releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/heap/Heap.h    2019-03-05 08:43:55 UTC (rev 242425)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> /*
</span><span class="cx">  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
</span><span class="cx">  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
</span><del>- *  Copyright (C) 2003-2017 Apple Inc. All rights reserved.
</del><ins>+ *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  *  This library is free software; you can redistribute it and/or
</span><span class="cx">  *  modify it under the terms of the GNU Lesser General Public
</span><span class="lines">@@ -95,6 +95,13 @@
</span><span class="cx"> class Worklist;
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+#if !ASSERT_DISABLED
+#define ENABLE_DFG_DOES_GC_VALIDATION 1
+#else
+#define ENABLE_DFG_DOES_GC_VALIDATION 0
+#endif
+constexpr bool validateDFGDoesGC = ENABLE_DFG_DOES_GC_VALIDATION;
+
</ins><span class="cx"> typedef HashCountedSet<JSCell*> ProtectCountSet;
</span><span class="cx"> typedef HashCountedSet<const char*> TypeCountSet;
</span><span class="cx"> 
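Review bot: ENABLE_DFG_DOES_GC_VALIDATION is defined unconditionally here, so a build that also sets it on the command line (the ChangeLog suggests forcing it to 1 to run the validation on release builds) gets a macro redefinition diagnostic instead of the override, and the only supported way to turn it on is editing this header. Wrap the block in #ifndef ENABLE_DFG_DOES_GC_VALIDATION, or define the default where the other ENABLE_* defaults live, so the flag can be set from the build without patching Heap.h.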
</span><span class="lines">@@ -294,6 +301,16 @@
</span><span class="cx">     unsigned barrierThreshold() const { return m_barrierThreshold; }
</span><span class="cx">     const unsigned* addressOfBarrierThreshold() const { return &m_barrierThreshold; }
</span><span class="cx"> 
</span><ins>+#if ENABLE(DFG_DOES_GC_VALIDATION)
+    bool expectDoesGC() const { return m_expectDoesGC; }
+    void setExpectDoesGC(bool value) { m_expectDoesGC = value; }
+    bool* addressOfExpectDoesGC() { return &m_expectDoesGC; }
+#else
+    bool expectDoesGC() const { UNREACHABLE_FOR_PLATFORM(); return true; }
+    void setExpectDoesGC(bool) { UNREACHABLE_FOR_PLATFORM(); }
+    bool* addressOfExpectDoesGC() { UNREACHABLE_FOR_PLATFORM(); return nullptr; }
+#endif
+
</ins><span class="cx">     // If true, the GC believes that the mutator is currently messing with the heap. We call this
</span><span class="cx">     // "having heap access". The GC may block if the mutator is in this state. If false, the GC may
</span><span class="cx">     // currently be doing things to the heap that make the heap unsafe to access for the mutator.
</span><span class="lines">@@ -581,6 +598,9 @@
</span><span class="cx">     Markable<CollectionScope, EnumMarkableTraits<CollectionScope>> m_collectionScope;
</span><span class="cx">     Markable<CollectionScope, EnumMarkableTraits<CollectionScope>> m_lastCollectionScope;
</span><span class="cx">     Lock m_raceMarkStackLock;
</span><ins>+#if ENABLE(DFG_DOES_GC_VALIDATION)
+    bool m_expectDoesGC { true };
+#endif
</ins><span class="cx"> 
</span><span class="cx">     StructureIDTable m_structureIDTable;
</span><span class="cx">     MarkedSpace m_objectSpace;
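Review bot: guarding the member itself with #if ENABLE(DFG_DOES_GC_VALIDATION) makes sizeof(Heap) and the offsets of every field after m_expectDoesGC depend on ASSERT_DISABLED. Since the cost is one byte, declare m_expectDoesGC unconditionally and keep only the accessors and the JIT writes conditional; that way a translation unit compiled with a different assertion setting cannot see a different Heap layout.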
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224SourceJavaScriptCorejitJITArithmeticcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/jit/JITArithmetic.cpp (242424 => 242425)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/jit/JITArithmetic.cpp       2019-03-05 08:43:49 UTC (rev 242424)
+++ releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/jit/JITArithmetic.cpp  2019-03-05 08:43:55 UTC (rev 242425)
</span><span class="lines">@@ -179,6 +179,7 @@
</span><span class="cx">     int op1 = bytecode.m_lhs.offset();
</span><span class="cx">     int op2 = bytecode.m_rhs.offset();
</span><span class="cx">     unsigned target = jumpTarget(instruction, bytecode.m_targetLabel);
</span><ins>+    bool disallowAllocation = false;
</ins><span class="cx">     if (isOperandConstantChar(op1)) {
</span><span class="cx">         emitGetVirtualRegister(op2, regT0);
</span><span class="cx">         addSlowCase(branchIfNotCell(regT0));
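Review bot: the local is named disallowAllocation but is passed to a parameter named allocationAllowed, so `disallowAllocation = false` here means "allocation is not allowed", which reads backwards at both call sites. Rename it allocationAllowed (value false), or better, replace the bool parameter with a named enum so the intent is visible at the call without consulting the declaration. A short comment that the operand passed isOperandConstantChar and is therefore never a rope would also explain why the RELEASE_ASSERT(!isRope()) inside tryGetValue cannot fire on this path.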
</span><span class="lines">@@ -185,7 +186,7 @@
</span><span class="cx">         JumpList failures;
</span><span class="cx">         emitLoadCharacterString(regT0, regT0, failures);
</span><span class="cx">         addSlowCase(failures);
</span><del>-        addJump(branch32(commute(condition), regT0, Imm32(asString(getConstantOperand(op1))->tryGetValue()[0])), target);
</del><ins>+        addJump(branch32(commute(condition), regT0, Imm32(asString(getConstantOperand(op1))->tryGetValue(disallowAllocation)[0])), target);
</ins><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx">     if (isOperandConstantChar(op2)) {
</span><span class="lines">@@ -194,7 +195,7 @@
</span><span class="cx">         JumpList failures;
</span><span class="cx">         emitLoadCharacterString(regT0, regT0, failures);
</span><span class="cx">         addSlowCase(failures);
</span><del>-        addJump(branch32(condition, regT0, Imm32(asString(getConstantOperand(op2))->tryGetValue()[0])), target);
</del><ins>+        addJump(branch32(condition, regT0, Imm32(asString(getConstantOperand(op2))->tryGetValue(disallowAllocation)[0])), target);
</ins><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx">     if (isOperandConstantInt(op2)) {
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224SourceJavaScriptCoreruntimeJSCellInlinesh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/runtime/JSCellInlines.h (242424 => 242425)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/runtime/JSCellInlines.h     2019-03-05 08:43:49 UTC (rev 242424)
+++ releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/runtime/JSCellInlines.h        2019-03-05 08:43:55 UTC (rev 242425)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012-2019 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -166,6 +166,9 @@
</span><span class="cx"> ALWAYS_INLINE void* tryAllocateCellHelper(Heap& heap, size_t size, GCDeferralContext* deferralContext, AllocationFailureMode failureMode)
</span><span class="cx"> {
</span><span class="cx">     VM& vm = *heap.vm();
</span><ins>+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(heap.expectDoesGC());
+
</ins><span class="cx">     ASSERT(deferralContext || !DisallowGC::isInEffectOnCurrentThread());
</span><span class="cx">     ASSERT(size >= sizeof(T));
</span><span class="cx">     JSCell* result = static_cast<JSCell*>(subspaceFor<T>(vm)->allocateNonVirtual(vm, size, deferralContext, failureMode));
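Review bot: RELEASE_ASSERT(heap.expectDoesGC()) fires with no indication of which DFG node last wrote false, so a failure in a build with the validation forced on yields only a crash inside the allocator. Recording the node index or opcode alongside the expectation when the JIT stores it, and surfacing it in the assertion, would make these reports actionable. A comment is also warranted on why this check precedes the DisallowGC assertion: it validates the compiler's doesGC() model, not the runtime's GC-deferral state, so a deferralContext does not excuse it.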
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit224SourceJavaScriptCoreruntimeJSStringh"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/runtime/JSString.h (242424 => 242425)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/runtime/JSString.h  2019-03-05 08:43:49 UTC (rev 242424)
+++ releases/WebKitGTK/webkit-2.24/Source/JavaScriptCore/runtime/JSString.h     2019-03-05 08:43:55 UTC (rev 242425)
</span><span class="lines">@@ -1,7 +1,7 @@
</span><span class="cx"> /*
</span><span class="cx">  *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
</span><span class="cx">  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
</span><del>- *  Copyright (C) 2003-2018 Apple Inc. All rights reserved.
</del><ins>+ *  Copyright (C) 2003-2019 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  *  This library is free software; you can redistribute it and/or
</span><span class="cx">  *  modify it under the terms of the GNU Library General Public
</span><span class="lines">@@ -163,7 +163,7 @@
</span><span class="cx"> 
</span><span class="cx">     inline bool equal(ExecState*, JSString* other) const;
</span><span class="cx">     const String& value(ExecState*) const;
</span><del>-    inline const String& tryGetValue() const;
</del><ins>+    inline const String& tryGetValue(bool allocationAllowed = true) const;
</ins><span class="cx">     const StringImpl* tryGetValueImpl() const;
</span><span class="cx">     ALWAYS_INLINE unsigned length() const { return m_length; }
</span><span class="cx"> 
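Review bot: the new allocationAllowed parameter has no comment stating its contract: passing false does not resolve the rope, it asserts via RELEASE_ASSERT(!isRope()) that the string is already resolved, and that assertion is active in release builds regardless of the validation flag. Document that here at the declaration, and consider an enum in place of the bool so call sites such as tryGetValue(disallowAllocation) read unambiguously.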
</span><span class="lines">@@ -515,6 +515,8 @@
</span><span class="cx"> 
</span><span class="cx"> ALWAYS_INLINE JSString* jsSingleCharacterString(VM* vm, UChar c)
</span><span class="cx"> {
</span><ins>+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(vm->heap.expectDoesGC());
</ins><span class="cx">     if (c <= maxSingleCharacterString)
</span><span class="cx">         return vm->smallStrings.singleCharacterString(c);
</span><span class="cx">     return JSString::create(*vm, StringImpl::create(&c, 1));
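Review bot: the RELEASE_ASSERT sits before the `c <= maxSingleCharacterString` fast path, which returns a preallocated small string without allocating, so every node that reaches this function must report doesGC() == true even when the character is known to be small. If that conservativeness is intended (the node cannot know c statically), say so in a comment; otherwise move the assertion below the fast path, next to the JSString::create call that actually allocates.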
</span><span class="lines">@@ -539,6 +541,8 @@
</span><span class="cx"> 
</span><span class="cx"> ALWAYS_INLINE AtomicString JSString::toAtomicString(ExecState* exec) const
</span><span class="cx"> {
</span><ins>+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(vm()->heap.expectDoesGC());
</ins><span class="cx">     if (isRope())
</span><span class="cx">         static_cast<const JSRopeString*>(this)->resolveRopeToAtomicString(exec);
</span><span class="cx">     return AtomicString(m_value);
</span><span class="lines">@@ -546,6 +550,8 @@
</span><span class="cx"> 
</span><span class="cx"> ALWAYS_INLINE RefPtr<AtomicStringImpl> JSString::toExistingAtomicString(ExecState* exec) const
</span><span class="cx"> {
</span><ins>+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(vm()->heap.expectDoesGC());
</ins><span class="cx">     if (isRope())
</span><span class="cx">         return static_cast<const JSRopeString*>(this)->resolveRopeToExistingAtomicString(exec);
</span><span class="cx">     if (m_value.impl()->isAtomic())
</span><span class="lines">@@ -555,17 +561,24 @@
</span><span class="cx"> 
</span><span class="cx"> inline const String& JSString::value(ExecState* exec) const
</span><span class="cx"> {
</span><ins>+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(vm()->heap.expectDoesGC());
</ins><span class="cx">     if (isRope())
</span><span class="cx">         static_cast<const JSRopeString*>(this)->resolveRope(exec);
</span><span class="cx">     return m_value;
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-inline const String& JSString::tryGetValue() const
</del><ins>+inline const String& JSString::tryGetValue(bool allocationAllowed) const
</ins><span class="cx"> {
</span><del>-    if (isRope()) {
-        // Pass nullptr for the ExecState so that resolveRope does not throw in the event of an OOM error.
-        static_cast<const JSRopeString*>(this)->resolveRope(nullptr);
-    }
</del><ins>+    if (allocationAllowed) {
+        if (validateDFGDoesGC)
+            RELEASE_ASSERT(vm()->heap.expectDoesGC());
+        if (isRope()) {
+            // Pass nullptr for the ExecState so that resolveRope does not throw in the event of an OOM error.
+            static_cast<const JSRopeString*>(this)->resolveRope(nullptr);
+        }
+    } else
+        RELEASE_ASSERT(!isRope());
</ins><span class="cx">     return m_value;
</span><span class="cx"> }
</span><span class="cx"> 
</span><span class="lines">@@ -739,6 +752,8 @@
</span><span class="cx"> 
</span><span class="cx"> ALWAYS_INLINE StringView JSRopeString::unsafeView(ExecState* exec) const
</span><span class="cx"> {
</span><ins>+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(vm()->heap.expectDoesGC());
</ins><span class="cx">     if (isSubstring()) {
</span><span class="cx">         if (is8Bit())
</span><span class="cx">             return StringView(substringBase()->m_value.characters8() + substringOffset(), length());
</span><span class="lines">@@ -750,6 +765,8 @@
</span><span class="cx"> 
</span><span class="cx"> ALWAYS_INLINE StringViewWithUnderlyingString JSRopeString::viewWithUnderlyingString(ExecState* exec) const
</span><span class="cx"> {
</span><ins>+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(vm()->heap.expectDoesGC());
</ins><span class="cx">     if (isSubstring()) {
</span><span class="cx">         auto& base = substringBase()->m_value;
</span><span class="cx">         if (is8Bit())
</span><span class="lines">@@ -762,6 +779,8 @@
</span><span class="cx"> 
</span><span class="cx"> ALWAYS_INLINE StringView JSString::unsafeView(ExecState* exec) const
</span><span class="cx"> {
</span><ins>+    if (validateDFGDoesGC)
+        RELEASE_ASSERT(vm()->heap.expectDoesGC());
</ins><span class="cx">     if (isRope())
</span><span class="cx">         return static_cast<const JSRopeString*>(this)->unsafeView(exec);
</span><span class="cx">     return m_value;
</span></span></pre>
</div>
</div>

</body>
</html>