[webkit-reviews] review requested: [Bug 12216] Stack overflow crash in JavaScript garbage collector mark pass : [Attachment 17547] [4/4] JavaScriptCore:
bugzilla-daemon at webkit.org
Tue Nov 27 00:50:16 PST 2007
Maciej Stachowiak <mjs at apple.com> has asked for review:
Bug 12216: Stack overflow crash in JavaScript garbage collector mark pass
http://bugs.webkit.org/show_bug.cgi?id=12216
Attachment 17547: [4/4] JavaScriptCore:
http://bugs.webkit.org/attachment.cgi?id=17547&action=edit
------- Additional Comments from Maciej Stachowiak <mjs at apple.com>
Not reviewed.
Use a fixed-size mark stack so that we don't trigger huge
allocations when garbage collecting. In the unlikely case of
overflowing the mark stack, use a slow fallback path where we
crawl the whole heap, looking for objects with the mark bit set
and pushing their children.
This is a 0.2% SunSpider speedup (but in retrospect I'm not sure
the last patch was a speedup).
* kjs/JSLock.cpp:
(KJS::JSLock::registerThread):
* kjs/MarkStack.h:
(KJS::MarkStack::append):
(KJS::MarkStack::push):
(KJS::MarkStack::pushOneItemAndAdvance):
(KJS::MarkStack::advanceUntil126ItemsPushed):
(KJS::MarkStack::pushRange):
(KJS::MarkStack::pop):
(KJS::MarkStack::reset):
(KJS::MarkStack::size):
(KJS::MarkStack::overflowed):
* kjs/collector.cpp:
(KJS::):
(KJS::initializeRegisteredThreadKey):
(KJS::Collector::registerThread):
(KJS::slowFallbackMarkIfNeeded):
(KJS::Collector::collect):
LayoutTests:
Not reviewed.
- Test case that hits the worst case of range stack marking, to ensure
that the slow fallback path has coverage.
* fast/js/gc-pathological-expected.txt: Added.
* fast/js/gc-pathological.html: Added.
* fast/js/resources/gc-pathological.js: Added.
---
JavaScriptCore/ChangeLog | 32 +++++++++++
JavaScriptCore/kjs/JSLock.cpp | 14 ++---
JavaScriptCore/kjs/MarkStack.h | 46 +++++++++++-----
JavaScriptCore/kjs/collector.cpp | 64 +++++++++++++++++++---
LayoutTests/ChangeLog | 11 ++++
LayoutTests/fast/js/gc-pathological-expected.txt | 9 +++
LayoutTests/fast/js/gc-pathological.html | 13 +++++
LayoutTests/fast/js/resources/gc-pathological.js | 25 +++++++++
8 files changed, 183 insertions(+), 31 deletions(-)
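The patch above replaces a growable mark stack with a fixed-size one and a slow fallback that crawls the heap for already-marked objects when the stack overflows. The following is an added illustration of that scheme on a toy object graph; it is not code from the attachment or from JavaScriptCore, and every name in it (`Cell`, `Heap`, `MarkStack`, `mark`, `runPathologicalCase`) is hypothetical. The mark stack refuses to grow, records the overflow, and the collector repeats a whole-heap crawl until a full pass completes without overflow, which is what guarantees every reachable cell is marked even when the stack is far too small for the graph.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Toy heap cell (hypothetical; not JavaScriptCore's JSCell).
struct Cell {
    bool marked = false;
    std::vector<Cell*> children;
};

// Fixed-capacity mark stack. On overflow it drops the item and sets a flag
// instead of reallocating a larger buffer during garbage collection.
class MarkStack {
public:
    explicit MarkStack(size_t capacity) : m_capacity(capacity) { m_items.reserve(capacity); }
    bool push(Cell* cell) {
        if (m_items.size() >= m_capacity) { m_overflowed = true; return false; }
        m_items.push_back(cell);
        return true;
    }
    Cell* pop() { Cell* cell = m_items.back(); m_items.pop_back(); return cell; }
    bool empty() const { return m_items.empty(); }
    bool overflowed() const { return m_overflowed; }
    void reset() { m_items.clear(); m_overflowed = false; }
private:
    std::vector<Cell*> m_items;
    size_t m_capacity;
    bool m_overflowed = false;
};

// Toy heap: owns every cell so the fallback path can crawl all of them.
struct Heap {
    std::vector<std::unique_ptr<Cell>> cells;
    Cell* allocate() { cells.push_back(std::make_unique<Cell>()); return cells.back().get(); }
};

// Mark a cell and push it for traversal. If the push is dropped the cell
// stays marked, so a later heap crawl will find it and visit its children.
static void markAndPush(Cell* cell, MarkStack& stack) {
    if (cell->marked) return;
    cell->marked = true;
    stack.push(cell);
}

static void drain(MarkStack& stack) {
    while (!stack.empty()) {
        Cell* cell = stack.pop();
        for (Cell* child : cell->children) markAndPush(child, stack);
    }
}

struct MarkStats {
    size_t fallbackPasses = 0;  // how many whole-heap crawls were needed
    size_t marked = 0;          // cells marked at the end
};

// Fast path: mark from roots with the fixed stack. Slow fallback: while an
// overflow occurred, crawl the whole heap, push the children of every marked
// cell, and drain. Terminates because each pass either marks new cells or
// pushes nothing (every push is preceded by marking a fresh cell).
MarkStats mark(Heap& heap, const std::vector<Cell*>& roots, size_t stackCapacity) {
    MarkStack stack(stackCapacity);
    MarkStats stats;
    for (Cell* root : roots) markAndPush(root, stack);
    drain(stack);
    while (stack.overflowed()) {
        stack.reset();
        ++stats.fallbackPasses;
        for (auto& cell : heap.cells) {
            if (!cell->marked) continue;
            for (Cell* child : cell->children) markAndPush(child, stack);
            drain(stack);  // drain after each cell to keep the stack shallow
        }
    }
    for (auto& cell : heap.cells) if (cell->marked) ++stats.marked;
    return stats;
}

// Constructed pathological graph: one root with `width` children, each with
// one grandchild, plus one unreachable cell that must stay unmarked.
MarkStats runPathologicalCase(size_t width, size_t stackCapacity) {
    Heap heap;
    Cell* root = heap.allocate();
    for (size_t i = 0; i < width; ++i) {
        Cell* child = heap.allocate();
        Cell* grandchild = heap.allocate();
        child->children.push_back(grandchild);
        root->children.push_back(child);
    }
    heap.allocate();  // garbage: reachable from nothing
    return mark(heap, {root}, stackCapacity);
}
```

With a stack of 4 entries and 20 children, the first drain overflows, one fallback crawl finishes the job, and all 41 reachable cells end up marked while the garbage cell does not; with a large stack the fallback never runs, and even a zero-capacity stack terminates after two crawls.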