[webkit-reviews] review requested: [Bug 12216] Stack overflow crash in JavaScript garbage collector mark pass : [Attachment 17553] [6/6] JavaScriptCore:

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Nov 27 01:22:02 PST 2007


Maciej Stachowiak <mjs at apple.com> has asked for review:
Bug 12216: Stack overflow crash in JavaScript garbage collector mark pass
http://bugs.webkit.org/show_bug.cgi?id=12216

Attachment 17553: [6/6] JavaScriptCore:
http://bugs.webkit.org/attachment.cgi?id=17553&action=edit

------- Additional Comments from Maciej Stachowiak <mjs at apple.com>

	Not reviewed.

	Use a fixed-size mark stack so that we don't trigger huge
	allocations when garbage collecting. In the unlikely case of
	overflowing the mark stack, use a slow fallback path where we
	crawl the whole heap, looking for objects with the mark bit set
	and pushing their children.

	This is a 0.2% SunSpider speedup (but in retrospect I'm not sure
	the last patch was a speedup).

	* kjs/JSLock.cpp:
	(KJS::JSLock::registerThread):
	* kjs/MarkStack.h:
	(KJS::MarkStack::append):
	(KJS::MarkStack::push):
	(KJS::MarkStack::pushOneItemAndAdvance):
	(KJS::MarkStack::advanceUntil126ItemsPushed):
	(KJS::MarkStack::pushRange):
	(KJS::MarkStack::pop):
	(KJS::MarkStack::reset):
	(KJS::MarkStack::size):
	(KJS::MarkStack::overflowed):
	* kjs/collector.cpp:
	(KJS::):
	(KJS::initializeRegisteredThreadKey):
	(KJS::Collector::registerThread):
	(KJS::slowFallbackMarkIfNeeded):
	(KJS::Collector::collect):

LayoutTests:

	Not reviewed.

	- Test case that hits the worst case of range stack marking, to ensure
	  that the slow fallback path has coverage.

	* fast/js/gc-pathological-expected.txt: Added.
	* fast/js/gc-pathological.html: Added.
	* fast/js/resources/gc-pathological.js: Added.
---
 JavaScriptCore/ChangeLog			  |   31 +++++++++++
 JavaScriptCore/kjs/JSLock.cpp			  |   14 ++---
 JavaScriptCore/kjs/MarkStack.h 		  |   46 +++++++++++-----
 JavaScriptCore/kjs/collector.cpp		  |   64 +++++++++++++++++++---
 LayoutTests/ChangeLog				  |   11 ++++
 LayoutTests/fast/js/gc-pathological-expected.txt |    9 +++
 LayoutTests/fast/js/gc-pathological.html	  |   13 +++++
 LayoutTests/fast/js/resources/gc-pathological.js |   25 +++++++++
 8 files changed, 182 insertions(+), 31 deletions(-)
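The mechanism the ChangeLog describes, as an added illustration that is not code from this patch or from JavaScriptCore: a mark stack with a hard capacity that never allocates, and a slow fallback that crawls the whole heap for marked cells whose children were dropped by an overflow. The names (`Cell`, `MarkStack`, `collect`, `markFanOutHeap`), the index-based heap, the capacity of 8 and the fan-out test graph are all constructed for this example; the real patch pushes ranges of children rather than single items.

```cpp
#include <cstddef>
#include <vector>
// Constructed heap cell: a mark bit plus the indices of its child cells.
struct Cell { bool marked = false; std::vector<size_t> children; };
// Fixed-size mark stack: a push past capacity drops the item and records the
// overflow instead of growing, so the mark pass never allocates or recurses.
struct MarkStack {
    static constexpr size_t Capacity = 8;  // tiny on purpose, so the fallback runs
    size_t items[Capacity]; size_t size = 0; bool overflowed = false;
    void push(size_t i) { if (size == Capacity) overflowed = true; else items[size++] = i; }
    bool pop(size_t& out) { if (!size) return false; out = items[--size]; return true; }
    void reset() { size = 0; overflowed = false; }
};
// Set the mark bit, then push. The bit is set even if the push is dropped: that
// is what lets the fallback crawl spot cells whose children were never visited.
static void markAndPush(std::vector<Cell>& heap, MarkStack& stack, size_t i) {
    if (!heap[i].marked) { heap[i].marked = true; stack.push(i); }
}
// Pop until empty, pushing each popped cell's unmarked children.
static void drain(std::vector<Cell>& heap, MarkStack& stack) {
    for (size_t i = 0; stack.pop(i);)
        for (size_t c : heap[i].children) markAndPush(heap, stack, c);
}
// Marks everything reachable from roots. Returns the number of slow fallback
// passes (whole-heap crawls) needed; 0 means the stack never overflowed.
int collect(std::vector<Cell>& heap, const std::vector<size_t>& roots) {
    MarkStack stack;
    for (size_t r : roots) markAndPush(heap, stack, r);
    drain(heap, stack);
    int passes = 0;
    while (stack.overflowed) {        // slow path: crawl the whole heap and re-push
        ++passes; stack.reset();      // the children that an overflow dropped
        for (size_t i = 0; i < heap.size(); ++i)
            if (heap[i].marked)
                for (size_t c : heap[i].children) markAndPush(heap, stack, c);
        drain(heap, stack);
    }
    return passes;
}
// Constructed pathological graph: root 0 fans out to n children, each with one
// grandchild; cell 2n+1 is unreachable garbage. Collects from root 0 and reports.
struct MarkResult { int passes; size_t marked; bool garbageMarked; };
MarkResult markFanOutHeap(size_t n) {
    std::vector<Cell> heap(2 * n + 2);
    for (size_t i = 1; i <= n; ++i) { heap[0].children.push_back(i); heap[i].children.push_back(n + i); }
    MarkResult r = { collect(heap, std::vector<size_t>(1, 0)), 0, false };
    for (const Cell& cell : heap) r.marked += cell.marked ? 1 : 0;
    r.garbageMarked = heap[2 * n + 1].marked;
    return r;
}
```

With a fan-out of 1000 and a stack of 8 the first drain overflows while pushing the root's children and the fallback needs two crawls (the second confirms nothing was left behind), yet every reachable cell ends up marked and the garbage cell does not; a fan-out of 3 never overflows.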