[Webkit-unassigned] [Bug 209929] New: HeapSnapshotBuilder::analyzeNode() should filter out duplicate cells.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Apr 2 14:18:18 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=209929

            Bug ID: 209929
           Summary: HeapSnapshotBuilder::analyzeNode() should filter out
                    duplicate cells.
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

HeapSnapshot::finalize() assumes that the cells in its vector are unique and have no duplicates.  HeapSnapshot::appendNode() expects to only be called once for a cell, and hence will not be adding a duplicate cell.  It doesn't check for duplicates.

However, with the concurrent GC marker, there’s a racy chance that the same cell is visited more than once by SlotVisitor, and therefore calls HeapSnapshotBuilder::analyzeNode() (and HeapSnapshot::appendNode()) more than once for the same cell.

The easiest and cleanest fix for this is to simply keep a HashSet of appended cells in HeapSnapshotBuilder while it is building the snapshot.  We can then use the hash set to filter out already appended cells, and avoid adding duplicates to the HeapSnapshot.

<rdar://problem/60974478>
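The dedup filter described in the report, as an added illustration rather than WebKit's own code: SnapshotBuilder, Cell and snapshotFromRacyVisits are simplified stand-ins for HeapSnapshotBuilder, JSCell and the marker's visit sequence, and the constructed second sweep plays the role of the concurrent marker reaching a cell twice.

```cpp
#include <cstdint>
#include <mutex>
#include <unordered_set>
#include <vector>

// Stand-in for a JSCell: only its address matters as identity.
struct Cell { uint64_t id; };

// Simplified stand-in for HeapSnapshotBuilder. HeapSnapshot::finalize()
// assumes the appended node vector is duplicate-free, so the builder keeps
// a hash set of already appended cells and drops repeat visits. The lock
// stands in for the synchronisation the real builder needs, because the
// concurrent GC marker can visit a cell from more than one thread.
class SnapshotBuilder {
public:
    // Called each time SlotVisitor visits a cell (possibly more than once).
    // Returns true if the cell was appended, false if it was a duplicate.
    bool analyzeNode(const Cell* cell) {
        std::lock_guard<std::mutex> lock(m_lock);
        if (!m_appendedCells.insert(cell).second)
            return false;             // already appended: filter it out
        m_nodes.push_back(cell);      // HeapSnapshot::appendNode() equivalent
        return true;
    }
    // The invariant finalize() relies on: no cell appears twice.
    bool nodesAreUnique() const {
        std::unordered_set<const Cell*> seen(m_nodes.begin(), m_nodes.end());
        return seen.size() == m_nodes.size();
    }
    size_t nodeCount() const { return m_nodes.size(); }

private:
    std::mutex m_lock;
    std::unordered_set<const Cell*> m_appendedCells;
    std::vector<const Cell*> m_nodes;
};

// Replays a constructed visit sequence in which the racy marker has reached
// every cell twice (the second sweep revisits everything). Returns the
// number of unique nodes recorded, or 0 if the uniqueness invariant broke.
size_t snapshotFromRacyVisits(size_t cellCount) {
    std::vector<Cell> cells(cellCount);
    for (size_t i = 0; i < cellCount; ++i) cells[i].id = i;
    SnapshotBuilder builder;
    for (int sweep = 0; sweep < 2; ++sweep)   // second sweep = duplicate visits
        for (const Cell& c : cells)
            builder.analyzeNode(&c);
    return builder.nodesAreUnique() ? builder.nodeCount() : 0;
}
```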
