[webkit-changes] [102179] trunk/Source/JavaScriptCore

[fpizlo]

Title: [102179] trunk/Source/_javascript_Core

Revision

102179

Author

fpi...@apple.com

Date

2011-12-06 14:12:56 -0800 (Tue, 06 Dec 2011)

Log Message

GC zapping logic could benefit from some more assertions
https://bugs.webkit.org/show_bug.cgi?id=73947

Reviewed by Gavin Barraclough.
        
- If you're in a zapped block and you're zapped, then your mark bit should
  never be set.
          
- If you're being marked, then you should never be zapped.

* heap/MarkedBlock.h:
(JSC::MarkedBlock::isLive):
* runtime/Structure.h:
(JSC::MarkStack::internalAppend):

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/heap/MarkedBlock.h
• trunk/Source/_javascript_Core/runtime/Structure.h

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (102178 => 102179)

--- trunk/Source/_javascript_Core/ChangeLog	2011-12-06 22:07:00 UTC (rev 102178)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-12-06 22:12:56 UTC (rev 102179)
@@ -1,3 +1,20 @@
+2011-12-06  Filip Pizlo  <fpi...@apple.com>
+
+        GC zapping logic could benefit from some more assertions
+        https://bugs.webkit.org/show_bug.cgi?id=73947
+
+        Reviewed by Gavin Barraclough.
+        
+        - If you're in a zapped block and you're zapped, then your mark bit should
+          never be set.
+          
+        - If you're being marked, then you should never be zapped.
+
+        * heap/MarkedBlock.h:
+        (JSC::MarkedBlock::isLive):
+        * runtime/Structure.h:
+        (JSC::MarkStack::internalAppend):
+
 2011-12-06  Oliver Hunt  <oli...@apple.com>
 
         Don't allocate register in typedarray control flow

Modified: trunk/Source/_javascript_Core/heap/MarkedBlock.h (102178 => 102179)

--- trunk/Source/_javascript_Core/heap/MarkedBlock.h	2011-12-06 22:07:00 UTC (rev 102178)
+++ trunk/Source/_javascript_Core/heap/MarkedBlock.h	2011-12-06 22:12:56 UTC (rev 102179)
@@ -282,7 +282,15 @@
         case Allocated:
             return true;
         case Zapped:
-            return !isZapped(cell);
+            if (isZapped(cell)) {
+                // Object dead in previous collection, not allocated since previous collection: mark bit should not be set.
+                ASSERT(!m_marks.get(atomNumber(cell)));
+                return false;
+            }
+            
+            // Newly allocated objects: mark bit not set.
+            // Objects that survived prior collection: mark bit set.
+            return true;
         case Marked:
             return m_marks.get(atomNumber(cell));
 

Modified: trunk/Source/_javascript_Core/runtime/Structure.h (102178 => 102179)

--- trunk/Source/_javascript_Core/runtime/Structure.h	2011-12-06 22:07:00 UTC (rev 102178)
+++ trunk/Source/_javascript_Core/runtime/Structure.h	2011-12-06 22:12:56 UTC (rev 102179)
@@ -356,6 +356,10 @@
         m_visitCount++;
         if (Heap::testAndSetMarked(cell) || !cell->structure())
             return;
+        
+        // Should never attempt to mark something that is zapped.
+        ASSERT(!cell->isZapped());
+        
         m_stack.append(cell);
     }
 

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes