From 23bde0cf8565bb36b9df638de874ad04607e84d3 Mon Sep 17 00:00:00 2001
From: Filip Pizlo
Date: Thu, 4 Apr 2013 12:19:52 +0200
Subject: If array allocation profiling causes a new_array to allocate double arrays, then the holes should end up being correctly initialized
https://bugs.webkit.org/show_bug.cgi?id=106363
Reviewed by Mark Hahnenberg.
Source/JavaScriptCore:
* runtime/JSArray.h:
(JSC::JSArray::tryCreateUninitialized):
LayoutTests:
* fast/js/jsc-test-list:
* fast/js/new-array-double-with-holes-expected.txt: Added.
* fast/js/new-array-double-with-holes.html: Added.
* fast/js/script-tests/new-array-double-with-holes.js: Added.
(foo):
Change-Id: Iad48b7dd0e71bcbe8557fd6f19487fcd9eeed585
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139094 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte
---
Source/JavaScriptCore/runtime/JSArray.h | 4 ++++
1 file changed, 4 insertions(+)
(limited to 'Source/JavaScriptCore/runtime')
diff --git a/Source/JavaScriptCore/runtime/JSArray.h b/Source/JavaScriptCore/runtime/JSArray.h
index ea1ed9047..cef3b53ad 100644
--- a/Source/JavaScriptCore/runtime/JSArray.h
+++ b/Source/JavaScriptCore/runtime/JSArray.h
@@ -245,6 +245,10 @@ inline JSArray* JSArray::tryCreateUninitialized(JSGlobalData& globalData, Struct
 butterfly = Butterfly::fromBase(temp, 0, 0);
 butterfly->setVectorLength(vectorLength);
 butterfly->setPublicLength(initialLength);
+ if (hasDouble(structure->indexingType())) {
+ for (unsigned i = initialLength; i < vectorLength; ++i)
+ butterfly->contiguousDouble()[i] = QNaN;
+ }
 } else {
 void* temp;
 if (!globalData.heap.tryAllocateStorage(Butterfly::totalSize(0, 0, true, ArrayStorage::sizeFor(vectorLength)), &temp))
-- 
cgit v1.2.1
From 6ab46a19bac261f42b664c62f8c2477b294b86ea Mon Sep 17 00:00:00 2001
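Review bot: The QNaN fill covers only the holes between initialLength and vectorLength, and only when the structure has double indexing, which leaves the contract of tryCreateUninitialized (whose body begins and ends outside the hunk) undocumented at exactly the point where it matters. Elements below initialLength stay uninitialized by design, so a comment such as `// Callers must fill [0, initialLength); holes above it are QNaN so the v != v hole test sees them as empty.` would make the invariant explicit next to the loop. The int32/contiguous case and the ArrayStorage branch below get no hole initialization in this hunk; presumably those layouts rely on zeroed storage or a different empty marker, but that is worth confirming, because a stale non-NaN bit pattern in a double vector reads as a present element rather than a hole.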
From: Balazs Kilvady
Date: Thu, 4 Apr 2013 13:51:09 +0200
Subject: r134080 causes heap problem on linux systems where PAGESIZE != 4096
https://bugs.webkit.org/show_bug.cgi?id=102828
Patch by Balazs Kilvady on 2013-01-18
Reviewed by Mark Hahnenberg.
Make MarkStackSegment::blockSize as the capacity of segments of a MarkStackArray.
* JavaScriptCore.vcproj/JavaScriptCore/JavaScriptCoreExports.def:
* heap/MarkStack.cpp:
(JSC):
(JSC::MarkStackArray::MarkStackArray):
(JSC::MarkStackArray::expand):
(JSC::MarkStackArray::donateSomeCellsTo):
(JSC::MarkStackArray::stealSomeCellsFrom):
* heap/MarkStack.h:
(JSC::MarkStackSegment::data):
(CapacityFromSize):
(MarkStackArray):
* heap/MarkStackInlines.h:
(JSC::MarkStackArray::setTopForFullSegment):
(JSC::MarkStackArray::append):
(JSC::MarkStackArray::isEmpty):
(JSC::MarkStackArray::size):
* runtime/Options.h:
(JSC):
Change-Id: I4663100b6b8b054bed03c0c6eb01bb9274a1b264
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140195 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte
---
Source/JavaScriptCore/runtime/Options.h | 1 -
1 file changed, 1 deletion(-)
(limited to 'Source/JavaScriptCore/runtime')
diff --git a/Source/JavaScriptCore/runtime/Options.h b/Source/JavaScriptCore/runtime/Options.h
index 5ad30bde3..bf4a0cf75 100644
--- a/Source/JavaScriptCore/runtime/Options.h
+++ b/Source/JavaScriptCore/runtime/Options.h
@@ -117,7 +117,6 @@ namespace JSC {
 v(double, structureCheckVoteRatioForHoisting, 1) \
 \
 v(unsigned, minimumNumberOfScansBetweenRebalance, 100) \
- v(unsigned, gcMarkStackSegmentSize, pageSize()) \
 v(unsigned, numberOfGCMarkers, computeNumberOfGCMarkers(7)) \
 v(unsigned, opaqueRootMergeThreshold, 1000) \
 v(double, minHeapUtilization, 0.8) \
-- 
cgit v1.2.1
From d6ffb6e0ba2941ff69c9b8eaf6ccf383c5d03063 Mon Sep 17 00:00:00 2001
From: Andras Becsi
Date: Thu, 4 Apr 2013 19:14:29 +0200
Subject: Fix the build with GCC 4.8
https://bugs.webkit.org/show_bug.cgi?id=113147
Reviewed by Allan Sandfeld Jensen.
Source/JavaScriptCore:
Initialize JSObject* exception to suppress warnings that make the build fail because of -Werror=maybe-uninitialized.
* runtime/Executable.cpp:
(JSC::FunctionExecutable::compileForCallInternal):
(JSC::FunctionExecutable::compileForConstructInternal):
Source/WTF:
Disable diagnostic warning -Wunused-local-typedefs for GCC 4.8 since dummy typedefs are commonly used in the codebase.
* wtf/Compiler.h:
Change-Id: I084a47068324c6b9ddd7f4274f7c5a2d10904627
Reviewed-by: Allan Sandfeld Jensen
Reviewed-by: Jocelyn Turcotte
---
Source/JavaScriptCore/runtime/Executable.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'Source/JavaScriptCore/runtime')
diff --git a/Source/JavaScriptCore/runtime/Executable.cpp b/Source/JavaScriptCore/runtime/Executable.cpp
index 746e281e3..ff4c2ff76 100644
--- a/Source/JavaScriptCore/runtime/Executable.cpp
+++ b/Source/JavaScriptCore/runtime/Executable.cpp
@@ -522,7 +522,7 @@ JSObject* FunctionExecutable::compileForCallInternal(ExecState* exec, JSScope* s
 UNUSED_PARAM(bytecodeIndex);
 #endif
 ASSERT((jitType == JITCode::bottomTierJIT()) == !m_codeBlockForCall);
- JSObject* exception;
+ JSObject* exception = 0;
 OwnPtr newCodeBlock = produceCodeBlockFor(scope, CodeForCall, exception);
 if (!newCodeBlock)
 return exception;
@@ -558,7 +558,7 @@ JSObject* FunctionExecutable::compileForConstructInternal(ExecState* exec, JSSco
 #endif
 ASSERT((jitType == JITCode::bottomTierJIT()) == !m_codeBlockForConstruct);
- JSObject* exception;
+ JSObject* exception = 0;
 OwnPtr newCodeBlock = produceCodeBlockFor(scope, CodeForConstruct, exception);
 if (!newCodeBlock)
 return exception;
-- 
cgit v1.2.1
From 9e5eaab34ec9fe2a0e0ba169c939a23bef8df900 Mon Sep 17 00:00:00 2001
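Review bot: Initializing `exception` to 0 silences -Wmaybe-uninitialized, but it also changes what happens if produceCodeBlockFor ever returns a null code block without setting `exception`: the function now returns 0, and the caller sees neither a code block nor an error where it previously would have read an uninitialized pointer. If produceCodeBlockFor guarantees to set the out-parameter whenever it fails, pin that contract at the failure return, `if (!newCodeBlock) { ASSERT(exception); return exception; }`; if it does not, the silent-null path needs real handling rather than a warning fix. The same applies to the compileForConstructInternal hunk; both function bodies continue outside the hunks.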
From: Oliver Hunt
Date: Tue, 16 Apr 2013 11:58:22 +0200
Subject: Add more assertions to the property storage use in arrays
https://bugs.webkit.org/show_bug.cgi?id=107728
Reviewed by Filip Pizlo.
Add a bunch of assertions to array and object butterfly usage. This should make debugging somewhat easier. I also converted a couple of assertions to release asserts as they were so low cost it seemed a sensible thing to do.
* runtime/JSArray.cpp:
(JSC::JSArray::sortVector):
(JSC::JSArray::compactForSorting):
* runtime/JSObject.h:
(JSC::JSObject::getHolyIndexQuickly):
Change-Id: Ie6164b837e7671b87c003de3e29fd33ef05f4362
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@141029 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte
---
Source/JavaScriptCore/runtime/JSArray.cpp | 24 +++++++++++++++++++-----
Source/JavaScriptCore/runtime/JSObject.h | 1 +
2 files changed, 20 insertions(+), 5 deletions(-)
(limited to 'Source/JavaScriptCore/runtime')
diff --git a/Source/JavaScriptCore/runtime/JSArray.cpp b/Source/JavaScriptCore/runtime/JSArray.cpp
index 4ba5cc2bd..c742804f7 100644
--- a/Source/JavaScriptCore/runtime/JSArray.cpp
+++ b/Source/JavaScriptCore/runtime/JSArray.cpp
@@ -1347,7 +1347,7 @@ void JSArray::sortVector(ExecState* exec, JSValue compareFunction, CallType call
 // Iterate over the array, ignoring missing values, counting undefined ones, and inserting all other ones into the tree.
 for (; numDefined < usedVectorLength; ++numDefined) {
- if (numDefined > m_butterfly->vectorLength())
+ if (numDefined >= m_butterfly->vectorLength())
 break;
 JSValue v = getHolyIndexQuickly(numDefined);
 if (!v || v.isUndefined())
@@ -1356,7 +1356,7 @@ void JSArray::sortVector(ExecState* exec, JSValue compareFunction, CallType call
 tree.insert(numDefined);
 }
 for (unsigned i = numDefined; i < usedVectorLength; ++i) {
- if (i > m_butterfly->vectorLength())
+ if (i >= m_butterfly->vectorLength())
 break;
 JSValue v = getHolyIndexQuickly(i);
 if (v) {
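Review bot: The two loops in sortVector now stop at `numDefined >= m_butterfly->vectorLength()` and `i >= m_butterfly->vectorLength()`, and those comparisons are the only thing between the loops and a read one past the butterfly, because the ASSERT this commit adds to getHolyIndexQuickly (JSObject.h hunk) compiles out in release builds. The `>` to `>=` correction is right, but a comment would stop a later cleanup from folding it into the debug-only assertions added elsewhere in this commit: `// Runtime guard, not an ASSERT: release builds must not read past the vector.` Since the loops bother to break, usedVectorLength can apparently exceed vectorLength on entry; if it is in fact bounded (it is computed outside the hunk), one check before the loops would replace the per-iteration comparison. sortVector begins and ends outside these hunks.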
@@ -1384,6 +1384,7 @@ void JSArray::sortVector(ExecState* exec, JSValue compareFunction, CallType call
 iter.start_iter_least(tree);
 JSGlobalData& globalData = exec->globalData();
 for (unsigned i = 0; i < elementsToExtractThreshold; ++i) {
+ ASSERT(i < butterfly()->vectorLength());
 if (structure()->indexingType() == ArrayWithDouble)
 butterfly()->contiguousDouble()[i] = tree.abstractor().m_nodes[*iter].value.asNumber();
 else
@@ -1398,12 +1399,15 @@ void JSArray::sortVector(ExecState* exec, JSValue compareFunction, CallType call
 break;
 default:
- for (unsigned i = elementsToExtractThreshold; i < undefinedElementsThreshold; ++i)
+ for (unsigned i = elementsToExtractThreshold; i < undefinedElementsThreshold; ++i) {
+ ASSERT(i < butterfly()->vectorLength());
 currentIndexingData()[i].setUndefined();
+ }
 }
 // Ensure that unused values in the vector are zeroed out.
 for (unsigned i = undefinedElementsThreshold; i < clearElementsThreshold; ++i) {
+ ASSERT(i < butterfly()->vectorLength());
 if (structure()->indexingType() == ArrayWithDouble)
 butterfly()->contiguousDouble()[i] = QNaN;
 else
@@ -1533,6 +1537,7 @@ void JSArray::copyToArguments(ExecState* exec, CallFrame* callFrame, uint32_t le
 vector = 0;
 vectorEnd = 0;
 for (; i < m_butterfly->publicLength(); ++i) {
+ ASSERT(i < butterfly()->vectorLength());
 double v = m_butterfly->contiguousDouble()[i];
 if (v != v)
 break;
@@ -1578,6 +1583,7 @@ void JSArray::compactForSorting(unsigned& numDefined, unsigned& newRelevantLengt
 unsigned numUndefined = 0;
 for (; numDefined < myRelevantLength; ++numDefined) {
+ ASSERT(numDefined < m_butterfly->vectorLength());
 if (indexingType == ArrayWithInt32) {
 JSValue v = m_butterfly->contiguousInt32()[numDefined].get();
 if (!v)
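Review bot: Each new `ASSERT(i < butterfly()->vectorLength())` sits inside a loop whose upper bound (elementsToExtractThreshold, undefinedElementsThreshold, clearElementsThreshold, publicLength(), myRelevantLength) is loop-invariant, so the check can be stated once ahead of each loop, e.g. `ASSERT(elementsToExtractThreshold <= butterfly()->vectorLength());` before the extraction loop at -1384, which reads as the invariant it is and avoids a vectorLength() call per iteration in debug builds. The same pattern recurs in the compactForSorting hunks on the following line, where the `ASSERT(numDefined < m_butterfly->vectorLength())` placed before each `numDefined++` store is already implied by the `ASSERT(i < ...)` at the loop head, since i starts at numDefined and numDefined advances at most once per iteration. These remain debug-only, so the stores through contiguousDouble() and currentIndexingData() are unguarded in release builds; if any of these thresholds derives from a script-controlled length, this is where the commit's own rationale for release asserts on cheap checks applies. The enclosing functions begin and end outside the hunks.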
@@ -1597,11 +1603,13 @@ void JSArray::compactForSorting(unsigned& numDefined, unsigned& newRelevantLengt
 }
 for (unsigned i = numDefined; i < myRelevantLength; ++i) {
+ ASSERT(i < m_butterfly->vectorLength());
 if (indexingType == ArrayWithInt32) {
 JSValue v = m_butterfly->contiguousInt32()[i].get();
 if (!v)
 continue;
 ASSERT(v.isInt32());
+ ASSERT(numDefined < m_butterfly->vectorLength());
 m_butterfly->contiguousInt32()[numDefined++].setWithoutWriteBarrier(v);
 continue;
 }
@@ -1609,6 +1617,7 @@ void JSArray::compactForSorting(unsigned& numDefined, unsigned& newRelevantLengt
 double v = m_butterfly->contiguousDouble()[i];
 if (v != v)
 continue;
+ ASSERT(numDefined < m_butterfly->vectorLength());
 m_butterfly->contiguousDouble()[numDefined++] = v;
 continue;
 }
@@ -1616,8 +1625,10 @@ void JSArray::compactForSorting(unsigned& numDefined, unsigned& newRelevantLengt
 if (v) {
 if (v.isUndefined())
 ++numUndefined;
- else
+ else {
+ ASSERT(numDefined < m_butterfly->vectorLength());
 indexingData()[numDefined++].setWithoutWriteBarrier(v);
+ }
 }
 }
@@ -1633,11 +1644,14 @@ void JSArray::compactForSorting(unsigned& numDefined, unsigned& newRelevantLengt
 break;
 default:
- for (unsigned i = numDefined; i < newRelevantLength; ++i)
+ for (unsigned i = numDefined; i < newRelevantLength; ++i) {
+ ASSERT(i < m_butterfly->vectorLength());
 indexingData()[i].setUndefined();
+ }
 break;
 }
 for (unsigned i = newRelevantLength; i < myRelevantLength; ++i) {
+ ASSERT(i < m_butterfly->vectorLength());
 if (indexingType == ArrayWithDouble)
 m_butterfly->contiguousDouble()[i] = QNaN;
 else
diff --git a/Source/JavaScriptCore/runtime/JSObject.h b/Source/JavaScriptCore/runtime/JSObject.h
index 957ba8227..428e51f3c 100644
--- a/Source/JavaScriptCore/runtime/JSObject.h
+++ b/Source/JavaScriptCore/runtime/JSObject.h
@@ -862,6 +862,7 @@ protected:
 JSValue getHolyIndexQuickly(unsigned i)
 {
+ ASSERT(i < m_butterfly->vectorLength());
 switch (structure()->indexingType()) {
 case ALL_INT32_INDEXING_TYPES:
 case ALL_CONTIGUOUS_INDEXING_TYPES:
-- 
cgit v1.2.1
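Review bot: The new `ASSERT(i < m_butterfly->vectorLength())` states the precondition of getHolyIndexQuickly but enforces it only in debug builds, while the callers in sortVector (JSArray.cpp hunks) keep their own `>= vectorLength()` break, which is what actually protects release builds. That division of responsibility should be written down at the accessor so nobody later drops the caller-side check in favour of this one: `// Precondition: i < vectorLength(). Debug-only check; callers must bounds-check in release builds.` The switch body continues outside the hunk.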