Storing new CopiedSpace memory into a JSObject should fire a write barrier (commit ebf01914)
    Authored by mhahnenberg@apple.com
    https://bugs.webkit.org/show_bug.cgi?id=126025
    
    Reviewed by Filip Pizlo.
    
    Technically this is creating a pointer between a (potentially) old generation object and a young
    generation chunk of memory, thus there needs to be a barrier.
    
    * JavaScriptCore.xcodeproj/project.pbxproj:
    * dfg/DFGOperations.cpp:
    * heap/CopyWriteBarrier.h: Added. This class functions similarly to the WriteBarrier class. It
    acts as a proxy for pointers to CopiedSpace. Assignments to the field cause a write barrier to
    fire for the object that is the owner of the CopiedSpace memory. This is to ensure during nursery
    collections that objects with new backing stores are visited, even if they are old generation objects.
    (JSC::CopyWriteBarrier::CopyWriteBarrier):
    (JSC::CopyWriteBarrier::operator!):
    (JSC::CopyWriteBarrier::operator UnspecifiedBoolType*):
    (JSC::CopyWriteBarrier::get):
    (JSC::CopyWriteBarrier::operator*):
    (JSC::CopyWriteBarrier::operator->):
    (JSC::CopyWriteBarrier::set):
    (JSC::CopyWriteBarrier::setWithoutWriteBarrier):
    (JSC::CopyWriteBarrier::clear):
    * heap/Heap.h:
    * runtime/JSArray.cpp:
    (JSC::JSArray::unshiftCountSlowCase):
    (JSC::JSArray::shiftCountWithArrayStorage):
    (JSC::JSArray::unshiftCountWithArrayStorage):
    * runtime/JSCell.h:
    (JSC::JSCell::unvalidatedStructure):
    * runtime/JSGenericTypedArrayViewInlines.h:
    (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
    * runtime/JSObject.cpp:
    (JSC::JSObject::copyButterfly):
    (JSC::JSObject::getOwnPropertySlotByIndex):
    (JSC::JSObject::putByIndex):
    (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
    (JSC::JSObject::createInitialIndexedStorage):
    (JSC::JSObject::createArrayStorage):
    (JSC::JSObject::deletePropertyByIndex):
    (JSC::JSObject::getOwnPropertyNames):
    (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
    (JSC::JSObject::countElements):
    (JSC::JSObject::increaseVectorLength):
    (JSC::JSObject::ensureLengthSlow):
    * runtime/JSObject.h:
    (JSC::JSObject::butterfly):
    (JSC::JSObject::setStructureAndButterfly):
    (JSC::JSObject::setButterflyWithoutChangingStructure):
    (JSC::JSObject::JSObject):
    (JSC::JSObject::putDirectInternal):
    (JSC::JSObject::putDirectWithoutTransition):
    * runtime/MapData.cpp:
    (JSC::MapData::ensureSpaceForAppend):
    * runtime/Structure.cpp:
    (JSC::Structure::materializePropertyMap):
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@161230 268f45cc-cd09-0410-ab3c-d52691b4dbfc
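The commit's reasoning (an old-generation object that receives a fresh nursery backing store must be revisited by the next nursery collection, or that store is reclaimed from under it) can be seen in a toy model. The following is an added example, not JavaScriptCore code: `BackingStore`, `Owner`, `Heap`, its remembered set and the mark/free nursery collection are all assumptions of this example, and the `CopyWriteBarrier` here only borrows the method names from the commit's file list. JavaScriptCore's real CopiedSpace is a copying collector; this model simply frees unmarked stores so the consequence of a missing barrier (a dangling pointer held by the old object) is observable.

```cpp
#include <cstddef>
#include <cstdio>
#include <unordered_set>
#include <vector>

// Hypothetical stand-in for a butterfly living in nursery ("young") memory.
struct BackingStore {
    std::vector<int> data;
    bool marked = false;
};

struct Heap;
struct Owner;

// Proxy for a pointer into the nursery. set() fires a write barrier for the
// owning object; setWithoutWriteBarrier() is the unsafe path, kept for contrast.
class CopyWriteBarrier {
public:
    BackingStore* get() const { return m_value; }
    bool operator!() const { return !m_value; }
    void set(Heap& heap, Owner* owner, BackingStore* value);
    void setWithoutWriteBarrier(BackingStore* value) { m_value = value; }
    void clear() { m_value = nullptr; }
private:
    BackingStore* m_value = nullptr;
};

// An object owning a backing store. isOld models an object that survived
// earlier collections; a nursery collection does not scan old objects unless
// the barrier has put them in the remembered set.
struct Owner {
    explicit Owner(bool old) : isOld(old) {}
    bool isOld;
    CopyWriteBarrier butterfly;
};

struct Heap {
    std::vector<BackingStore*> nursery;
    std::unordered_set<Owner*> rememberedSet;

    BackingStore* allocate(std::size_t n) {
        BackingStore* b = new BackingStore{std::vector<int>(n, 0), false};
        nursery.push_back(b);
        return b;
    }

    // The barrier proper: an old-generation object now pointing into the
    // nursery is recorded so the next nursery collection revisits it.
    void writeBarrier(Owner* owner) {
        if (owner->isOld)
            rememberedSet.insert(owner);
    }

    // Nursery collection: mark from young roots and remembered old objects,
    // free everything else. Returns the number of surviving backing stores.
    std::size_t collectNursery(const std::vector<Owner*>& youngRoots) {
        for (Owner* o : youngRoots)
            if (o->butterfly.get()) o->butterfly.get()->marked = true;
        for (Owner* o : rememberedSet)
            if (o->butterfly.get()) o->butterfly.get()->marked = true;
        std::vector<BackingStore*> survivors;
        for (BackingStore* b : nursery) {
            if (b->marked) { b->marked = false; survivors.push_back(b); }
            else delete b;
        }
        nursery.swap(survivors);
        rememberedSet.clear();
        return nursery.size();
    }

    bool isLive(const BackingStore* b) const {
        for (const BackingStore* x : nursery)
            if (x == b) return true;
        return false;
    }

    ~Heap() { for (BackingStore* b : nursery) delete b; }
};

inline void CopyWriteBarrier::set(Heap& heap, Owner* owner, BackingStore* value) {
    m_value = value;
    heap.writeBarrier(owner);
}

// The commit's scenario: an old object receives a freshly allocated nursery
// store and nothing young references it. Returns whether the store is still
// live after a nursery collection.
bool oldOwnerStoreSurvives(bool useBarrier) {
    Heap heap;
    Owner oldObject(true);
    BackingStore* store = heap.allocate(8);
    store->data[0] = 42;
    if (useBarrier)
        oldObject.butterfly.set(heap, &oldObject, store);
    else
        oldObject.butterfly.setWithoutWriteBarrier(store);
    heap.collectNursery({});  // no young roots: only the remembered set can keep it
    return heap.isLive(store);
}

int main() {
    std::printf("with barrier: %s\n", oldOwnerStoreSurvives(true) ? "survives" : "freed");
    std::printf("without barrier: %s\n", oldOwnerStoreSurvives(false) ? "survives" : "freed");
    return 0;
}
```

With the barrier the old object lands in the remembered set, its new store is marked and survives; without it the store is freed while `oldObject.butterfly` still points at it, which is exactly the dangling-pointer condition the commit closes off for old-generation objects that grow a new butterfly, array storage or MapData buffer.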