commit 23c01198df8f1ac27b6f0c1f849fcdfde0d5e8e8
author sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Sat Sep 22 07:28:39 2018 +0000
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Sat Sep 22 07:28:39 2018 +0000
tree f80a38735a3a839de3fc63a69967fcd43400d4a4
parent 48bd0a01bd9ba3d210e9bf92610d298f0beead9f

The sampling should not use Strong<CodeBlock> in its machineLocation field
https://bugs.webkit.org/show_bug.cgi?id=189319

Reviewed by Filip Pizlo.

JSTests:

* stress/sampling-profiler-richards.js: Added.

Source/JavaScriptCore:

The sampling profiler has a CLI mode where we gather information about inline
call frames. That data structure was using a Strong<CodeBlock>. We were
constructing this Strong<CodeBlock> during GC concurrently to processing all
the Strong handles. This is a bug since we end up corrupting that data
structure. This patch fixes this by just making this data structure use the
sampling profiler's mechanism for holding onto and properly visiting heap pointers.

* inspector/agents/InspectorScriptProfilerAgent.cpp:
(Inspector::InspectorScriptProfilerAgent::trackingComplete):
* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::processUnverifiedStackTraces):

(JSC::SamplingProfiler::reportTopFunctions):
(JSC::SamplingProfiler::reportTopBytecodes):
These CLI helpers needed a DeferGC otherwise we may end up deadlocking when we
cause a GC to happen while already holding the sampling profiler's
lock.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@236382 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/runtime/SamplingProfiler.cpp

diff --git a/Source/JavaScriptCore/runtime/SamplingProfiler.cpp b/Source/JavaScriptCore/runtime/SamplingProfiler.cpp
index a99554d..ff07dba 100644
--- a/Source/JavaScriptCore/runtime/SamplingProfiler.cpp
+++ b/Source/JavaScriptCore/runtime/SamplingProfiler.cpp
@@ -567,8 +567,9 @@
                 // output on the command line, but we could extend it to the web
                 // inspector in the future if we find a need for it there.
                 RELEASE_ASSERT(stackTrace.frames.size());
+                m_liveCellPointers.add(machineCodeBlock);
                 for (size_t i = startIndex; i < stackTrace.frames.size() - 1; i++)
-                    stackTrace.frames[i].machineLocation = std::make_pair(machineLocation, Strong<CodeBlock>(m_vm, machineCodeBlock));
+                    stackTrace.frames[i].machineLocation = std::make_pair(machineLocation, machineCodeBlock);
             }
         };
 
@@ -957,6 +958,7 @@
 void SamplingProfiler::reportTopFunctions(PrintStream& out)
 {
     LockHolder locker(m_lock);
+    DeferGCForAWhile deferGC(m_vm.heap);
 
     {
         HeapIterationScope heapIterationScope(m_vm.heap);
@@ -1009,6 +1011,7 @@
 void SamplingProfiler::reportTopBytecodes(PrintStream& out)
 {
     LockHolder locker(m_lock);
+    DeferGCForAWhile deferGC(m_vm.heap);
 
     {
         HeapIterationScope heapIterationScope(m_vm.heap);
@@ -1040,7 +1043,7 @@
 
         StackFrame& frame = stackTrace.frames.first();
         String frameDescription = makeString(frame.displayName(m_vm), descriptionForLocation(frame.semanticLocation));
-        if (std::optional<std::pair<StackFrame::CodeLocation, Strong<CodeBlock>>> machineLocation = frame.machineLocation) {
+        if (std::optional<std::pair<StackFrame::CodeLocation, CodeBlock*>> machineLocation = frame.machineLocation) {
             frameDescription = makeString(frameDescription, " <-- ",
                 machineLocation->second->inferredName().data(), descriptionForLocation(machineLocation->first));
         }