Google Git
Sign in
webkit / WebKit / 98861c839d2baf3400f2d9a1aebec527ced2bfc9 / . / Source / WTF / ChangeLog
blob: d3590aa9154c885e046c8375e2281273cd246d26 [file] [log] [blame]
2016-10-25 Mark Lam <mark.lam@apple.com>
String.prototype.replace() should throw an OutOfMemoryError when using too much memory.
https://bugs.webkit.org/show_bug.cgi?id=163996
<rdar://problem/28263117>
Reviewed by Geoffrey Garen.
* wtf/Vector.h:
(WTF::minCapacity>::tryConstructAndAppend):
(WTF::minCapacity>::tryConstructAndAppendSlowCase):
- Added try versions of constructAndAppend() so that we can handle the failure
to allocate more gracefully.
2016-10-25 Konstantin Tokarev <annulen@yandex.ru>
Non-specialized version of deleteObject should not have template argument
https://bugs.webkit.org/show_bug.cgi?id=163943
Reviewed by Anders Carlsson.
Fixes compilation of GDIObject.h with MinGW
* wtf/win/GDIObject.h:
(WTF::deleteObject):
2016-10-24 Per Arne Vollan <pvollan@apple.com>
[Win] CMake build type is not set.
https://bugs.webkit.org/show_bug.cgi?id=163917
Reviewed by Alex Christensen.
The CMAKE_BUILD_TYPE variable should be set to Debug or Release.
* WTF.vcxproj/WTF.proj:
2016-10-23 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT] Add a way for DOMJIT::Patchpoint to express effects
https://bugs.webkit.org/show_bug.cgi?id=163657
Reviewed by Saam Barati.
Simplify nonEmptyRangesOverlap.
* wtf/MathExtras.h:
(WTF::nonEmptyRangesOverlap):
2016-10-23 Chris Dumez <cdumez@apple.com>
Another unreviewed attempt to fix the WatchOS / TvOS build after r207585.
<rdar://problem/28902292>
Disable USE_CFURLCONNECTION on newer WatchOS / TvOS.
* wtf/Platform.h:
2016-10-20 Keith Miller <keith_miller@apple.com>
Add support for WASM calls
https://bugs.webkit.org/show_bug.cgi?id=161727
Reviewed by Filip Pizlo and Michael Saboff.
Added a new decodeUInt64. Also, added WTF::LEBDecoder namespace.
* wtf/LEBDecoder.h:
(WTF::LEBDecoder::decodeUInt):
(WTF::LEBDecoder::decodeUInt32):
(WTF::LEBDecoder::decodeUInt64):
(WTF::LEBDecoder::decodeInt32):
(decodeUInt32): Deleted.
(decodeInt32): Deleted.
2016-10-20 Filip Pizlo <fpizlo@apple.com>
The tracking of the coarse-grain Heap state (allocating or not, collector or not, eden vs full) should respect the orthogonality between allocating and collecting
https://bugs.webkit.org/show_bug.cgi?id=163738
Reviewed by Geoffrey Garen.
There will soon be different kinds of GC threads, and WTF's "are you a GC thread" thing
should know about this.
* wtf/MainThread.cpp:
(WTF::initializeGCThreads):
(WTF::registerGCThread):
(WTF::mayBeGCThread):
* wtf/MainThread.h:
2016-10-19 Sam Weinig <sam@webkit.org>
Add convenience function that combines WTF::visit(...) with WTF::makeVisitor(...)
https://bugs.webkit.org/show_bug.cgi?id=163713
Reviewed by Dan Bernstein.
- Add WTF::switchOn which merges WTF::visit with WTF::makeVisitor in the following
way:
WTF::visit(WTF::makeVisitor(...), variant)
* wtf/Variant.h:
(WTF::switchOn):
2016-10-19 Alex Christensen <achristensen@webkit.org>
Revert r207151
https://bugs.webkit.org/show_bug.cgi?id=163675
Reviewed by Brent Fulgham.
* wtf/Platform.h:
* wtf/SchedulePair.h:
* wtf/SchedulePairMac.mm:
2016-10-19 Filip Pizlo <fpizlo@apple.com>
REGRESSION (r207480): 3 Dromaeo tests failing
https://bugs.webkit.org/show_bug.cgi?id=163633
Reviewed by Mark Lam.
It's a ParkingLot bug: if we timeout and get unparked at the same time, then the unparking
thread will clear our address eventually - but not immediately. This causes a nasty
assertion failure. The tricky thing is that when we detect this, we need to wait until that
unparking thread does the deed. Otherwise, they will still do it at some later time.
Alternatively, we could use some kind of versioning to detect this - increment the version
when you park, so that unparking threads will know if they are time travelers. That seems
more yucky.
I don't think it matters too much what we do here, so long as it's simple and correct, since
this requires a race that is rare enough that it didn't happen once in my testing, and I was
pretty thorough. For example, it didn't happen once in 15 runs of JetStream. The race is
rare because it requires the timeout to happen right as someone else is unparking. Since
it's so rare, its probably OK that the unparked thread waits just a tiny moment until the
unparking thread is done.
* wtf/ParkingLot.cpp:
(WTF::ParkingLot::parkConditionallyImpl):
(WTF::ParkingLot::unparkOneImpl):
2016-10-19 Filip Pizlo <fpizlo@apple.com>
Baseline JIT should use AutomaticThread
https://bugs.webkit.org/show_bug.cgi?id=163686
Reviewed by Geoffrey Garen.
Added a AutomaticThreadCondition::wait() method, so that if you really want to use one
common condition for your thread and something else, you can do it. This trivially works
if you only use notifyAll(), and behaves as you'd expect for notifyOne() (i.e. it's
dangerous, since you don't know who will wake up).
The Baseline JIT used the one-true-Condition idiom because it used notifyAll() in an
optimal way: there are just two threads talking to each other, so it wakes up at most one
thread and that thread is exactly the one you want woken up. Adding wait() means that I did
not have to change that code.
* wtf/AutomaticThread.cpp:
(WTF::AutomaticThreadCondition::wait):
* wtf/AutomaticThread.h:
2016-10-18 Filip Pizlo <fpizlo@apple.com>
DFG worklist should use AutomaticThread
https://bugs.webkit.org/show_bug.cgi?id=163615
Reviewed by Mark Lam.
This adds new functionality to AutomaticThread to support DFG::Worklist:
- AutomaticThread::threadDidStart/threadWillStop virtual methods called at the start and end
of a thread's lifetime. This allows Worklist to tie some resources to the life of the
thread, and also means that now those resources will naturally free up when the Worklist is
not in use.
- AutomaticThreadCondition::notifyOne(). This required changes to Condition::notifyOne(). We
need to know if the Condition woke up anyone. If it didn't, then we need to launch one of
our threads.
* wtf/AutomaticThread.cpp:
(WTF::AutomaticThreadCondition::notifyOne):
(WTF::AutomaticThread::ThreadScope::ThreadScope):
(WTF::AutomaticThread::ThreadScope::~ThreadScope):
(WTF::AutomaticThread::start):
(WTF::AutomaticThread::threadDidStart):
(WTF::AutomaticThread::threadWillStop):
* wtf/AutomaticThread.h:
* wtf/Condition.h:
(WTF::ConditionBase::notifyOne):
2016-10-18 Sam Weinig <sam@webkit.org>
Replace std::experimental::variant with WTF::Variant (or similar)
https://bugs.webkit.org/show_bug.cgi?id=163626
Reviewed by Chris Dumez.
Rename std::experimental::variant, Variant. Move helpers get/holds_alternative/etc.
into the WTF namespace.
* wtf/Forward.h:
* wtf/Variant.h:
2016-10-18 Filip Pizlo <fpizlo@apple.com>
WTF should make it easier to create threads that die automatically after inactivity
https://bugs.webkit.org/show_bug.cgi?id=163576
Reviewed by Andreas Kling.
For a long time now, I've been adding threads to WTF/JSC and each time I do this, I feel
guilty because those threads don't shut down when they are inactive. For example, in bug
163562, I need to add a new GC thread. There will be one of them per VM. This means that a
JSC API client that starts a lot of VMs will have a lot of threads. I don't think that's
good.
A common pattern for all of these threads is that they have some well-defined trigger that
causes them to run. This trigger has a lock, a condition variable, some logic that determines
if there is work to do, and then of course the logic for the thread's actual work. The thread
bodies usually look like this:
void Thingy::runThread()
{
for (;;) {
Work work;
{
LockHolder locker(m_lock);
while (!hasWork())
m_cond.wait(m_lock);
work = takeWork();
}
doWork(work);
}
}
If you look at ParallelHelperPool (the GC's threads) and DFG::Worklist (some of the JIT's
threads), you will see this pattern.
This change adds a new kind of thread, called AutomaticThread, that lets you write threads to
this pattern while getting automatic thread shutdown for free: instead of just waiting on a
condition variable, AutomaticThread will have a timeout that causes the thread to die. The
condition variable associated with AutomaticThread, called AutomaticThreadCondition, is smart
enough to restart any threads that have decided to stop due to inactivity. The inactivity
threshold is current just 1 second.
In this patch I only adopt AutomaticThread for ParallelHelperPool. I plan to adopt it in more
places soon.
* WTF.xcodeproj/project.pbxproj:
* wtf/AutomaticThread.cpp: Added.
(WTF::AutomaticThreadCondition::create):
(WTF::AutomaticThreadCondition::AutomaticThreadCondition):
(WTF::AutomaticThreadCondition::~AutomaticThreadCondition):
(WTF::AutomaticThreadCondition::notifyAll):
(WTF::AutomaticThreadCondition::add):
(WTF::AutomaticThreadCondition::remove):
(WTF::AutomaticThreadCondition::contains):
(WTF::AutomaticThread::AutomaticThread):
(WTF::AutomaticThread::~AutomaticThread):
(WTF::AutomaticThread::join):
(WTF::AutomaticThread::start):
* wtf/AutomaticThread.h: Added.
* wtf/CMakeLists.txt:
* wtf/ParallelHelperPool.cpp:
(WTF::ParallelHelperClient::ParallelHelperClient):
(WTF::ParallelHelperClient::~ParallelHelperClient):
(WTF::ParallelHelperClient::setTask):
(WTF::ParallelHelperClient::finish):
(WTF::ParallelHelperClient::doSomeHelping):
(WTF::ParallelHelperClient::runTask):
(WTF::ParallelHelperPool::ParallelHelperPool):
(WTF::ParallelHelperPool::~ParallelHelperPool):
(WTF::ParallelHelperPool::ensureThreads):
(WTF::ParallelHelperPool::doSomeHelping):
(WTF::ParallelHelperPool::Thread::Thread):
(WTF::ParallelHelperPool::didMakeWorkAvailable):
(WTF::ParallelHelperPool::helperThreadBody): Deleted.
(WTF::ParallelHelperPool::waitForClientWithTask): Deleted.
* wtf/ParallelHelperPool.h:
2016-10-18 Said Abou-Hallawa <sabouhallawa@apple.com>
SVGCSSParser: m_implicitShorthand value is not reset after adding the shorthand property
https://bugs.webkit.org/show_bug.cgi?id=116470
Reviewed by Simon Fraser.
* wtf/TemporaryChange.h:
(WTF::TemporaryChange::TemporaryChange):
Add a new constructor to make TemporaryChange work as a restorer. The
temporary change will happen after we construct the object.
2016-10-17 Simon Fraser <simon.fraser@apple.com>
Implement DOMRect/DOMRectReadOnly
https://bugs.webkit.org/show_bug.cgi?id=163464
Reviewed by Darin Adler.
Implement min()/max() in a way that follows Math.min/Math.max, which return
NaN if either argument is NaN.
* wtf/MathExtras.h:
(WTF::nanPropagatingMin):
(WTF::nanPropagatingMax):
2016-10-15 Sam Weinig <sam@webkit.org>
MessageEvent's source property should be a (DOMWindow or MessagePort)? rather than a EventTarget?
https://bugs.webkit.org/show_bug.cgi?id=163475
Reviewed by Simon Fraser.
* wtf/Variant.h:
Add missing return statement that was tripping up some compilers.
2016-10-12 Ryan Haddad <ryanhaddad@apple.com>
Unreviewed, rolling out r207225.
This change causes debug tests to exit early with crashes.
Reverted changeset:
"Optional's move-constructor and move-assignment operator
don't disengage the value being moved from"
https://bugs.webkit.org/show_bug.cgi?id=163309
http://trac.webkit.org/changeset/207225
2016-10-11 Sam Weinig <sam@webkit.org>
Optional's move-constructor and move-assignment operator don't disengage the value being moved from
https://bugs.webkit.org/show_bug.cgi?id=163309
Reviewed by Anders Carlsson.
* wtf/Optional.h:
(WTF::Optional::Optional):
(WTF::Optional::operator=):
Disengage 'other' on move-construction and move-assignment.
2016-10-08 Filip Pizlo <fpizlo@apple.com>
MarkedBlock should know what objects are live during marking
https://bugs.webkit.org/show_bug.cgi?id=162309
Reviewed by Geoffrey Garen.
This removes the atomicity mode, because it's not really used: it only affects the
concurrentBlah methods, but their only users turn on atomicity. This was useful because
previously, some binary Bitmap methods (like merge(const Bitmap&)) couldn't be used
effectively in the GC because some of the GC's bitmaps set the atomic mode and some didn't.
Removing this useless mode is the best solution.
Also added some new binary Bitmap methods: mergeAndClear(Bitmap& other) and
setAndClear(Bitmap& other). They perform their action on 'this' (either merge or set,
respectively) while also clearing the contents of 'other'. This is great for one of the GC
hot paths.
* wtf/Bitmap.h:
(WTF::WordType>::Bitmap):
(WTF::WordType>::get):
(WTF::WordType>::set):
(WTF::WordType>::testAndSet):
(WTF::WordType>::testAndClear):
(WTF::WordType>::concurrentTestAndSet):
(WTF::WordType>::concurrentTestAndClear):
(WTF::WordType>::clear):
(WTF::WordType>::clearAll):
(WTF::WordType>::nextPossiblyUnset):
(WTF::WordType>::findRunOfZeros):
(WTF::WordType>::count):
(WTF::WordType>::isEmpty):
(WTF::WordType>::isFull):
(WTF::WordType>::merge):
(WTF::WordType>::filter):
(WTF::WordType>::exclude):
(WTF::WordType>::forEachSetBit):
(WTF::WordType>::mergeAndClear):
(WTF::WordType>::setAndClear):
(WTF::=):
(WTF::WordType>::hash):
2016-10-11 Said Abou-Hallawa <sabouhallawa@apple.com>
Add SynchronizedFixedQueue class
https://bugs.webkit.org/show_bug.cgi?id=162478
Reviewed by Geoffrey Garen.
This class represents a simple producer/consumer worker. It facilitates
synchronizing enqueuing to and dequeuing from a fixed size-queue. It uses
a single lock and a single condition to synchronize all its members among
the working threads. This means a single thread is active at any time and
and the other threads are blocked waiting for the lock to be released. Or
they are sleeping waiting for the condition to be satisfied.
* WTF.xcodeproj/project.pbxproj:
* wtf/SynchronizedFixedQueue.h: Added.
(WTF::SynchronizedFixedQueue::SynchronizedFixedQueue):
(WTF::SynchronizedFixedQueue::open): Restore the queue to its original state.
(WTF::SynchronizedFixedQueue::close): Wake all the sleeping threads with a closing state.
(WTF::SynchronizedFixedQueue::isOpen): Does the queue accept new items?
(WTF::SynchronizedFixedQueue::enqueue): Enqueue an item into the queue.
(WTF::SynchronizedFixedQueue::dequeue): Dequeue an item form the queue.
2016-10-11 Alex Christensen <achristensen@webkit.org>
Remove dead networking code
https://bugs.webkit.org/show_bug.cgi?id=163263
Reviewed by Daniel Bates.
* wtf/Platform.h:
* wtf/SchedulePair.h:
* wtf/SchedulePairMac.mm:
2016-10-10 Zan Dobersek <zdobersek@igalia.com>
Add ENABLE_ENCRYPTED_MEDIA configuration option
https://bugs.webkit.org/show_bug.cgi?id=163219
Reviewed by Darin Adler.
* wtf/FeatureDefines.h:
If undefined, define the ENABLE_ENCRYPTED_MEDIA option to 0.
2016-10-10 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT] Implement Node accessors in DOMJIT
https://bugs.webkit.org/show_bug.cgi?id=163005
Reviewed by Filip Pizlo.
Add CAST_OFFSET. It is not necessary for JSCell thingy
since we don't use virtual member functions. However, it
is not true for WebCore DOM wrapped objects.
* wtf/StdLibExtras.h:
2016-10-07 Chris Dumez <cdumez@apple.com>
window.navigator.language incorrectly returns all lowercase string
https://bugs.webkit.org/show_bug.cgi?id=163096
Reviewed by Darin Adler.
Update platformUserPreferredLanguages() so that it no longer lowercases
the string it returns. On Mac, we rely on CFLocale which returns
BCP-47 language tags as per:
- https://developer.apple.com/reference/corefoundation/1666963-cflocale?language=objc
* wtf/PlatformUserPreferredLanguagesMac.mm:
(WTF::httpStyleLanguageCode):
* wtf/PlatformUserPreferredLanguagesUnix.cpp:
(WTF::platformLanguage):
2016-10-06 Brent Fulgham <bfulgham@apple.com>
[Win][Direct2D] Add Direct2D CMake rules
https://bugs.webkit.org/show_bug.cgi?id=162925
Reviewed by Brent Fulgham.
* wtf/Platform.h: Don't USE(CA) or USE(CG) if building
with Direct2D.
2016-10-05 Yusuke Suzuki <utatane.tea@gmail.com>
[DOMJIT] Add initial CheckDOM and CallDOM implementations
https://bugs.webkit.org/show_bug.cgi?id=162941
Reviewed by Filip Pizlo.
* wtf/Box.h:
(WTF::Box::Box):
2016-10-05 Zan Dobersek <zdobersek@igalia.com>
Rename ENABLE_ENCRYPTED_MEDIA_V2 to ENABLE_LEGACY_ENCRYPTED_MEDIA
https://bugs.webkit.org/show_bug.cgi?id=162903
Reviewed by Alex Christensen.
Rename build guards for the remaining implementation of the legacy EME API
to ENABLE_LEGACY_ENCRYPTED_MEDIA. This will allow for the future implementation
of the near-finished API to be guarded with the simple ENABLE_ENCRYPTED_MEDIA guards.
* wtf/FeatureDefines.h:
2016-10-04 Saam Barati <sbarati@apple.com>
String.prototype.toLowerCase should be a DFG/FTL intrinsic
https://bugs.webkit.org/show_bug.cgi?id=162887
Reviewed by Filip Pizlo and Yusuke Suzuki.
This patch exposes a new StringImpl function called convertToLowercaseWithoutLocaleStartingAtFailingIndex8Bit
which extracts slow path for the 8-bit part of convertToLowercaseWithoutLocale
into a helper function. I decided to extract this into its own function because
it may be the case that JSCs JITs will want to continue the operation
after it has already ensured that part of an 8-bit string is lower case.
* wtf/text/StringImpl.cpp:
(WTF::StringImpl::convertToLowercaseWithoutLocale):
(WTF::StringImpl::convertToLowercaseWithoutLocaleStartingAtFailingIndex8Bit):
* wtf/text/StringImpl.h:
* wtf/text/WTFString.cpp:
(WTF::String::convertToLowercaseWithoutLocaleStartingAtFailingIndex8Bit):
* wtf/text/WTFString.h:
2016-10-04 Chris Dumez <cdumez@apple.com>
Implement KeyboardEvent.code from the UI Event spec
https://bugs.webkit.org/show_bug.cgi?id=149584
Reviewed by Darin Adler.
Add build time flag to toggle support for the code attribute on
KeyboardEvent and only enable it on Mac for now, given that the
implementation is missing on other platforms.
* wtf/FeatureDefines.h:
2016-10-03 Chris Dumez <cdumez@apple.com>
Add support for KeyboardEvent.key attribute
https://bugs.webkit.org/show_bug.cgi?id=36267
Reviewed by Darin Adler.
Add compile time flag for the key attribute on KeyboardEvent and enable
it on Cocoa only.
* wtf/FeatureDefines.h:
2016-09-29 Sam Weinig <sam@webkit.org>
Add initial support for IDL union conversion
https://bugs.webkit.org/show_bug.cgi?id=161576
Reviewed by Chris Dumez.
* WTF.xcodeproj/project.pbxproj:
* wtf/CMakeLists.txt:
Add Brigand.h
* wtf/Brigand.h: Added.
Import a standalone copy of Edouard Alligand and Joel Falcou's
Brigand library for help with for help with list based meta programming
* wtf/StdLibExtras.h:
Add a new three new type traits, IsTemplate, IsBaseOfTemplate and RemoveCVAndReference.
- IsTemplate acts like std::is_class, but works with a generic base.
- IsBaseOfTemplate acts like std::is_base_of, but works with a generic base.
- RemoveCVAndReference combines std::remove_cv and std::remove_reference.
2016-09-30 Filip Pizlo <fpizlo@apple.com>
B3::moveConstants should be able to edit code to minimize the number of constants
https://bugs.webkit.org/show_bug.cgi?id=162764
Reviewed by Saam Barati.
I thought it would be a good idea to document the fact that dominator traversal happens in a
particular order for a reason.
* wtf/Dominators.h:
2016-09-29 Filip Pizlo <fpizlo@apple.com>
Air should have a way of expressing additional instruction flags
https://bugs.webkit.org/show_bug.cgi?id=162699
Reviewed by Mark Lam.
* wtf/CommaPrinter.h:
(WTF::CommaPrinter::CommaPrinter):
(WTF::CommaPrinter::dump):
(WTF::CommaPrinter::didPrint):
2016-09-30 Youenn Fablet <youenn@apple.com>
Add a way to go from a RefPtr<T> to Ref<const T>
https://bugs.webkit.org/show_bug.cgi?id=162683
Reviewed by Alex Christensen.
* wtf/RefPtr.h:
(WTF::RefPtr::releaseConstNonNull): Added.
2016-09-29 Mark Lam <mark.lam@apple.com>
Re-enable StringView life-cycle checking.
https://bugs.webkit.org/show_bug.cgi?id=160384
<rdar://problem/28479434>
Reviewed by Saam Barati.
Re-landing after slow running tests have been resolved.
* wtf/text/StringView.h:
2016-09-29 Commit Queue <commit-queue@webkit.org>
Unreviewed, rolling out r206563.
https://bugs.webkit.org/show_bug.cgi?id=162732
Caused stress/op_*.js.ftl-no-cjit tests to time out (Requested
by ryanhaddad on #webkit).
Reverted changeset:
"Re-enable StringView life-cycle checking."
https://bugs.webkit.org/show_bug.cgi?id=160384
http://trac.webkit.org/changeset/206563
2016-09-29 Fujii Hironori <Hironori.Fujii@sony.com>
Clang 3.9 reports a compilation warning about ENABLE_EXCEPTION_SCOPE_VERIFICATION
https://bugs.webkit.org/show_bug.cgi?id=162718
Reviewed by Alex Christensen.
Clang 3.9 reports a following compilation warning:
Source/JavaScriptCore/runtime/VM.h:656:5: warning: macro expansion producing 'defined' has undefined behavior [-Wexpansion-to-defined]
* wtf/Platform.h: Changed the definition of ENABLE_EXCEPTION_SCOPE_VERIFICATION not to use 'defined'.
2016-09-28 Mark Lam <mark.lam@apple.com>
Re-enable StringView life-cycle checking.
https://bugs.webkit.org/show_bug.cgi?id=160384
<rdar://problem/28479434>
Reviewed by Saam Barati.
* wtf/text/StringView.h:
2016-09-28 Filip Pizlo <fpizlo@apple.com>
The write barrier should be down with TSO
https://bugs.webkit.org/show_bug.cgi?id=162316
Reviewed by Geoffrey Garen.
Added clearRange(), which quickly clears a range of bits. This turned out to be useful for
a DFG optimization pass.
* wtf/FastBitVector.cpp:
(WTF::FastBitVector::clearRange):
* wtf/FastBitVector.h:
2016-09-28 Mark Lam <mark.lam@apple.com>
Fix race condition in StringView's UnderlyingString lifecycle management.
https://bugs.webkit.org/show_bug.cgi?id=162702
Reviewed by Geoffrey Garen.
There 2 relevant functions at play:
void StringView::setUnderlyingString(const StringImpl* string)
{
UnderlyingString* underlyingString;
if (!string)
underlyingString = nullptr;
else {
std::lock_guard<StaticLock> lock(underlyingStringsMutex);
auto result = underlyingStrings().add(string, nullptr);
if (result.isNewEntry)
result.iterator->value = new UnderlyingString(*string);
else
++result.iterator->value->refCount;
underlyingString = result.iterator->value; // Point P2.
}
adoptUnderlyingString(underlyingString); // Point P5.
}
... and ...
void StringView::adoptUnderlyingString(UnderlyingString* underlyingString)
{
if (m_underlyingString) {
// Point P0.
if (!--m_underlyingString->refCount) {
if (m_underlyingString->isValid) { // Point P1.
std::lock_guard<StaticLock> lock(underlyingStringsMutex);
underlyingStrings().remove(&m_underlyingString->string); // Point P3.
}
delete m_underlyingString; // Point P4.
}
}
m_underlyingString = underlyingString;
}
Imagine the following scenario:
1. Thread T1 has been using an UnderlyingString U1, and is now done with it.
T1 runs up to point P1 in adoptUnderlyingString(), and is blocked waiting for
the underlyingStringsMutex (which is currently being held by Thread T2).
2. Context switch to Thread T2.
T2 wants to use UnderlyingString U1, and runs up to point P2 in setUnderlyingString()
and releases the underlyingStringsMutex.
Note: T2 thinks it has successfully refCounted U1, and therefore U1 is safe to use.
3. Context switch to Thread T1.
T1 acquires the underlyingStringsMutex, and proceeds to remove it from the
underlyingStrings() map (see Point P3). It thinks it has successfully done so
and proceeds to delete U1 (see Point P4).
4. Context switch to Thread T2.
T2 proceeds to use U1 (see Point P5 in setUnderlyingString()).
Note: U1 has already been freed. This is a use after free.
The fix is to acquire the underlyingStringsMutex at Point P0 in adoptUnderlyingString()
instead of after P1. This ensures that the decrementing of the UnderlyingString
refCount and its removal from the underlyingStrings() map is done as an atomic unit.
Note: If you look in StringView.cpp, you see another setUnderlyingString() which
takes a StringView otherString. This version of setUnderlyingString() can only
be called from within the same thread that created the other StringView. As a
result, here, we are guaranteed that the UnderlyingString refCount is never zero,
and there's no other threat of another thread trying to delete the UnderlyingString
while we adopt it. Hence, we don't need to acquire the underlyingStringsMutex
here.
This race condition was found when running layout tests fetch/fetch-worker-crash.html
and storage/indexeddb/modern/opendatabase-versions.html when CHECK_STRINGVIEW_LIFETIME
is enabled. This issue resulted in those tests crashing due to a use-after-free.
* wtf/text/StringView.cpp:
(WTF::StringView::adoptUnderlyingString):
(WTF::StringView::setUnderlyingString):
2016-09-28 Brent Fulgham <bfulgham@apple.com>
Correct 'safeCast' implementation
https://bugs.webkit.org/show_bug.cgi?id=162679
<rdar://problem/28518189>
Reviewed by Zalan Bujtas.
* wtf/StdLibExtras.h:
(WTF::safeCast): Use a RELEASE_ASSERT.
2016-09-27 Don Olmstead <don.olmstead@am.sony.com>
[CMake] Add HAVE_LOCALTIME_R definition
https://bugs.webkit.org/show_bug.cgi?id=162636
Reviewed by Alex Christensen.
* wtf/DateMath.cpp:
(WTF::getLocalTime):
* wtf/GregorianDateTime.cpp:
(WTF::GregorianDateTime::setToCurrentLocalTime):
* wtf/Platform.h:
2016-09-27 JF Bastien <jfbastien@apple.com>
Speed up Heap::isMarkedConcurrently
https://bugs.webkit.org/show_bug.cgi?id=162095
Reviewed by Filip Pizlo.
Heap::isMarkedConcurrently had a load-load fence which is expensive on weak memory ISAs such as ARM.
This patch is fairly perf-neutral overall, but the GC's instrumentation reports:
GC:Eden is 93% average runtime after change
GC:Full is 76% average runtime after change
The fence was there because:
1. If the read of m_markingVersion in MarkedBlock::areMarksStale isn't what's expected then;
2. The read of m_marks in MarkedBlock::isMarked needs to observe the value that was stored *before* m_markingVersion was stored.
This ordering isn't guaranteed on ARM, which has a weak memory model.
There are 3 ways to guarantee this ordering:
A. Use a barrier instruction.
B. Use a load-acquire (new in ARMv8).
C. use ARM's address dependency rule, which C++ calls memory_order_consume.
In general:
A. is slow but orders all of memory in an intuitive manner.
B. is faster-ish and has the same property-ish.
C. should be faster still, but *only orders dependent loads*. This last part is critical! Consume isn't an all-out replacement for acquire (acquire is rather a superset of consume).
ARM explains the address dependency rule in their document "barrier litmus tests and cookbook":
> *Resolving by the use of barriers and address dependency*
>
> There is a rule within the ARM architecture that:
> Where the value returned by a read is used to compute the virtual address of a subsequent read or write (this is known as an address dependency), then these two memory accesses will be observed in program order. An address dependency exists even if the value read by the first read has no effect in changing the virtual address (as might be the case if the value returned is masked off before it is used, or if it had no effect on changing a predicted address value).
> This restriction applies only when the data value returned from one read is used as a data value to calculate the address of a subsequent read or write. This does not apply if the data value returned from one read is used to determine the condition code flags, and the values of the flags are used for condition code evaluation to determine the address of a subsequent reads, either through conditional execution or the evaluation of a branch. This is known as a control dependency.
> Where both a control and address dependency exist, the ordering behaviour is consistent with the address dependency.
C++'s memory_order_consume is unfortunately unimplemented by C++ compilers, and maybe unimplementable as spec'd. I'm working with interested folks in the committee to fix this situation: http://wg21.link/p0190r2
* wtf/Atomics.h:
(WTF::zeroWithConsumeDependency): a 0 which carries a dependency
(WTF::consumeLoad): pixie magic
2016-09-27 JF Bastien <jfbastien@apple.com>
Atomics.h on Windows: remove seq_cst hack
https://bugs.webkit.org/show_bug.cgi?id=162022
Reviewed by Mark Lam.
No need to force access to seq_cst, always inlining fixes the MSVC warning.
* wtf/Atomics.h:
(WTF::Atomic::compareExchangeWeak): remove seq_cst hack
(WTF::Atomic::compareExchangeStrong): remove seq_cst hack
(WTF::Atomic::exchangeAndAdd): remove seq_cst hack
(WTF::Atomic::exchange): remove seq_cst hack
2016-09-27 Don Olmstead <don.olmstead@am.sony.com>
[CMake] Use CMake to determine HAVE_* defines
https://bugs.webkit.org/show_bug.cgi?id=162368
Reviewed by Alex Christensen.
* wtf/Platform.h:
2016-09-20 Anders Carlsson <andersca@apple.com>
PlatformEvent::m_modifiers should be an OptionSet
https://bugs.webkit.org/show_bug.cgi?id=162326
Reviewed by Daniel Bates.
* wtf/OptionSet.h:
(WTF::OptionSet::operator!=):
(WTF::OptionSet::operator-):
2016-09-27 Jer Noble <jer.noble@apple.com>
Remove deprecated ENCRYPTED_MEDIA implementation.
https://bugs.webkit.org/show_bug.cgi?id=161010
Reviewed by Eric Carlson.
Remove ENABLE_ENCRYPTED_MEDIA.
* wtf/FeatureDefines.h:
2016-09-27 Youenn Fablet <youenn@apple.com>
[Fetch API] Use Ref<const T> in FetchBody::m_data variant
https://bugs.webkit.org/show_bug.cgi?id=162599
Reviewed by Alex Christensen.
Enabling to use DeferrableRefCounted<const T> by making m_refCount mutable.
* wtf/DeferrableRefCounted.h:
(WTF::DeferrableRefCountedBase::ref):
(WTF::DeferrableRefCountedBase::derefBase):
(WTF::DeferrableRefCounted::deref):
2016-09-26 Daniel Bates <dabates@apple.com>
Rename IOS_TEXT_AUTOSIZING to TEXT_AUTOSIZING
https://bugs.webkit.org/show_bug.cgi?id=162365
Reviewed by Simon Fraser.
* wtf/FeatureDefines.h:
2016-09-26 Benjamin Poulain <benjamin@webkit.org>
[JSC] Shrink the Math inline caches some more
https://bugs.webkit.org/show_bug.cgi?id=162485
Reviewed by Saam Barati.
* wtf/Bag.h:
Don't copy the arguments before initializing the nodes.
2016-09-26 Michael Catanzaro <mcatanzaro@igalia.com>
std::unique_ptr deleter functions should not check if pointer is null
https://bugs.webkit.org/show_bug.cgi?id=162558
Reviewed by Alex Christensen.
std::unique_ptr already does this before calling the deleter.
* wtf/efl/UniquePtrEfl.h:
* wtf/glib/GUniquePtr.h:
== Rolled over to ChangeLog-2016-09-26 ==