Cherry-pick 259548.690@safari-7615-branch (b05050e). https://bugs.web…

…kit.org/show_bug.cgi?id=255951 [JSC] MarkedVector::fill should register itself as a root https://bugs.webkit.org/show_bug.cgi?id=255951 rdar://108261913 Reviewed by Alexey Shvayka and Justin Michaud. 1. MarkedVector::fill is not registering itself as a strong root of GC. This patch fixes it with m_markSet->add. 2. Initialize buffer with empty value in MarkedVector::fill. This buffer can be scanned via GC when GC is invoked from a passed lambda. * JSTests/stress/marked-buffer-fill-should-be-gc-aware.js: Added. (foo): * Source/JavaScriptCore/llint/LLIntSlowPaths.cpp: (JSC::LLInt::handleVarargsCheckpoint): * Source/JavaScriptCore/runtime/ArgList.h: (JSC::MarkedVector::fill): Canonical link: https://commits.webkit.org/259548.690@safari-7615-branch
WebKit · Jul 28, 2023 · 0fe7013 · 0fe7013
1 parent a061038
commit 0fe7013
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 3 deletions.
diff --git a/JSTests/stress/marked-buffer-fill-should-be-gc-aware.js b/JSTests/stress/marked-buffer-fill-should-be-gc-aware.js
@@ -0,0 +1,10 @@
+//@ runDefault("--slowPathAllocsBetweenGCs=10", "--jitPolicyScale=0")
+let a = new BigUint64Array(1000);
+
+function foo(a0) {
+  ~a0;
+}
+
+for (let i = 0; i < 1000; i++) {
+  foo.apply(null, a);
+}
diff --git a/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp b/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp
@@ -2384,7 +2384,7 @@ static void handleVarargsCheckpoint(VM& vm, CallFrame* callFrame, JSGlobalObject
     unsigned firstVarArg = bytecode.m_firstVarArg;
 
     MarkedArgumentBuffer args;
-    args.fill(argumentCountIncludingThis - 1, [&] (JSValue* buffer) {
+    args.fill(vm, argumentCountIncludingThis - 1, [&](JSValue* buffer) {
         loadVarargs(globalObject, buffer, callFrame->r(bytecode.m_arguments).jsValue(), firstVarArg, argumentCountIncludingThis - 1);
     });
     if (args.hasOverflowed()) {

diff --git a/Source/JavaScriptCore/runtime/ArgList.h b/Source/JavaScriptCore/runtime/ArgList.h
@@ -205,14 +205,21 @@ class MarkedVector : public OverflowHandler, public MarkedVectorBase  {
     }
 
     template<typename Functor>
-    void fill(size_t count, const Functor& func)
+    void fill(VM& vm, size_t count, const Functor& func)
     {
         ASSERT(!m_size);
         ensureCapacity(count);
         if (OverflowHandler::hasOverflowed())
             return;
+        if (LIKELY(!m_markSet)) {
+            m_markSet = &vm.heap.markListSet();
+            m_markSet->add(this);
+        }
         m_size = count;
-        func(reinterpret_cast<JSValue*>(&slotFor(0)));
+        auto* buffer = reinterpret_cast<JSValue*>(&slotFor(0));
+        for (unsigned i = 0; i < count; ++i)
+            buffer[i] = JSValue();
+        func(buffer);
     }
 
 private: