Extra asserts for testing in prod

Author: justinmichaud

Source/JavaScriptCore/heap/MarkedBlock.cpp

@@ -318,8 +318,9 @@ void MarkedBlock::Handle::removeFromDirectory()
 
 void MarkedBlock::Handle::didAddToDirectory(BlockDirectory* directory, unsigned index)
 {
-    ASSERT(m_index == std::numeric_limits<unsigned>::max());
-    ASSERT(!m_directory);
+    RELEASE_ASSERT(m_index == std::numeric_limits<unsigned>::max());
+    RELEASE_ASSERT(WTF::opaque(!m_directory));
+    RELEASE_ASSERT(WTF::opaque(directory));
 
     RELEASE_ASSERT(directory->subspace()->alignedMemoryAllocator() == m_alignedMemoryAllocator);
 
@@ -348,21 +349,19 @@ void MarkedBlock::Handle::didAddToDirectory(BlockDirectory* directory, unsigned
 
 void MarkedBlock::Handle::didRemoveFromDirectory()
 {
-    ASSERT(m_index != std::numeric_limits<unsigned>::max());
-    ASSERT(m_directory);
+    RELEASE_ASSERT(m_index != std::numeric_limits<unsigned>::max());
+    RELEASE_ASSERT(m_directory);
 
     m_index = std::numeric_limits<unsigned>::max();
     m_directory = nullptr;
     blockFooter().m_subspace = nullptr;
 }
 
-#if ASSERT_ENABLED
 void MarkedBlock::assertValidCell(VM& vm, HeapCell* cell) const
 {
     RELEASE_ASSERT(&vm == &this->vm());
     RELEASE_ASSERT(const_cast<MarkedBlock*>(this)->handle().cellAlign(cell) == cell);
 }
-#endif // ASSERT_ENABLED
 
 void MarkedBlock::Handle::dumpState(PrintStream& out)
 {
@@ -488,4 +487,3 @@ void printInternal(PrintStream& out, JSC::MarkedBlock::Handle::SweepMode mode)
 }
 
 } // namespace WTF
-

Source/JavaScriptCore/heap/MarkedBlock.h

@@ -354,11 +354,7 @@ class MarkedBlock {
 
     bool hasAnyMarked() const;
     void noteMarked();
-#if ASSERT_ENABLED
     void assertValidCell(VM&, HeapCell*) const;
-#else
-    void assertValidCell(VM&, HeapCell*) const { }
-#endif
 
     WeakSet& weakSet();
 

Source/JavaScriptCore/heap/PreciseAllocation.cpp

@@ -253,14 +253,11 @@ void PreciseAllocation::dump(PrintStream& out) const
     out.print(RawPointer(this), ":(cell at ", RawPointer(cell()), " with size ", m_cellSize, " and attributes ", m_attributes, ")");
 }
 
-#if ASSERT_ENABLED
 void PreciseAllocation::assertValidCell(VM& vm, HeapCell* cell) const
 {
-    ASSERT(&vm == &this->vm());
-    ASSERT(cell == this->cell());
-    ASSERT(m_hasValidCell);
+    RELEASE_ASSERT(&vm == &this->vm());
+    RELEASE_ASSERT(cell == this->cell());
+    RELEASE_ASSERT(m_hasValidCell);
 }
-#endif
 
 } // namespace JSC
-

Source/JavaScriptCore/heap/PreciseAllocation.h

@@ -139,11 +139,7 @@ class PreciseAllocation : public PackedRawSentinelNode<PreciseAllocation> {
 
     void noteMarked() { }
 
-#if ASSERT_ENABLED
     void assertValidCell(VM&, HeapCell*) const;
-#else
-    void assertValidCell(VM&, HeapCell*) const { }
-#endif
 
     void sweep();
 
@@ -182,4 +178,3 @@ inline void* PreciseAllocation::basePointer() const
 }
 
 } // namespace JSC
-

Source/JavaScriptCore/heap/SlotVisitor.cpp

@@ -235,7 +235,7 @@ void SlotVisitor::appendHiddenSlow(JSCell* cell, Dependency dependency)
 
 ALWAYS_INLINE void SlotVisitor::appendHiddenSlowImpl(JSCell* cell, Dependency dependency)
 {
-    ASSERT(!m_isCheckingForDefaultMarkViolation);
+    RELEASE_ASSERT(!m_isCheckingForDefaultMarkViolation);
 
 #if ENABLE(GC_VALIDATION)
     validate(cell);
@@ -274,14 +274,14 @@ void SlotVisitor::appendToMarkStack(JSCell* cell)
 template<typename ContainerType>
 ALWAYS_INLINE void SlotVisitor::appendToMarkStack(ContainerType& container, JSCell* cell)
 {
-    ASSERT(m_heap.isMarked(cell));
-#if CPU(X86_64)
+    RELEASE_ASSERT(m_heap.isMarked(cell));
+
     if (UNLIKELY(Options::dumpZappedCellCrashData())) {
         if (UNLIKELY(cell->isZapped()))
             reportZappedCellAndCrash(m_heap, cell);
     }
-#endif
-    ASSERT(!cell->isZapped());
+
+    RELEASE_ASSERT(!cell->isZapped());
 
     container.noteMarked();
 
@@ -295,7 +295,7 @@ void SlotVisitor::markAuxiliary(const void* base)
 {
     HeapCell* cell = bitwise_cast<HeapCell*>(base);
 
-    ASSERT(cell->heap() == heap());
+    RELEASE_ASSERT(cell->heap() == heap());
 
     if (Heap::testAndSetMarked(m_markingVersion, cell))
         return;
@@ -344,7 +344,7 @@ class SetCurrentCellScope {
 
 ALWAYS_INLINE void SlotVisitor::visitChildren(const JSCell* cell)
 {
-    ASSERT(m_heap.isMarked(cell));
+    RELEASE_ASSERT(m_heap.isMarked(cell));
 
     SetCurrentCellScope currentCellScope(*this, cell);
 
@@ -380,7 +380,6 @@ ALWAYS_INLINE void SlotVisitor::visitChildren(const JSCell* cell)
     default:
         // FIXME: This could be so much better.
         // https://bugs.webkit.org/show_bug.cgi?id=162462
-#if CPU(X86_64)
         if (UNLIKELY(Options::dumpZappedCellCrashData())) {
             Structure* structure = cell->structure();
             if (LIKELY(structure)) {
@@ -390,7 +389,6 @@ ALWAYS_INLINE void SlotVisitor::visitChildren(const JSCell* cell)
             }
             reportZappedCellAndCrash(m_heap, const_cast<JSCell*>(cell));
         }
-#endif
         cell->methodTable()->visitChildren(const_cast<JSCell*>(cell), *this);
         break;
     }

Source/JavaScriptCore/runtime/JSCast.h

@@ -33,7 +33,7 @@ template<typename To, typename From>
 inline To jsCast(From* from)
 {
     static_assert(std::is_base_of<JSCell, typename std::remove_pointer<To>::type>::value && std::is_base_of<JSCell, typename std::remove_pointer<From>::type>::value, "JS casting expects that the types you are casting to/from are subclasses of JSCell");
-#if (ASSERT_ENABLED || ENABLE(SECURITY_ASSERTIONS)) && CPU(X86_64)
+#if (ASSERT_ENABLED || ENABLE(SECURITY_ASSERTIONS))
     if (from && !from->JSCell::inherits(std::remove_pointer<To>::type::info()))
         reportZappedCellAndCrash(*from->JSCell::heap(), from);
 #else

Source/JavaScriptCore/runtime/JSCell.cpp

@@ -259,7 +259,6 @@ void JSCellLock::unlockSlow()
     IndexingTypeLockAlgorithm::unlockSlow(*lock);
 }
 
-#if CPU(X86_64)
 NEVER_INLINE NO_RETURN_DUE_TO_CRASH NOT_TAIL_CALLED void reportZappedCellAndCrash(Heap& heap, const JSCell* cell)
 {
     MarkedBlock::Handle* foundBlockHandle = nullptr;
@@ -336,6 +335,5 @@ NEVER_INLINE NO_RETURN_DUE_TO_CRASH NOT_TAIL_CALLED void reportZappedCellAndCras
 
     CRASH_WITH_INFO(cellAddress, headerWord, zapReasonAndMore, subspaceHash, cellSize, foundBlock, variousState);
 }
-#endif // CPU(X86_64)
 
 } // namespace JSC

Source/JavaScriptCore/runtime/JSCell.h

@@ -297,8 +297,6 @@ inline auto subspaceForConcurrently(VM& vm)
     return Type::template subspaceFor<Type, SubspaceAccess::Concurrently>(vm);
 }
 
-#if CPU(X86_64)
 JS_EXPORT_PRIVATE NEVER_INLINE NO_RETURN_DUE_TO_CRASH NOT_TAIL_CALLED void reportZappedCellAndCrash(Heap&, const JSCell*);
-#endif
 
 } // namespace JSC

Source/JavaScriptCore/runtime/JSCellInlines.h

@@ -52,7 +52,7 @@ namespace JSC {
 inline JSCell::JSCell(CreatingEarlyCellTag)
     : m_cellState(CellState::DefinitelyWhite)
 {
-    ASSERT(!isCompilationThread());
+    RELEASE_ASSERT(!isCompilationThread());
 }
 
 inline JSCell::JSCell(VM&, Structure* structure)
@@ -62,7 +62,7 @@ inline JSCell::JSCell(VM&, Structure* structure)
     , m_flags(structure->typeInfo().inlineTypeFlags())
     , m_cellState(CellState::DefinitelyWhite)
 {
-    ASSERT(!isCompilationThread());
+    RELEASE_ASSERT(!isCompilationThread());
 
     // Note that in the constructor initializer list above, we are only using values
     // inside structure but not necessarily the structure pointer itself. All these
@@ -84,18 +84,18 @@ inline void JSCell::finishCreation(VM& vm)
     // to make sure that none of our stores sink below here.
     vm.mutatorFence();
 #if ENABLE(GC_VALIDATION)
-    ASSERT(vm.isInitializingObject());
+    RELEASE_ASSERT(vm.isInitializingObject());
     vm.setInitializingObjectClass(0);
 #else
     UNUSED_PARAM(vm);
 #endif
-    ASSERT(m_structureID);
+    RELEASE_ASSERT(m_structureID);
 }
 
 inline void JSCell::finishCreation(VM& vm, Structure* structure, CreatingEarlyCellTag)
 {
 #if ENABLE(GC_VALIDATION)
-    ASSERT(vm.isInitializingObject());
+    RELEASE_ASSERT(vm.isInitializingObject());
     vm.setInitializingObjectClass(0);
     if (structure) {
 #endif
@@ -109,7 +109,7 @@ inline void JSCell::finishCreation(VM& vm, Structure* structure, CreatingEarlyCe
     UNUSED_PARAM(vm);
 #endif
     // Very first set of allocations won't have a real structure.
-    ASSERT(m_structureID || !vm.structureStructure);
+    RELEASE_ASSERT(m_structureID || !vm.structureStructure);
 }
 
 inline JSType JSCell::type() const
@@ -170,15 +170,15 @@ inline Allocator allocatorForConcurrently(VM& vm, size_t allocationSize, Allocat
 template<typename T, AllocationFailureMode failureMode>
 ALWAYS_INLINE void* tryAllocateCellHelper(VM& vm, size_t size, GCDeferralContext* deferralContext)
 {
-    ASSERT(deferralContext || vm.heap.isDeferred() || !DisallowGC::isInEffectOnCurrentThread());
-    ASSERT(size >= sizeof(T));
+    RELEASE_ASSERT(deferralContext || vm.heap.isDeferred() || !DisallowGC::isInEffectOnCurrentThread());
+    RELEASE_ASSERT(size >= sizeof(T));
     JSCell* result = static_cast<JSCell*>(subspaceFor<T>(vm)->allocate(vm, size, deferralContext, failureMode));
     if constexpr (failureMode == AllocationFailureMode::ReturnNull) {
         if (!result)
             return nullptr;
     }
 #if ENABLE(GC_VALIDATION)
-    ASSERT(!vm.isInitializingObject());
+    RELEASE_ASSERT(!vm.isInitializingObject());
     vm.setInitializingObjectClass(T::info());
 #endif
     result->clearStructure();
@@ -298,16 +298,16 @@ inline bool JSCell::isAPIValueWrapper() const
 
 ALWAYS_INLINE void JSCell::setStructure(VM& vm, Structure* structure)
 {
-    ASSERT(structure->classInfoForCells() == this->structure()->classInfoForCells());
-    ASSERT(!this->structure()
+    RELEASE_ASSERT(structure->classInfoForCells() == this->structure()->classInfoForCells());
+    RELEASE_ASSERT(!this->structure()
         || this->structure()->transitionWatchpointSetHasBeenInvalidated()
         || structure->id().decode() == structure);
     m_structureID = structure->id();
     m_flags = TypeInfo::mergeInlineTypeFlags(structure->typeInfo().inlineTypeFlags(), m_flags);
     m_type = structure->typeInfo().type();
     IndexingType newIndexingType = structure->indexingModeIncludingHistory();
     if (m_indexingTypeAndMisc != newIndexingType) {
-        ASSERT(!(newIndexingType & ~AllArrayTypesAndHistory));
+        RELEASE_ASSERT(!(newIndexingType & ~AllArrayTypesAndHistory));
         for (;;) {
             IndexingType oldValue = m_indexingTypeAndMisc;
             IndexingType newValue = (oldValue & ~AllArrayTypesAndHistory) | structure->indexingModeIncludingHistory();
@@ -321,10 +321,8 @@ ALWAYS_INLINE void JSCell::setStructure(VM& vm, Structure* structure)
 inline const MethodTable* JSCell::methodTable() const
 {
     Structure* structure = this->structure();
-#if ASSERT_ENABLED
     if (Structure* rootStructure = structure->structure())
-        ASSERT(rootStructure == rootStructure->structure());
-#endif
+        RELEASE_ASSERT(rootStructure == rootStructure->structure());
     return &structure->classInfoForCells()->methodTable;
 }
 
@@ -362,7 +360,7 @@ ALWAYS_INLINE const ClassInfo* JSCell::classInfo() const
     // destructing the object. The GC thread or JIT threads, unlike the mutator thread, are able to access classInfo
     // independent of whether the mutator thread is sweeping or not. Hence, we also check for !currentThreadIsHoldingAPILock()
     // to allow the GC thread or JIT threads to pass this assertion.
-    ASSERT(vm().heap.mutatorState() != MutatorState::Sweeping || !vm().currentThreadIsHoldingAPILock());
+    RELEASE_ASSERT(vm().heap.mutatorState() != MutatorState::Sweeping || !vm().currentThreadIsHoldingAPILock());
     return structure()->classInfoForCells();
 }
 

Source/JavaScriptCore/runtime/OptionsList.h

@@ -213,14 +213,14 @@ bool canUseWebAssemblyFastMemory();
     v(Double, gcIncrementBytes, 10000, Normal, nullptr) \
     v(Double, gcIncrementMaxBytes, 100000, Normal, nullptr) \
     v(Double, gcIncrementScale, 0, Normal, nullptr) \
-    v(Bool, scribbleFreeCells, false, Normal, nullptr) \
+    v(Bool, scribbleFreeCells, true, Normal, nullptr) \
     v(Double, sizeClassProgression, 1.4, Normal, nullptr) \
     v(Unsigned, preciseAllocationCutoff, 100000, Normal, nullptr) \
     v(Bool, dumpSizeClasses, false, Normal, nullptr) \
     v(Bool, useBumpAllocator, true, Normal, nullptr) \
-    v(Bool, stealEmptyBlocksFromOtherAllocators, true, Normal, nullptr) \
+    v(Bool, stealEmptyBlocksFromOtherAllocators, false, Normal, nullptr) \
     v(Bool, eagerlyUpdateTopCallFrame, false, Normal, nullptr) \
-    v(Bool, dumpZappedCellCrashData, false, Normal, nullptr) \
+    v(Bool, dumpZappedCellCrashData, true, Normal, nullptr) \
     \
     v(Bool, useOSREntryToDFG, true, Normal, nullptr) \
     v(Bool, useOSREntryToFTL, true, Normal, nullptr) \
@@ -349,9 +349,9 @@ bool canUseWebAssemblyFastMemory();
     v(Bool, forceWeakRandomSeed, false, Normal, nullptr) \
     v(Unsigned, forcedWeakRandomSeed, 0, Normal, nullptr) \
     \
-    v(Bool, useZombieMode, false, Normal, "debugging option to scribble over dead objects with 0xbadbeef0") \
+    v(Bool, useZombieMode, true, Normal, "debugging option to scribble over dead objects with 0xbadbeef0") \
     v(Bool, useImmortalObjects, false, Normal, "debugging option to keep all objects alive forever") \
-    v(Bool, sweepSynchronously, false, Normal, "debugging option to sweep all dead objects synchronously at GC end before resuming mutator") \
+    v(Bool, sweepSynchronously, true, Normal, "debugging option to sweep all dead objects synchronously at GC end before resuming mutator") \
     v(Unsigned, maxSingleAllocationSize, 0, Configurable, "debugging option to limit individual allocations to a max size (0 = limit not set, N = limit size in bytes)") \
     \
     v(GCLogLevel, logGC, GCLogging::None, Normal, "debugging option to log GC activity (0 = None, 1 = Basic, 2 = Verbose)") \