Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 1d96c3185c84598869508e1ac51538952efb7912
  https://github.com/WebKit/WebKit/commit/1d96c3185c84598869508e1ac51538952efb7912
Author: Yusuke Suzuki <ysuz...@apple.com>
Date: 2024-05-01 (Wed, 01 May 2024)

Changed paths:
  M Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp
  M Source/JavaScriptCore/jit/GCAwareJITStubRoutine.h

Log Message:
-----------
REGRESSION(278148@main): random crashes under JSC::WatchpointSet::fireAllWatchpoints
https://bugs.webkit.org/show_bug.cgi?id=273467
rdar://127346958

Reviewed by Justin Michaud, Keith Miller and Mark Lam.

PolymorphicAccessJITStubRoutine::invalidate clears StructureStubInfo, and this may deref PolymorphicAccessJITStubRoutine itself held by InlineCacheHandler. But at the same time, PolymorphicAccessJITStubRoutine is half-GC-managed, so this `invalidate` function can be called when PolymorphicAccessJITStubRoutine's refCount is zero, and will be destroyed by GC. So, in this patch,

1. We just clear WatchpointSet when PolymorphicAccessJITStubRoutine's refCount becomes zero.
2. Inside PolymorphicAccessJITStubRoutine::invalidate, we just capture WatchpointSet and fire them all instead of keeping PolymorphicAccessJITStubRoutine alive.

* Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp:
(JSC::PolymorphicAccessJITStubRoutine::invalidate):

Canonical link: https://commits.webkit.org/278223@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
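The lifetime hazard the commit message describes, as an added C++ model that is not WebKit code: `Routine`, `Handler`, `StubInfo` and `WatchpointSet` below are hypothetical stand-ins for PolymorphicAccessJITStubRoutine, InlineCacheHandler, StructureStubInfo and WatchpointSet; GC destruction is simulated by a flag plus member teardown rather than a real free; and the scenario (three watchpoints, a single strong reference held by the handler inside the stub info) is constructed here. `invalidateUnsafe` has the pre-patch shape, where clearing the stub info drops the last reference to `this` and the watchpoints are then fired through the dead object; `invalidateSafe` follows the two steps in the message, moving the set out before anything that can deref `this` and never trying to keep the routine alive.

```cpp
// Added model of the lifetime bug in the commit message. Not JSC code: Routine,
// Handler, StubInfo and WatchpointSet are hypothetical stand-ins, and GC
// destruction is simulated (a sanitizer would report heap-use-after-free).
#include <cstdio>
#include <memory>
#include <utility>
#include <vector>

// One watchpoint just bumps a counter when fired.
struct Watchpoint {
    int* counter;
    void fire() { ++*counter; }
};

// Stand-in for WatchpointSet: fires every member once and returns how many fired.
struct WatchpointSet {
    std::vector<Watchpoint> members;
    int fireAll() {
        int fired = 0;
        for (Watchpoint& w : members) {
            w.fire();
            ++fired;
        }
        members.clear();
        return fired;
    }
};

struct Routine;

// Stand-in for InlineCacheHandler: owns one strong reference to the routine.
struct Handler {
    explicit Handler(Routine* r);
    ~Handler();
    Routine* routine;
};

// Stand-in for StructureStubInfo: owns the handler; clearing it drops that reference.
struct StubInfo {
    std::unique_ptr<Handler> handler;
    void clear() { handler.reset(); }
};

struct Routine {
    int refCount = 0;
    bool destroyed = false;   // models "refCount hit zero; the GC is free to sweep this"
    WatchpointSet watchpoints;
    StubInfo* stubInfo = nullptr;

    void ref() { ++refCount; }
    void deref() {
        if (--refCount == 0) {
            // Only the GC keeps the object now and may destroy it at any time;
            // tearing the members down here stands in for that destruction.
            destroyed = true;
            watchpoints.members.clear();
        }
    }

    // Pre-patch shape: clearing the stub info derefs `this` through the handler,
    // possibly to zero, and `this->watchpoints` is used afterwards anyway.
    int invalidateUnsafe() {
        if (stubInfo)
            stubInfo->clear();        // may drop the last reference to `this`
        return watchpoints.fireAll(); // use of `this` after it may be gone
    }

    // Patched shape: move the WatchpointSet into a local before anything that
    // can deref `this`, then fire the local. Taking a ref() to keep `this`
    // alive is not an option, because invalidate can legitimately run while
    // refCount is already zero (GC-owned), and ref()/deref() from zero would
    // resurrect and re-destroy the object.
    int invalidateSafe() {
        WatchpointSet captured = std::move(watchpoints);
        if (stubInfo)
            stubInfo->clear();        // `this` may be destroyed here; not needed any more
        return captured.fireAll();    // fires from the stack copy, never touches `this`
    }
};

Handler::Handler(Routine* r) : routine(r) { routine->ref(); }
Handler::~Handler() { routine->deref(); }

struct Outcome {
    int fired;            // watchpoints actually fired by invalidate()
    bool destroyedDuring; // did the last reference go away inside invalidate()?
};

// Constructed scenario: the handler inside the stub info holds the routine's
// only strong reference, so invalidate() itself triggers the deref to zero.
Outcome runInvalidate(bool useSafeVersion) {
    int counter = 0;
    Routine routine;
    routine.watchpoints.members = { {&counter}, {&counter}, {&counter} };
    StubInfo stubInfo;
    stubInfo.handler = std::make_unique<Handler>(&routine); // refCount -> 1
    routine.stubInfo = &stubInfo;
    int fired = useSafeVersion ? routine.invalidateSafe() : routine.invalidateUnsafe();
    return { fired, routine.destroyed };
}

int main() {
    Outcome bad = runInvalidate(false), good = runInvalidate(true);
    std::printf("unsafe: fired %d, destroyed during invalidate: %d\n", bad.fired, bad.destroyedDuring);
    std::printf("safe:   fired %d, destroyed during invalidate: %d\n", good.fired, good.destroyedDuring);
    return 0;
}
```

In both runs the routine loses its last reference inside invalidate; only the patched shape still fires all three watchpoints, because the set was captured before the deref rather than read back through the destroyed object.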