Title: [91579] branches/safari-534.51-branch/Source/_javascript_Core


Modified: branches/safari-534.51-branch/Source/_javascript_Core/ChangeLog (91578 => 91579)


--- branches/safari-534.51-branch/Source/_javascript_Core/ChangeLog	2011-07-22 18:25:57 UTC (rev 91578)
+++ branches/safari-534.51-branch/Source/_javascript_Core/ChangeLog	2011-07-22 18:28:33 UTC (rev 91579)
@@ -1,3 +1,29 @@
+2011-07-22  Lucas Forschler  <[email protected]>
+
+    Merged 89614. 
+
+    2011-07-01  Oliver Hunt  <[email protected]>
+
+        GC sweep can occur before an object is completely initialised
+        https://bugs.webkit.org/show_bug.cgi?id=63836
+
+        Reviewed by Gavin Barraclough.
+
+        In rare cases it's possible for a GC sweep to occur while a
+        live, but not completely initialised object is on the stack.
+        In such a case we may incorrectly choose to mark it, even
+        though it has no children that need marking.
+
+        We resolve this by always zeroing out the structure of any
+        value returned from JSCell::operator new(), and making the
+        markstack tolerant of a null structure. 
+
+        * runtime/JSCell.h:
+        (JSC::JSCell::JSCell::~JSCell):
+        (JSC::JSCell::JSCell::operator new):
+        * runtime/Structure.h:
+        (JSC::MarkStack::internalAppend):
+
 2011-07-21  Lucas Forschler  <[email protected]>
 
     Merged 89614. 

Modified: branches/safari-534.51-branch/Source/_javascript_Core/runtime/JSCell.h (91578 => 91579)


--- branches/safari-534.51-branch/Source/_javascript_Core/runtime/JSCell.h	2011-07-22 18:25:57 UTC (rev 91578)
+++ branches/safari-534.51-branch/Source/_javascript_Core/runtime/JSCell.h	2011-07-22 18:28:33 UTC (rev 91579)
@@ -183,6 +183,9 @@
 
     inline JSCell::~JSCell()
     {
+#if ENABLE(GC_VALIDATION)
+        m_structure.clear();
+#endif
     }
 
     inline Structure* JSCell::structure() const
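Review bot: The destructor clear is compiled in only under ENABLE(GC_VALIDATION), while the clears added to JSCell::operator new in the next hunk are unconditional, and nothing at the site says why the two differ. A one-line comment would stop a later reader from "fixing" the asymmetry in either direction, e.g. `// Validation-only: the allocation-side clear in operator new is the correctness fix; this one just keeps a destroyed cell from presenting a stale Structure to the mark path.` The destructor body is fully visible in the hunk; I infer the intent from the ChangeLog rather than from the code itself, so the wording should be confirmed with the author.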
@@ -411,12 +414,16 @@
 
     inline void* JSCell::operator new(size_t size, JSGlobalData* globalData)
     {
-        return globalData->heap.allocate(size);
+        JSCell* result = static_cast<JSCell*>(globalData->heap.allocate(size));
+        result->m_structure.clear();
+        return result;
     }
 
     inline void* JSCell::operator new(size_t size, ExecState* exec)
     {
-        return exec->heap()->allocate(size);
+        JSCell* result = static_cast<JSCell*>(exec->heap()->allocate(size));
+        result->m_structure.clear();
+        return result;
     }
 
 } // namespace JSC
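Review bot: Both operator new overloads now write `result->m_structure.clear()` into storage that has no constructed object yet, and the reason is only recorded in the ChangeLog, not at the two sites that depend on it (the same applies to the ExecState* overload below). A comment on the first overload would make the invariant that MarkStack::internalAppend relies on explicit, e.g. `// Null the structure before the constructor runs: a GC sweep that observes this cell before it is fully initialised must see a leaf (see MarkStack::internalAppend).` Note also that `result` is dereferenced without a null check; that is fine only if heap.allocate() is guaranteed never to return null, which I cannot confirm from this hunk, so a `ASSERT(result);` before the clear would document that assumption cheaply.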

Modified: branches/safari-534.51-branch/Source/_javascript_Core/runtime/Structure.h (91578 => 91579)


--- branches/safari-534.51-branch/Source/_javascript_Core/runtime/Structure.h	2011-07-22 18:25:57 UTC (rev 91578)
+++ branches/safari-534.51-branch/Source/_javascript_Core/runtime/Structure.h	2011-07-22 18:28:33 UTC (rev 91579)
@@ -303,7 +303,7 @@
         ASSERT(cell);
         if (Heap::testAndSetMarked(cell))
             return;
-        if (cell->structure()->typeInfo().type() >= CompoundType)
+        if (cell->structure() && cell->structure()->typeInfo().type() >= CompoundType)
             m_values.append(cell);
     }
 
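Review bot: The new condition calls `cell->structure()` twice, and the null case is tolerated silently even though it now carries a specific meaning (a cell allocated but not yet constructed, per the JSCell.h hunks). Hoisting the lookup both removes the repeat and gives the reason a place to live: `Structure* structure = cell->structure(); // null while JSCell::operator new has run but the constructor has not` followed by `if (structure && structure->typeInfo().type() >= CompoundType)`. Without the comment, a reader may take the null check for defensive noise and drop it, which would reintroduce the dereference of an uninitialised cell that this change removes. The enclosing function (internalAppend) begins above the hunk, so its signature is not visible here.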