Title: [95308] trunk/Source/_javascript_Core
- Revision
- 95308
- Author
- fpi...@apple.com
- Date
- 2011-09-16 11:43:25 -0700 (Fri, 16 Sep 2011)
Log Message
REGRESSION: Reproducible crash below SlotVisitor::harvestWeakReferences
using Domino's online ordering
https://bugs.webkit.org/show_bug.cgi?id=68220
Reviewed by Oliver Hunt.
Weak handle processing can result in new objects being marked, which
results in new WeakReferencesHarvesters being added. But weak
reference harvesters are only processed before weak handle processing,
so there's the risk that a weak reference harvester will persist
until the next collection, by which time it may have been deleted.
* heap/Heap.cpp:
(JSC::Heap::markRoots):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (95307 => 95308)
--- trunk/Source/_javascript_Core/ChangeLog 2011-09-16 18:32:01 UTC (rev 95307)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-09-16 18:43:25 UTC (rev 95308)
@@ -1,3 +1,20 @@
+2011-09-16 Filip Pizlo <fpi...@apple.com>
+
+ REGRESSION: Reproducible crash below SlotVisitor::harvestWeakReferences
+ using Domino's online ordering
+ https://bugs.webkit.org/show_bug.cgi?id=68220
+
+ Reviewed by Oliver Hunt.
+
+ Weak handle processing can result in new objects being marked, which
+ results in new WeakReferencesHarvesters being added. But weak
+ reference harvesters are only processed before weak handle processing,
+ so there's the risk that a weak reference harvester will persist
+ until the next collection, by which time it may have been deleted.
+
+ * heap/Heap.cpp:
+ (JSC::Heap::markRoots):
+
2011-09-16 Csaba Osztrogonác <o...@webkit.org>
REGRESSION(r95201): It made two tests fail
Modified: trunk/Source/_javascript_Core/heap/Heap.cpp (95307 => 95308)
--- trunk/Source/_javascript_Core/heap/Heap.cpp 2011-09-16 18:32:01 UTC (rev 95307)
+++ trunk/Source/_javascript_Core/heap/Heap.cpp 2011-09-16 18:43:25 UTC (rev 95308)
@@ -586,8 +586,6 @@
m_handleStack.visit(heapRootVisitor);
visitor.drain();
- harvestWeakReferences();
-
// Weak handles must be marked last, because their owners use the set of
// opaque roots to determine reachability.
int lastOpaqueRootCount;
@@ -598,6 +596,10 @@
// If the set of opaque roots has grown, more weak handles may have become reachable.
} while (lastOpaqueRootCount != visitor.opaqueRootCount());
+ // Need to call this here because weak handle processing could add weak
+ // reference harvesters.
+ harvestWeakReferences();
+
visitor.reset();
m_operationInProgress = NoOperation;
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
