Title: [208426] trunk/Source/_javascript_Core
Revision
208426
Author
[email protected]
Date
2016-11-08 18:50:05 -0800 (Tue, 08 Nov 2016)

Log Message

REGRESSION: Crashes in StringImpl destructor during GC when clearing the HasOwnPropertyCache
https://bugs.webkit.org/show_bug.cgi?id=164433

Patch by Saam Barati <[email protected]> on 2016-11-08
Reviewed by Mark Lam.

Clearing the HasOwnPropertyCache will call deref() on the StringImpls
in the cache. We were doing this from the collector thread, which is
not allowed. It must be done from the mutator thread. We now clear the
cache in Heap::finalize() which happens before the mutator begins
executing JS after a collection happens.

* heap/Heap.cpp:
(JSC::Heap::collectInThread):
(JSC::Heap::finalize):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (208425 => 208426)


--- trunk/Source/_javascript_Core/ChangeLog	2016-11-09 02:02:37 UTC (rev 208425)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-11-09 02:50:05 UTC (rev 208426)
@@ -1,3 +1,20 @@
+2016-11-08  Saam Barati  <[email protected]>
+
+        REGRESSION: Crashes in StringImpl destructor during GC when clearing the HasOwnPropertyCache
+        https://bugs.webkit.org/show_bug.cgi?id=164433
+
+        Reviewed by Mark Lam.
+
+        Clearing the HasOwnPropertyCache will call deref() on the StringImpls
+        in the cache. We were doing this from the collector thread, which is
+        not allowed. It must be done from the mutator thread. We now clear the
+        cache in Heap::finalize() which happens before the mutator begins
+        executing JS after a collection happens.
+
+        * heap/Heap.cpp:
+        (JSC::Heap::collectInThread):
+        (JSC::Heap::finalize):
+
 2016-11-05  Konstantin Tokarev  <[email protected]>
 
         Fixed compilation of LLInt with MinGW
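Review bot: The ChangeLog entry for a crash regression lists no test. Even if the race is hard to reproduce deterministically, a stress test that populates the HasOwnPropertyCache and forces collections (so the clear now runs in Heap::finalize() under the same conditions) would guard against the clear being moved back onto the collector thread, and the entry should name it.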

Modified: trunk/Source/_javascript_Core/heap/Heap.cpp (208425 => 208426)


--- trunk/Source/_javascript_Core/heap/Heap.cpp	2016-11-09 02:02:37 UTC (rev 208425)
+++ trunk/Source/_javascript_Core/heap/Heap.cpp	2016-11-09 02:50:05 UTC (rev 208426)
@@ -1130,9 +1130,6 @@
     prepareForMarking();
     flushWriteBarrierBuffer();
         
-    if (HasOwnPropertyCache* cache = vm()->hasOwnPropertyCache())
-        cache->clear();
-        
     markRoots(gcStartTime);
         
     if (m_verifier) {
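Review bot: Removing the clear() here means cache entries now survive across markRoots() and the rest of the collection instead of being dropped before marking. That is only safe if nothing on the collector side consults the cache between this point and Heap::finalize(); it would help to state that invariant in a comment at the removal site (or in finalize()), since the cache is not a GC root and may reference StringImpls whose other owners are being collected.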
@@ -1470,6 +1467,8 @@
     deleteUnmarkedCompiledCode();
     deleteSourceProviderCaches();
     sweepLargeAllocations();
+    if (HasOwnPropertyCache* cache = vm()->hasOwnPropertyCache())
+        cache->clear();
 }
 
 Heap::Ticket Heap::requestCollection(Optional<CollectionScope> scope)
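Review bot: The two added lines carry no comment explaining why the clear must live in finalize() rather than in collectInThread(): the cache holds references to StringImpls, and deref() on them is only valid from the mutator thread. A brief comment above the `if (HasOwnPropertyCache* cache = vm()->hasOwnPropertyCache())` line, plus an assertion that finalize() runs on the mutator thread (in whatever form Heap already uses for that check), would make the constraint this fix depends on visible and enforced rather than implicit.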
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes