[webkit-changes] [225352] trunk

[mark . lam]

Title: [225352] trunk

Revision

225352

Author

mark....@apple.com

Date

2017-11-30 14:51:59 -0800 (Thu, 30 Nov 2017)

Log Message

jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
https://bugs.webkit.org/show_bug.cgi?id=180219
<rdar://problem/35696536>

Reviewed by Filip Pizlo.

JSTests:

* stress/regress-180219.js: Added.

Source/_javascript_Core:

* jsc.cpp:
(functionFlashHeapAccess):

Modified Paths

• trunk/JSTests/ChangeLog
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/jsc.cpp

Added Paths

• trunk/JSTests/stress/regress-180219.js

Diff

Modified: trunk/JSTests/ChangeLog (225351 => 225352)

--- trunk/JSTests/ChangeLog	2017-11-30 22:35:25 UTC (rev 225351)
+++ trunk/JSTests/ChangeLog	2017-11-30 22:51:59 UTC (rev 225352)
@@ -1,3 +1,13 @@
+2017-11-30  Mark Lam  <mark....@apple.com>
+
+        jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
+        https://bugs.webkit.org/show_bug.cgi?id=180219
+        <rdar://problem/35696536>
+
+        Reviewed by Filip Pizlo.
+
+        * stress/regress-180219.js: Added.
+
 2017-11-30  Yusuke Suzuki  <utatane....@gmail.com>
 
         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t

Added: trunk/JSTests/stress/regress-180219.js (0 => 225352)

--- trunk/JSTests/stress/regress-180219.js	                        (rev 0)
+++ trunk/JSTests/stress/regress-180219.js	2017-11-30 22:51:59 UTC (rev 225352)
@@ -0,0 +1,3 @@
+//@ runDefault
+gc();
+flashHeapAccess({});

Modified: trunk/Source/_javascript_Core/ChangeLog (225351 => 225352)

--- trunk/Source/_javascript_Core/ChangeLog	2017-11-30 22:35:25 UTC (rev 225351)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-11-30 22:51:59 UTC (rev 225352)
@@ -1,3 +1,14 @@
+2017-11-30  Mark Lam  <mark....@apple.com>
+
+        jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
+        https://bugs.webkit.org/show_bug.cgi?id=180219
+        <rdar://problem/35696536>
+
+        Reviewed by Filip Pizlo.
+
+        * jsc.cpp:
+        (functionFlashHeapAccess):
+
 2017-11-30  Yusuke Suzuki  <utatane....@gmail.com>
 
         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t

Modified: trunk/Source/_javascript_Core/jsc.cpp (225351 => 225352)

--- trunk/Source/_javascript_Core/jsc.cpp	2017-11-30 22:35:25 UTC (rev 225351)
+++ trunk/Source/_javascript_Core/jsc.cpp	2017-11-30 22:51:59 UTC (rev 225352)
@@ -1720,12 +1720,15 @@
     VM& vm = exec->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
     
-    vm.heap.releaseAccess();
+    double sleepTimeMs = 0;
     if (exec->argumentCount() >= 1) {
-        double ms = exec->argument(0).toNumber(exec);
+        sleepTimeMs = exec->argument(0).toNumber(exec);
         RETURN_IF_EXCEPTION(scope, encodedJSValue());
-        sleep(Seconds::fromMilliseconds(ms));
     }
+
+    vm.heap.releaseAccess();
+    if (sleepTimeMs)
+        sleep(Seconds::fromMilliseconds(sleepTimeMs));
     vm.heap.acquireAccess();
     return JSValue::encode(jsUndefined());
 }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes