Title: [254523] trunk/Source/_javascript_Core
- Revision
- 254523
- Author
- [email protected]
- Date
- 2020-01-14 12:00:45 -0800 (Tue, 14 Jan 2020)
Log Message
Web Inspector: crash in DumpRenderTree at com.apple._javascript_Core: WTF::RefCountedBase::hasOneRef const
https://bugs.webkit.org/show_bug.cgi?id=206191
<rdar://problem/58415623>
Reviewed by Joseph Pecoraro.
* debugger/Debugger.cpp:
(JSC::Debugger::attach):
(GatherSourceProviders::GatherSourceProviders): Deleted.
(GatherSourceProviders::operator()): Deleted.
Use `RefPtr<SourceProvider>` instead of `SourceProvider*` in case the `FunctionExecutable`
is destroyed after the `SourceProvider*` is saved, which would destroy the `SourceProvider`
as well.
Modified: trunk/Source/_javascript_Core/ChangeLog (254522 => 254523)
--- trunk/Source/_javascript_Core/ChangeLog 2020-01-14 19:37:23 UTC (rev 254522)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-01-14 20:00:45 UTC (rev 254523)
@@ -1,3 +1,19 @@
+2020-01-14 Devin Rousso <[email protected]>
+
+ Web Inspector: crash in DumpRenderTree at com.apple._javascript_Core: WTF::RefCountedBase::hasOneRef const
+ https://bugs.webkit.org/show_bug.cgi?id=206191
+ <rdar://problem/58415623>
+
+ Reviewed by Joseph Pecoraro.
+
+ * debugger/Debugger.cpp:
+ (JSC::Debugger::attach):
+ (GatherSourceProviders::GatherSourceProviders): Deleted.
+ (GatherSourceProviders::operator()): Deleted.
+ Use `RefPtr<SourceProvider>` instead of `SourceProvider*` in case the `FunctionExecutable`
+ is destroyed after the `SourceProvider*` is saved, which would destroy the `SourceProvider`
+ as well.
+
2020-01-14 Saam Barati <[email protected]>
Add an option that enables/disables throwing away baseline JIT code
Modified: trunk/Source/_javascript_Core/debugger/Debugger.cpp (254522 => 254523)
--- trunk/Source/_javascript_Core/debugger/Debugger.cpp 2020-01-14 19:37:23 UTC (rev 254522)
+++ trunk/Source/_javascript_Core/debugger/Debugger.cpp 2020-01-14 20:00:45 UTC (rev 254523)
@@ -36,47 +36,6 @@
#include "Protect.h"
#include "VMEntryScope.h"
-namespace {
-
-using namespace JSC;
-
-struct GatherSourceProviders : public MarkedBlock::VoidFunctor {
- // FIXME: This is a mutable field because this isn't a C++ lambda.
- // https://bugs.webkit.org/show_bug.cgi?id=159644
- mutable HashSet<SourceProvider*> sourceProviders;
- JSGlobalObject* m_globalObject;
-
- GatherSourceProviders(JSGlobalObject* globalObject)
- : m_globalObject(globalObject) { }
-
- IterationStatus operator()(HeapCell* heapCell, HeapCell::Kind kind) const
- {
- if (!isJSCellKind(kind))
- return IterationStatus::Continue;
-
- JSCell* cell = static_cast<JSCell*>(heapCell);
-
- JSFunction* function = jsDynamicCast<JSFunction*>(cell->vm(), cell);
- if (!function)
- return IterationStatus::Continue;
-
- if (function->scope()->globalObject() != m_globalObject)
- return IterationStatus::Continue;
-
- if (!function->executable()->isFunctionExecutable())
- return IterationStatus::Continue;
-
- if (function->isHostOrBuiltinFunction())
- return IterationStatus::Continue;
-
- sourceProviders.add(
- jsCast<FunctionExecutable*>(function->executable())->source().provider());
- return IterationStatus::Continue;
- }
-};
-
-} // namespace
-
namespace JSC {
class DebuggerPausedScope {
@@ -157,14 +116,23 @@
m_vm.setShouldBuildPCToCodeOriginMapping();
- // Call sourceParsed because it will execute _javascript_ in the inspector.
- GatherSourceProviders gatherSourceProviders(globalObject);
+ // Call `sourceParsed` after iterating because it will execute _javascript_ in Web Inspector.
+ HashSet<RefPtr<SourceProvider>> sourceProviders;
{
HeapIterationScope iterationScope(m_vm.heap);
- m_vm.heap.objectSpace().forEachLiveCell(iterationScope, gatherSourceProviders);
+ m_vm.heap.objectSpace().forEachLiveCell(iterationScope, [&] (HeapCell* heapCell, HeapCell::Kind kind) {
+ if (isJSCellKind(kind)) {
+ auto* cell = static_cast<JSCell*>(heapCell);
+ if (auto* function = jsDynamicCast<JSFunction*>(cell->vm(), cell)) {
+ if (function->scope()->globalObject() == globalObject && function->executable()->isFunctionExecutable() && !function->isHostOrBuiltinFunction())
+ sourceProviders.add(jsCast<FunctionExecutable*>(function->executable())->source().provider());
+ }
+ }
+ return IterationStatus::Continue;
+ });
}
- for (auto* sourceProvider : gatherSourceProviders.sourceProviders)
- sourceParsed(globalObject, sourceProvider, -1, String());
+ for (auto& sourceProvider : sourceProviders)
+ sourceParsed(globalObject, sourceProvider.get(), -1, nullString());
}
void Debugger::detach(JSGlobalObject* globalObject, ReasonForDetach reason)
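Review bot: The `HashSet<RefPtr<SourceProvider>> sourceProviders;` declaration in the second hunk is the whole fix, yet nothing at the declaration says why a ref is held — the adjacent comment only notes that `sourceParsed` executes JavaScript — so a later cleanup could plausibly revert it to raw pointers and reintroduce the use-after-free the ChangeLog describes. I would extend the comment to `// Hold a ref: sourceParsed() runs script, which can destroy the FunctionExecutable that owns a provider gathered here (webkit.org/b/206191).` As a point of style, the three nested `if`s in the lambda read less clearly than the guard clauses of the deleted functor; `if (!isJSCellKind(kind)) return IterationStatus::Continue;` and the same early returns for the remaining conditions would keep the old shape, and a local `auto* executable = function->executable();` would avoid the repeated call. Debugger::attach begins outside the hunk, and the `[&]` capture looks safe only because the lambda is consumed synchronously inside the HeapIterationScope — worth confirming it is never stored.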