Title: [255009] branches/safari-609-branch/Source/_javascript_Core
Revision
255009
Author
[email protected]
Date
2020-01-23 13:43:31 -0800 (Thu, 23 Jan 2020)

Log Message

Cherry-pick r254523. rdar://problem/58606225

    Web Inspector: crash in DumpRenderTree at com.apple._javascript_Core: WTF::RefCountedBase::hasOneRef const
    https://bugs.webkit.org/show_bug.cgi?id=206191
    <rdar://problem/58415623>

    Reviewed by Joseph Pecoraro.

    * debugger/Debugger.cpp:
    (JSC::Debugger::attach):
    (GatherSourceProviders::GatherSourceProviders): Deleted.
    (GatherSourceProviders::operator()): Deleted.
    Use `RefPtr<SourceProvider>` instead of `SourceProvider*` in case the `FunctionExecutable`
    is destroyed after the `SourceProvider*` is saved, which would destroy the `SourceProvider`
    as well.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254523 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-609-branch/Source/_javascript_Core/ChangeLog (255008 => 255009)


--- branches/safari-609-branch/Source/_javascript_Core/ChangeLog	2020-01-23 21:43:29 UTC (rev 255008)
+++ branches/safari-609-branch/Source/_javascript_Core/ChangeLog	2020-01-23 21:43:31 UTC (rev 255009)
@@ -1,3 +1,40 @@
+2020-01-23  Russell Epstein  <[email protected]>
+
+        Cherry-pick r254523. rdar://problem/58606225
+
+    Web Inspector: crash in DumpRenderTree at com.apple._javascript_Core: WTF::RefCountedBase::hasOneRef const
+    https://bugs.webkit.org/show_bug.cgi?id=206191
+    <rdar://problem/58415623>
+    
+    Reviewed by Joseph Pecoraro.
+    
+    * debugger/Debugger.cpp:
+    (JSC::Debugger::attach):
+    (GatherSourceProviders::GatherSourceProviders): Deleted.
+    (GatherSourceProviders::operator()): Deleted.
+    Use `RefPtr<SourceProvider>` instead of `SourceProvider*` in case the `FunctionExecutable`
+    is destroyed after the `SourceProvider*` is saved, which would destroy the `SourceProvider`
+    as well.
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@254523 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-01-14  Devin Rousso  <[email protected]>
+
+            Web Inspector: crash in DumpRenderTree at com.apple._javascript_Core: WTF::RefCountedBase::hasOneRef const
+            https://bugs.webkit.org/show_bug.cgi?id=206191
+            <rdar://problem/58415623>
+
+            Reviewed by Joseph Pecoraro.
+
+            * debugger/Debugger.cpp:
+            (JSC::Debugger::attach):
+            (GatherSourceProviders::GatherSourceProviders): Deleted.
+            (GatherSourceProviders::operator()): Deleted.
+            Use `RefPtr<SourceProvider>` instead of `SourceProvider*` in case the `FunctionExecutable`
+            is destroyed after the `SourceProvider*` is saved, which would destroy the `SourceProvider`
+            as well.
+
 2020-01-21  Alan Coon  <[email protected]>
 
         Cherry-pick r254632. rdar://problem/58764714

Modified: branches/safari-609-branch/Source/_javascript_Core/debugger/Debugger.cpp (255008 => 255009)


--- branches/safari-609-branch/Source/_javascript_Core/debugger/Debugger.cpp	2020-01-23 21:43:29 UTC (rev 255008)
+++ branches/safari-609-branch/Source/_javascript_Core/debugger/Debugger.cpp	2020-01-23 21:43:31 UTC (rev 255009)
@@ -36,47 +36,6 @@
 #include "Protect.h"
 #include "VMEntryScope.h"
 
-namespace {
-
-using namespace JSC;
-
-struct GatherSourceProviders : public MarkedBlock::VoidFunctor {
-    // FIXME: This is a mutable field because this isn't a C++ lambda.
-    // https://bugs.webkit.org/show_bug.cgi?id=159644
-    mutable HashSet<SourceProvider*> sourceProviders;
-    JSGlobalObject* m_globalObject;
-
-    GatherSourceProviders(JSGlobalObject* globalObject)
-        : m_globalObject(globalObject) { }
-
-    IterationStatus operator()(HeapCell* heapCell, HeapCell::Kind kind) const
-    {
-        if (!isJSCellKind(kind))
-            return IterationStatus::Continue;
-        
-        JSCell* cell = static_cast<JSCell*>(heapCell);
-        
-        JSFunction* function = jsDynamicCast<JSFunction*>(cell->vm(), cell);
-        if (!function)
-            return IterationStatus::Continue;
-
-        if (function->scope()->globalObject() != m_globalObject)
-            return IterationStatus::Continue;
-
-        if (!function->executable()->isFunctionExecutable())
-            return IterationStatus::Continue;
-
-        if (function->isHostOrBuiltinFunction())
-            return IterationStatus::Continue;
-
-        sourceProviders.add(
-            jsCast<FunctionExecutable*>(function->executable())->source().provider());
-        return IterationStatus::Continue;
-    }
-};
-
-} // namespace
-
 namespace JSC {
 
 class DebuggerPausedScope {
@@ -157,14 +116,23 @@
 
     m_vm.setShouldBuildPCToCodeOriginMapping();
 
-    // Call sourceParsed because it will execute _javascript_ in the inspector.
-    GatherSourceProviders gatherSourceProviders(globalObject);
+    // Call `sourceParsed` after iterating because it will execute _javascript_ in Web Inspector.
+    HashSet<RefPtr<SourceProvider>> sourceProviders;
     {
         HeapIterationScope iterationScope(m_vm.heap);
-        m_vm.heap.objectSpace().forEachLiveCell(iterationScope, gatherSourceProviders);
+        m_vm.heap.objectSpace().forEachLiveCell(iterationScope, [&] (HeapCell* heapCell, HeapCell::Kind kind) {
+            if (isJSCellKind(kind)) {
+                auto* cell = static_cast<JSCell*>(heapCell);
+                if (auto* function = jsDynamicCast<JSFunction*>(cell->vm(), cell)) {
+                    if (function->scope()->globalObject() == globalObject && function->executable()->isFunctionExecutable() && !function->isHostOrBuiltinFunction())
+                        sourceProviders.add(jsCast<FunctionExecutable*>(function->executable())->source().provider());
+                }
+            }
+            return IterationStatus::Continue;
+        });
     }
-    for (auto* sourceProvider : gatherSourceProviders.sourceProviders)
-        sourceParsed(globalObject, sourceProvider, -1, String());
+    for (auto& sourceProvider : sourceProviders)
+        sourceParsed(globalObject, sourceProvider.get(), -1, nullString());
 }
 
 void Debugger::detach(JSGlobalObject* globalObject, ReasonForDetach reason)
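Review bot: The comment added at the `HashSet<RefPtr<SourceProvider>> sourceProviders;` line explains why `sourceParsed` is deferred until after iteration, but not why the set now holds `RefPtr` rather than raw pointers — that reason lives only in the ChangeLog, and a future cleanup could reintroduce the dangling-pointer lifetime bug this commit fixes. I would add one line above the declaration: `// Keep the providers alive: sourceParsed() runs JavaScript, which may destroy a FunctionExecutable and with it the SourceProvider it owns.` The `sourceProvider.get()` passed to `sourceParsed` in the final loop is fine as a borrow because the RefPtr in the set outlives the call. Debugger::attach's body begins above this hunk.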