Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1d96c3185c84598869508e1ac51538952efb7912
      
https://github.com/WebKit/WebKit/commit/1d96c3185c84598869508e1ac51538952efb7912
  Author: Yusuke Suzuki <ysuz...@apple.com>
  Date:   2024-05-01 (Wed, 01 May 2024)

  Changed paths:
    M Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp
    M Source/JavaScriptCore/jit/GCAwareJITStubRoutine.h

  Log Message:
  -----------
REGRESSION(278148@main): random crashes under JSC::WatchpointSet::fireAllWatchpoints
https://bugs.webkit.org/show_bug.cgi?id=273467
rdar://127346958

Reviewed by Justin Michaud, Keith Miller and Mark Lam.

PolymorphicAccessJITStubRoutine::invalidate clears StructureStubInfo, and this may deref PolymorphicAccessJITStubRoutine itself held by InlineCacheHandler. But at the same time, PolymorphicAccessJITStubRoutine is half-GC-managed, so this `invalidate` function can be called when PolymorphicAccessJITStubRoutine's refCount is zero, and will be destroyed by GC.

So, in this patch,

1. We just clear WatchpointSet when PolymorphicAccessJITStubRoutine's refCount becomes zero.
2. Inside PolymorphicAccessJITStubRoutine::invalidate, we just capture WatchpointSet and fire them all instead of keeping PolymorphicAccessJITStubRoutine alive.

* Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp:
(JSC::PolymorphicAccessJITStubRoutine::invalidate):

Canonical link: https://commits.webkit.org/278223@main
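As an added illustration of the lifetime pattern the commit message describes (this is not WebKit's code; WatchpointSet, StubRoutine and runScenario are hypothetical stand-ins, and the routine's half-GC-managed ownership is simplified to a single shared_ptr), the C++ below shows invalidate() capturing its watchpoint sets before firing them, so that a watcher releasing the routine's last reference mid-fire does not leave invalidate() touching freed memory:

```cpp
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical stand-ins for JSC's WatchpointSet and PolymorphicAccessJITStubRoutine.
struct WatchpointSet {
    std::vector<std::function<void()>> watchers;
    void fireAllWatchpoints() {
        auto pending = std::move(watchers);   // fire from a local: a watcher may mutate the set
        for (auto& watcher : pending)
            watcher();
    }
};

struct StubRoutine {
    std::vector<std::shared_ptr<WatchpointSet>> watchpointSets;
    int* destroyedCounter;

    explicit StubRoutine(int* counter) : destroyedCounter(counter) {}

    // Step 1 of the fix: once the last reference is gone, drop the watchpoint sets so a
    // dead routine is never reached through them.
    ~StubRoutine() {
        watchpointSets.clear();
        ++*destroyedCounter;
    }

    // Step 2 of the fix: capture the sets first, then fire. After the first watcher runs,
    // `this` may already be destroyed (a watcher can release the last reference), so nothing
    // below touches a member. Taking a protector reference instead would be wrong when the
    // refCount is already zero, which is the situation the regression hit.
    void invalidate() {
        auto sets = std::move(watchpointSets);
        for (auto& set : sets)
            set->fireAllWatchpoints();
    }
};

struct Outcome { int fired; int destroyed; };

// Constructed scenario: invalidate() runs while a watcher releases the routine's last
// reference. With capture-then-fire, every watcher still runs exactly once.
Outcome runScenario() {
    int fired = 0, destroyed = 0;
    auto owner = std::make_shared<StubRoutine>(&destroyed);   // the only reference
    auto set = std::make_shared<WatchpointSet>();
    set->watchers.push_back([&] { ++fired; owner.reset(); });  // destroys the routine mid-fire
    set->watchers.push_back([&] { ++fired; });                 // must still fire afterwards
    owner->watchpointSets.push_back(set);
    StubRoutine* routine = owner.get();
    routine->invalidate();   // the object is gone before this call returns
    return Outcome{fired, destroyed};
}
```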



_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
