Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: b5808ff792b03d7cfd54a963340fdbb0ab4ec1b9
https://github.com/WebKit/WebKit/commit/b5808ff792b03d7cfd54a963340fdbb0ab4ec1b9
Author: Mark Lam <[email protected]>
Date: 2025-12-05 (Fri, 05 Dec 2025)
Changed paths:
M Source/JavaScriptCore/heap/Heap.cpp
M Source/JavaScriptCore/heap/Heap.h
Log Message:
-----------
GC sweeping should not be done in the End phase.
https://bugs.webkit.org/show_bug.cgi?id=303634
rdar://165681233
Reviewed by Dan Hecht and Keith Miller.
That's because the end phase may be run on the GC thread instead of the mutator thread.

Sweeping needs to be done on the mutator thread because AtomStringImpl destruction needs to unregister from the mutator's thread local AtomStringTable. This can only be done on the mutator thread.
303051@main introduced eager synchronous sweeping in the GC End phase if there's a critical memory condition. We'll fix this by changing this to do the critical memory check in Heap::shouldSweepSynchronously() instead, and simply let Heap::finalize() do the sweeping in the mutator thread instead (which it can already do).

Added a RELEASE_ASSERT in Heap::sweepSynchronously() to verify that the thread is holding the API lock (as a proxy for identifying that it is the mutator thread). This should help catch this issue with existing tests to the extent possible. The bug does rely on a race condition that is not easily reproducible.
* Source/JavaScriptCore/heap/Heap.cpp:
(JSC::Heap::sweepSynchronously):
(JSC::Heap::runEndPhase):
(JSC::Heap::shouldSweepSynchronously):
* Source/JavaScriptCore/heap/Heap.h:
Canonical link: https://commits.webkit.org/304020@main
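An added example, not WebKit's code, modelling the invariant the commit message describes: entries registered in a thread-local table on the mutator thread cannot be unregistered from a GC thread, so a sweep must first check it is on the mutator thread. The names (`sweepSynchronously`, `demo`, `g_threadAtomTable`) and the thread-id comparison standing in for the API-lock RELEASE_ASSERT are assumptions of this example.

```cpp
#include <set>
#include <string>
#include <thread>

struct Atom { std::string value; };

// Stand-in for the per-thread AtomStringTable: each thread sees its own set.
thread_local std::set<const Atom*> g_threadAtomTable;

// Stand-in for "holding the API lock": the commit uses the lock as a proxy
// for "this is the mutator thread"; here we compare thread ids instead.
static std::thread::id g_mutatorThread;

void registerAtomOnThisThread(const Atom* atom) { g_threadAtomTable.insert(atom); }

// True only if the atom was found (and removed) in *this* thread's table.
bool unregisterAtomOnThisThread(const Atom* atom) { return g_threadAtomTable.erase(atom) == 1; }

// Model of the new precondition in Heap::sweepSynchronously(): refuse to sweep
// off the mutator thread. Returns false instead of crashing so a test can
// observe it; the real code uses RELEASE_ASSERT.
bool sweepSynchronously(const Atom* atom) {
    if (std::this_thread::get_id() != g_mutatorThread)
        return false;                       // would be an assertion failure
    return unregisterAtomOnThisThread(atom);
}

// Run the guarded sweep on a separate "GC thread" and report the outcome.
bool sweepFromGcThread(const Atom* atom) {
    bool result = true;
    std::thread gc([&] { result = sweepSynchronously(atom); });
    gc.join();
    return result;
}

// Why the check matters: an unguarded unregister on the GC thread hits that
// thread's empty table, and the mutator's table keeps a stale pointer.
bool unguardedSweepLeavesStaleEntry(const Atom* atom) {
    bool foundOnGcThread = true;
    std::thread gc([&] { foundOnGcThread = unregisterAtomOnThisThread(atom); });
    gc.join();
    return !foundOnGcThread && g_threadAtomTable.count(atom) == 1;
}

// Scenario: register on the mutator (current) thread, then try each sweep path.
bool demo() {
    g_mutatorThread = std::this_thread::get_id();
    Atom a{"hello"};                                  // constructed sample atom
    registerAtomOnThisThread(&a);
    bool gcRefused = !sweepFromGcThread(&a);          // guarded: refused
    bool stale = unguardedSweepLeavesStaleEntry(&a);  // unguarded: stale entry
    bool mutatorOk = sweepSynchronously(&a);          // on mutator: succeeds
    return gcRefused && stale && mutatorOk && g_threadAtomTable.empty();
}
```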