[webkit-changes] [198477] trunk/Source/JavaScriptCore

[joepeck]

Title: [198477] trunk/Source/_javascript_Core

Revision

198477

Author

joep...@webkit.org

Date

2016-03-20 15:42:32 -0700 (Sun, 20 Mar 2016)

Log Message

Crash on DFG::WorkList thread in JSC::Heap::isCollecting for destroyed Web Worker
https://bugs.webkit.org/show_bug.cgi?id=155678
<rdar://problem/25251439>

Reviewed by Filip Pizlo.

This fixes a crash that we saw with GuardMalloc. If the Plan was
Cancelled it may not be safe to access the VM. If the Plan was
cancelled we are just going to bail anyways, so keep the ASSERT but
short-circuit if the plan was Cancelled.

* dfg/DFGWorklist.cpp:
(JSC::DFG::Worklist::runThread):

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGWorklist.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (198476 => 198477)

--- trunk/Source/_javascript_Core/ChangeLog	2016-03-20 20:08:59 UTC (rev 198476)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-03-20 22:42:32 UTC (rev 198477)
@@ -1,3 +1,19 @@
+2016-03-20  Joseph Pecoraro  <pecor...@apple.com>
+
+        Crash on DFG::WorkList thread in JSC::Heap::isCollecting for destroyed Web Worker
+        https://bugs.webkit.org/show_bug.cgi?id=155678
+        <rdar://problem/25251439>
+
+        Reviewed by Filip Pizlo.
+
+        This fixes a crash that we saw with GuardMalloc. If the Plan was
+        Cancelled it may not be safe to access the VM. If the Plan was
+        cancelled we are just going to bail anyways, so keep the ASSERT but
+        short-circuit if the plan was Cancelled.
+
+        * dfg/DFGWorklist.cpp:
+        (JSC::DFG::Worklist::runThread):
+
 2016-03-20  Dan Bernstein  <m...@apple.com>
 
         Update build settings

Modified: trunk/Source/_javascript_Core/dfg/DFGWorklist.cpp (198476 => 198477)

--- trunk/Source/_javascript_Core/dfg/DFGWorklist.cpp	2016-03-20 20:08:59 UTC (rev 198476)
+++ trunk/Source/_javascript_Core/dfg/DFGWorklist.cpp	2016-03-20 22:42:32 UTC (rev 198477)
@@ -367,7 +367,7 @@
         
             RELEASE_ASSERT(!plan->vm.heap.isCollecting());
             plan->compileInThread(longLivedState, data);
-            RELEASE_ASSERT(!plan->vm.heap.isCollecting());
+            RELEASE_ASSERT(plan->stage == Plan::Cancelled || !plan->vm.heap.isCollecting());
             
             {
                 LockHolder locker(m_lock);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes