Changeset 77277 in webkit
Timestamp:
Feb 1, 2011 12:44:22 PM (13 years ago)
Author:
ggaren@apple.com
Message:

2011-02-01 Geoffrey Garen <ggaren@apple.com>

Reviewed by Oliver Hunt.

REGRESSION(77082): GC-related crashes seen: on WebKit2 bot; on GTK 32bit
bot; loading trac pages; typing in search field
https://bugs.webkit.org/show_bug.cgi?id=53519
The crashes were all caused by failure to run an object's destructor.

  • runtime/CollectorHeapIterator.h: (JSC::ObjectIterator::ObjectIterator): Don't skip forward upon construction. The iterator class used to do that when it was designed for prior-to-beginning initialization. I forgot to remove this line of code when I changed the iterator to normal initialization.
Skipping forward upon construction was causing the heap to skip running
the destructor for the very first object in a block when destroying the
block. This usually did not crash, since block destruction is rare and
most objects have pretty trivial destructors. However, in the rare case
when the heap would destroy a block whose first object was a global
object or a DOM node, BOOM.
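The off-by-one the message describes, as an added C++ illustration that is not WebKit's code: a toy block whose cells are "destructed" by walking an iterator, where the constructor can still carry the old pre-advance. The names Cell, Block, destroyBlock and firstCellLeaked are hypothetical stand-ins.

```cpp
// Toy model of the off-by-one described in the changeset (not WebKit code).
// Destroying a block walks an iterator and runs each cell's "destructor".
// The optional pre-advance was only correct while the iterator was built
// one-before-the-beginning; with normal initialisation it skips cell 0.
#include <array>
#include <cstddef>

struct Cell {
    bool live = true;  // cleared when the stand-in destructor runs
};

constexpr std::size_t kCellsPerBlock = 8;
using Block = std::array<Cell, kCellsPerBlock>;

// Hypothetical stand-in for JSC::ObjectIterator.
struct ObjectIterator {
    Block* block;
    std::size_t cell;

    ObjectIterator(Block& b, std::size_t startCell, bool skipForwardOnConstruct)
        : block(&b), cell(startCell)
    {
        // Pre-r77277 behaviour: advance immediately after construction.
        if (skipForwardOnConstruct && isValid())
            ++(*this);
    }
    bool isValid() const { return cell < block->size(); }
    ObjectIterator& operator++() { ++cell; return *this; }
    Cell& operator*() { return (*block)[cell]; }
};

// Destroy every object in the block; returns how many destructors ran.
std::size_t destroyBlock(Block& block, bool skipForwardOnConstruct)
{
    std::size_t destructed = 0;
    for (ObjectIterator it(block, 0, skipForwardOnConstruct); it.isValid(); ++it) {
        (*it).live = false;  // stands in for running the real destructor
        ++destructed;
    }
    return destructed;
}

// Build a fresh block, destroy it, and report whether cell 0 was missed.
bool firstCellLeaked(bool skipForwardOnConstruct)
{
    Block block;
    destroyBlock(block, skipForwardOnConstruct);
    return block[0].live;
}
```

With the pre-advance kept, one destructor per block is silently never run; with it removed, every cell is visited.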

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r77269 r77277  
     12011-02-01  Geoffrey Garen  <ggaren@apple.com>
     2
     3        Reviewed by Oliver Hunt.
     4
     5        REGRESSION(77082): GC-related crashes seen: on WebKit2 bot; on GTK 32bit
     6        bot; loading trac pages; typing in search field
     7        https://bugs.webkit.org/show_bug.cgi?id=53519
     8       
     9        The crashes were all caused by failure to run an object's destructor.
     10
     11        * runtime/CollectorHeapIterator.h:
     12        (JSC::ObjectIterator::ObjectIterator): Don't skip forward upon
     13        construction. The iterator class used to do that when it was designed
     14        for prior-to-beginning initialization. I forgot to remove this line
     15        of code when I changed the iterator to normal initialization.
     16       
     17        Skipping forward upon construction was causing the heap to skip running
     18        the destructor for the very first object in a block when destroying the
     19        block. This usually did not crash, since block destruction is rare and
     20        most objects have pretty trivial destructors. However, in the rare case
     21        when the heap would destroy a block whose first object was a global
     22        object or a DOM node, BOOM.
     23
    1242011-01-31  Oliver Hunt  <oliver@apple.com>
    225
  • trunk/Source/JavaScriptCore/runtime/CollectorHeapIterator.h

    r77082 r77277  
    139139        : CollectorHeapIterator(heap, startBlock, startCell)
    140140    {
    141         if (isValid())
    142             ++(*this);
    143141    }
    144142
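Review bot: Dropping the pre-increment in the ObjectIterator constructor (old lines 141-142) leaves the iterator on startCell, so the first cell of a block is now visited and its destructor run, but the diff alone does not show whether any remaining caller still constructs the iterator expecting the old one-before-the-beginning semantics; an audit of ObjectIterator call sites and a regression test that destroys a block whose first object has a non-trivial destructor would be worth adding alongside this change.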