Changeset 90273 in webkit
- Timestamp: Jul 1, 2011 1:45:52 PM
- Location: trunk/Source/JavaScriptCore
- Files: 3 edited
trunk/Source/JavaScriptCore/ChangeLog
r90268 r90273 1 2011-07-01 Oliver Hunt <oliver@apple.com> 2 3 GC sweep can occur before an object is completely initialised 4 https://bugs.webkit.org/show_bug.cgi?id=63836 5 6 Reviewed by Gavin Barraclough. 7 8 In rare cases it's possible for a GC sweep to occur while a 9 live, but not completely initialised object is on the stack. 10 In such a case we may incorrectly choose to mark it, even 11 though it has no children that need marking. 12 13 We resolve this by always zeroing out the structure of any 14 value returned from JSCell::operator new(), and making the 15 markstack tolerant of a null structure. 16 17 * runtime/JSCell.h: 18 (JSC::JSCell::JSCell::~JSCell): 19 (JSC::JSCell::JSCell::operator new): 20 * runtime/Structure.h: 21 (JSC::MarkStack::internalAppend): 22 1 23 2011-07-01 Filip Pizlo <fpizlo@apple.com> 2 24 -
trunk/Source/JavaScriptCore/runtime/JSCell.h
r90241 r90273 187 187 inline JSCell::~JSCell() 188 188 { 189 #if ENABLE(GC_VALIDATION) 190 m_structure.clear(); 191 #endif 189 192 } 190 193 … … 357 360 inline void* JSCell::operator new(size_t size, JSGlobalData* globalData) 358 361 { 359 return globalData->heap.allocate(size); 362 JSCell* result = static_cast<JSCell*>(globalData->heap.allocate(size)); 363 result->m_structure.clear(); 364 return result; 360 365 } 361 366 362 367 inline void* JSCell::operator new(size_t size, ExecState* exec) 363 368 { 364 return exec->heap()->allocate(size); 369 JSCell* result = static_cast<JSCell*>(exec->heap()->allocate(size)); 370 result->m_structure.clear(); 371 return result; 365 372 } 366 373 -
trunk/Source/JavaScriptCore/runtime/Structure.h
r89077 r90273 303 303 if (Heap::testAndSetMarked(cell)) 304 304 return; 305 if (cell->structure() ->typeInfo().type() >= CompoundType)305 if (cell->structure() && cell->structure()->typeInfo().type() >= CompoundType) 306 306 m_values.append(cell); 307 307 }
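Review bot: in the two `JSCell::operator new` overloads in JSCell.h, `result->m_structure.clear()` runs on the raw memory returned by `heap.allocate(size)` before any JSCell constructor has executed, so it relies on `WriteBarrier<Structure>::clear()` being a plain null store with no dependence on prior object state; that assumption should be recorded in a comment next to the `static_cast<JSCell*>`, since a later change to the barrier (for example one that reads the old value) would break it silently. The same three lines are duplicated in both overloads; a small static helper taking the allocated pointer would keep them in sync. Note also the asymmetry with the destructor: the new `m_structure.clear()` in `~JSCell` is guarded by `#if ENABLE(GC_VALIDATION)` while the clear in `operator new` is unconditional, so the ChangeLog should say why the destructor side is validation-only if the mark stack is now expected to tolerate a null structure in general.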
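Review bot: in `internalAppend` in Structure.h, the null check comes after `Heap::testAndSetMarked(cell)`, so a cell whose structure is still null is marked live but never pushed for child traversal; that matches the ChangeLog's intent, but the reason a cell can legitimately have a null structure at this point (allocated via `JSCell::operator new`, constructor not yet finished) deserves a one-line comment, because a non-null `structure()` is otherwise an invariant readers will assume. `cell->structure()` is also evaluated twice in the condition; a local such as `Structure* structure = cell->structure();` avoids the repeated load. Finally, only this site was made tolerant, so it is worth confirming that no other mark-phase path dereferences `structure()` on a cell that has not finished initialising.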