Changeset 95308 in webkit
- Timestamp:
- Sep 16, 2011 11:43:25 AM (13 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 2 edited
-
ChangeLog (modified) (1 diff)
-
heap/Heap.cpp (modified) (2 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/JavaScriptCore/ChangeLog
r95297 r95308 1 2011-09-16 Filip Pizlo <fpizlo@apple.com> 2 3 REGRESSION: Reproducible crash below SlotVisitor::harvestWeakReferences 4 using Domino's online ordering 5 https://bugs.webkit.org/show_bug.cgi?id=68220 6 7 Reviewed by Oliver Hunt. 8 9 Weak handle processing can result in new objects being marked, which 10 results in new WeakReferencesHarvesters being added. But weak 11 reference harvesters are only processed before weak handle processing, 12 so there's the risk that a weak reference harvester will persist 13 until the next collection, by which time it may have been deleted. 14 15 * heap/Heap.cpp: 16 (JSC::Heap::markRoots): 17 1 18 2011-09-16 Csaba Osztrogonác <ossy@webkit.org> 2 19 -
trunk/Source/JavaScriptCore/heap/Heap.cpp
r94814 r95308 587 587 visitor.drain(); 588 588 589 harvestWeakReferences();590 591 589 // Weak handles must be marked last, because their owners use the set of 592 590 // opaque roots to determine reachability. … … 598 596 // If the set of opaque roots has grown, more weak handles may have become reachable. 599 597 } while (lastOpaqueRootCount != visitor.opaqueRootCount()); 598 599 // Need to call this here because weak handle processing could add weak 600 // reference harvesters. 601 harvestWeakReferences(); 600 602 601 603 visitor.reset();
Note: See TracChangeset
for help on using the changeset viewer.
