[webkit-changes] [16797] trunk/JavaScriptCore
Alexander Kellett
lypanov at mac.com
Thu Oct 5 06:43:08 PDT 2006
Unfortunately I'm unable to see the backtraces associated with the rdars
without access. Is it possible to see the backtraces?
I'm able to reproduce a collect() related crash by simply using the
browser for a few days. Hope this is the fix I've been looking for :)
Alex
On 5 Oct 2006, at 03:07, ggaren at opensource.apple.com wrote:
> Revision: 16797
> Author: ggaren
> Date: 2006-10-04 18:07:49 -0700 (Wed, 04 Oct 2006)
> Log Message
>
> Patch by Darin and me, reviewed by Maciej.
>
> Fixed REGRESSION(?): Oft-seen but unrepro crash
> in JavaScript garbage collection
> (KJS::Collector::collect())
> Crash in KJS::collect
>
> The issue here was allocating one garbage-collected object
> in the midst
> of allocating a second garbage-collected object. In such a
> case, the
> zeroIfFree word lies.
>
> * kjs/collector.cpp:
> (KJS::Collector::allocate):
> (KJS::Collector::collect):
> Modified Paths
>
> trunk/JavaScriptCore/ChangeLog
> trunk/JavaScriptCore/kjs/collector.cpp
> Diff
>
> Modified: trunk/JavaScriptCore/ChangeLog (16796 => 16797)
>
> --- trunk/JavaScriptCore/ChangeLog 2006-10-05 00:21:48 UTC (rev 16796)
> +++ trunk/JavaScriptCore/ChangeLog 2006-10-05 01:07:49 UTC (rev 16797)
> @@ -1,3 +1,19 @@
> +2006-10-04 Geoffrey Garen <ggaren at apple.com>
> +
> + Patch by Darin and me, reviewed by Maciej.
> +
> + Fixed <rdar://problem/4518397> REGRESSION(?): Oft-seen but
> unrepro crash
> + in JavaScript garbage collection
> (KJS::Collector::collect())
> + <rdar://problem/4752492> Crash in KJS::collect
> +
> + The issue here was allocating one garbage-collected object
> in the midst
> + of allocating a second garbage-collected object. In such a
> case, the
> + zeroIfFree word lies.
> +
> + * kjs/collector.cpp:
> + (KJS::Collector::allocate):
> + (KJS::Collector::collect):
> +
> 2006-10-04 Kevin McCullough <KMcCullough at apple.com>
>
> Reviewed by Adam.
> Modified: trunk/JavaScriptCore/kjs/collector.cpp (16796 => 16797)
>
> --- trunk/JavaScriptCore/kjs/collector.cpp 2006-10-05 00:21:48 UTC
> (rev 16796)
> +++ trunk/JavaScriptCore/kjs/collector.cpp 2006-10-05 01:07:49 UTC
> (rev 16797)
> @@ -118,6 +118,7 @@
> size_t numLiveObjects = heap.numLiveObjects;
> size_t numLiveObjectsAtLastCollect =
> heap.numLiveObjectsAtLastCollect;
> size_t numNewObjects = numLiveObjects -
> numLiveObjectsAtLastCollect;
> +
> if (numNewObjects >= ALLOCATIONS_PER_COLLECTION && numNewObjects
> >= numLiveObjectsAtLastCollect) {
> collect();
> numLiveObjects = heap.numLiveObjects;
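Review bot: the ChangeLog entry lists (KJS::Collector::allocate) as a modified function, but the only change in this hunk is a blank line inserted after the numNewObjects computation. Either drop allocate() from the ChangeLog entry or confirm that no intended change to allocate() was lost from the patch; a whitespace-only hunk in a crash fix will raise exactly that question for anyone reading the log later.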
> @@ -492,6 +493,11 @@
> if (imp->m_marked) {
> imp->m_marked = false;
> } else if (currentThreadIsMainThread || imp-
> >m_destructorIsThreadSafe) {
> + // special case for allocated but uninitialized object
> + // (We don't need this check earlier because nothing
> prior this point assumes the object has a valid vptr.)
> + if (cell->u.freeCell.zeroIfFree == 0)
> + continue;
> +
> imp->~JSCell();
> --usedCells;
> --numLiveObjects;
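Review bot: the new zeroIfFree check sits after `if (imp->m_marked)` has already read, and possibly cleared, that flag on the same cell, so an allocated-but-uninitialized cell whose m_marked byte happens to be nonzero takes the marked branch instead of reaching the check. That branch appears harmless here since it only clears the flag, but the comment's claim that nothing prior to this point assumes a valid vptr should also state that reading m_marked from an uninitialized cell is acceptable, or the check could move above the `if (imp->m_marked)` test so such a cell never enters either branch. Also "prior this point" in the comment should read "prior to this point".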
> @@ -504,7 +510,7 @@
> }
> } else {
> size_t minimumCellsToProcess = usedCells;
> - for (size_t i = 0; i < minimumCellsToProcess; i++) {
> + for (size_t i = 0; (i < minimumCellsToProcess) & (i <
> CELLS_PER_BLOCK); i++) {
> CollectorCell *cell = curBlock->cells + i;
> if (cell->u.freeCell.zeroIfFree == 0) {
> ++minimumCellsToProcess;
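Review bot: the new loop condition joins two bool comparisons with bitwise `&` rather than `&&`. It yields the same truth value and evaluates both comparisons unconditionally, which looks like a deliberate branch-avoidance choice, but a reader will take it for a typo, so either add a one-line comment saying so or use `&&`. The added `i < CELLS_PER_BLOCK` bound is the substantive part of the change: minimumCellsToProcess starts at usedCells and is incremented for every cell with zeroIfFree == 0, so when such a cell is also counted as used (the allocated-but-uninitialized case the previous hunk handles) the count can exceed the block's cell array and the old loop would have walked past the end of curBlock->cells; that bound deserves a mention in the ChangeLog entry for collect().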
> _______________________________________________
> webkit-changes mailing list
> webkit-changes at opendarwin.org
> http://www.opendarwin.org/mailman/listinfo/webkit-changes
---
Alexander Kellett
PGP - 0x6BFA8EF3, FPR: DA65 D6DE 56A9 D715 EFB6 A948 B2EF 6622 6BFA 8EF3