[webkit-changes] [WebKit/WebKit] 1d96c3: REGRESSION(278148 at main): random crashes under JSC:...

Yusuke Suzuki noreply at github.com
Wed May 1 13:00:36 PDT 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 1d96c3185c84598869508e1ac51538952efb7912
      https://github.com/WebKit/WebKit/commit/1d96c3185c84598869508e1ac51538952efb7912
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2024-05-01 (Wed, 01 May 2024)

  Changed paths:
    M Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp
    M Source/JavaScriptCore/jit/GCAwareJITStubRoutine.h

  Log Message:
  -----------
  REGRESSION(278148 at main): random crashes under JSC::WatchpointSet::fireAllWatchpoints
https://bugs.webkit.org/show_bug.cgi?id=273467
rdar://127346958

Reviewed by Justin Michaud, Keith Miller and Mark Lam.

PolymorphicAccessJITStubRoutine::invalidate clears StructureStubInfo, and this
may deref PolymorphicAccessJITStubRoutine itself held by InlineCacheHandler.
But at the same time, PolymorphicAccessJITStubRoutine is half-GC-managed, so this
`invalidate` function can be called when PolymorphicAccessJITStubRoutine's refCount
is zero, and it will be destroyed by GC.

So, in this patch,

1. We just clear WatchpointSet when PolymorphicAccessJITStubRoutine's refCount becomes zero.
2. Inside PolymorphicAccessJITStubRoutine::invalidate, we just capture WatchpointSet and fire them all instead of keeping PolymorphicAccessJITStubRoutine alive.

* Source/JavaScriptCore/jit/GCAwareJITStubRoutine.cpp:
(JSC::PolymorphicAccessJITStubRoutine::invalidate):

Canonical link: https://commits.webkit.org/278223@main
