[webkit-dev] Javascript collector

[Maciej Stachowiak]

On Jul 25, 2007, at 1:02 PM, Patrick Hanna wrote:

> I am running into a segmentation fault in  
> Collector::collectOnMainThreadOnly on the line that reads:
>
> cellBlock(cell)->collectOnMainThreadOnly.set(cellOffset(cell));
>
> I believe that the reason is because the address passed in as  
> 'value' is the address of a stack variable. This address comes from  
> PluginsFunc::callAsFunction. PluginBase is created on the stack and  
> the constructor for DOMObject calls  
> Collector::collectOnMainThreadOnly with 'this' as the parameter.
>
> My question is, should Collector::collectOnMainThreadOnly work with  
> stack pointers? If it is supposed to work, when does the  
> CollectorBlock for the stack object get created? Specificy,  
> CollectorBlock::collectOnMainThreadOnly is the structure that I'm  
> running in to problems with.

That's definitely a bug. It's illegal to create JSObject subclasses on  
the stack at all, as this will break garbage collection. Please file  
it. I think it's only through luck that it's not crashing for others  
(and maybe it is, but we just don't know it yet.)

Two possible solutions:

1) make refresh() a static member function of PluginBase, since it  
only touches static data members anyway. Then you won't need to  
instantiate a PluginBase object.

2) Have PluginFuncs look at the "this" object, which should be a  
Plugins, which inherits from PluginBase and thus should have the  
refresh method.

Do you have steps to consistently reproduce this bug?

Regards,
Maciej