[Webkit-unassigned] [Bug 12535] Stack-optimizing compilers can trick GC into freeing in-use objects

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Feb 1 18:07:29 PST 2007


------- Comment #9 from huanr at yahoo.com  2007-02-01 18:07 PDT -------
(In reply to comment #4)
> (In reply to comment #2)
> Anrong, did you mean to say that the compiler may discard the reference to
> 'baseObj' or to 'baseVal'? Your reasoning points to 'baseVal', not 'baseObj'.
> Would this bug persist if toObject() made use of 'this', prohibiting the
> compiler from optimizing out baseVal?
> I don't think 'Collector::protect(baseVal);' is a very good solution. It's
> inefficient, and it doesn't seem to address the root cause of the problem,
> which may affect lots of different parts of the code.


I meant baseVal. The bug goes away if toObject() made use of 'this' thus
effectively lock baseVal. 
Collector::protect(baseVal) fixes this code path. if this is a common pattern
then other solutions being discussed here may be better if they have no global

Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list