[Webkit-unassigned] [Bug 27077] Workers + garbage collector: weird crashes

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 14 06:54:12 PDT 2009


--- Comment #8 from Zoltan Herczeg <zherczeg at inf.u-szeged.hu>  2009-07-14 06:54:11 PDT ---
I am still struggling with my second bug.

This is what I know now:

In v8-earley-boyer.js there is a function called sc_toDisplayString(). This
function is marked by a JSWrapperObject as seen in the call stack below:

#1  0xb7385ddd in JSC::JSFunction::mark ()
#2  0xb738a795 in JSC::JSObject::mark ()            \ - the mark() is virtual
#3  0xb738eac5 in JSC::JSWrapperObject::mark ()     / - this is one object
#4  0xb738a795 in JSC::JSObject::mark ()
#5  0xb738a795 in JSC::JSObject::mark ()            \ - the mark() is virtual
#6  0xb72b4a02 in JSC::JSGlobalObject::mark ()      / - this is one object
#7  0xb73f5d8f in WebCore::JSDOMGlobalObject::mark ()
#8  0xb78f3ddd in WebCore::JSWorkerContext::mark ()
#9  0xb7385dba in JSC::JSFunction::mark ()
#10 0xb7366656 in JSC::Heap::markConservatively ()
#11 0xb7366b4f in JSC::Heap::markCurrentThreadConservativelyInternal ()
#12 0xb7366bde in JSC::Heap::markCurrentThreadConservatively ()
#13 0xb7366c01 in JSC::Heap::markStackObjectsConservatively ()
#14 0xb7366c59 in JSC::Heap::collect ()
#15 0xb736709b in JSC::Heap::allocate ()
#16 0xb7309150 in cti_op_construct_JSConstruct ()

Somehow, when I run the test in a worker thread, the 3rd object in the
propertyStorage() of JSWrapperObject() - which is the JSFunction representation
of the toDisplayString() method - gets a new value. However, its old value is cached
by the JIT, and causes an exception, since the cell space of the old value is
reused by some new JSObject. This bug looks platform independent. Anyway, the
garbage collector works perfectly, since the JSFunction is not referenced by
other objects.

My questions:

- As far as I know, the existing functions are never replaced by new ones,
otherwise pointer caching becomes impossible. What happens here?

- Is it true that only one JSGlobalObject is created for all threads and this
global object is accessed without mutexes?


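As an added illustration, not JavaScriptCore code and not part of this bug thread, the following toy C++ program reproduces the shape of the hazard the comment describes: a property slot is overwritten with a new function, the old function's cell becomes unreachable, a collection sweeps it, and the very next allocation hands the same cell out as an unrelated object while a JIT-style inline cache still holds the raw pointer. `ToyHeap`, `InlineCache`, `runScenario` and the four-cell pool are invented for this example; `cacheStillValid` shows one defensive check (re-reading the slot before trusting the cached pointer) rather than anything JSC actually does.

```cpp
#include <array>
#include <string>
#include <vector>

// Toy mark-sweep heap: a fixed pool of cells, each with a mark bit, a kind tag
// and a list of outgoing references (its "property storage").
struct Cell {
    bool live = false;
    bool marked = false;
    std::string kind;           // "object" or "function"
    std::vector<Cell*> slots;   // references held by this cell
};

struct ToyHeap {
    std::array<Cell, 4> cells;  // deliberately tiny so the pool fills quickly
    std::vector<Cell*> roots;   // the equivalent of the global object

    // Hand out a free cell; if none is free, collect once and retry.
    Cell* allocate(const std::string& kind) {
        for (int attempt = 0; attempt < 2; ++attempt) {
            for (Cell& c : cells) {
                if (!c.live) {
                    c.live = true;
                    c.kind = kind;
                    c.slots.clear();
                    return &c;
                }
            }
            collect();
        }
        return nullptr;         // out of memory
    }

    void mark(Cell* c) {
        if (!c || !c->live || c->marked) return;
        c->marked = true;
        for (Cell* s : c->slots) mark(s);
    }

    // Only cells reachable from the roots survive. A raw pointer embedded in
    // generated code is not a root here, so it keeps nothing alive.
    void collect() {
        for (Cell& c : cells) c.marked = false;
        for (Cell* r : roots) mark(r);
        for (Cell& c : cells) {
            if (c.live && !c.marked) {
                c.live = false;
                c.kind.clear();
                c.slots.clear();
            }
        }
    }
};

// An inline cache as a JIT might keep it: the raw cell pointer last observed
// in a property slot, reused on later calls without re-reading the slot.
struct InlineCache {
    Cell* cachedFunction = nullptr;
};

// Guarded use of the cache: re-read the slot and refuse the cached pointer
// when it no longer matches the property's current value.
bool cacheStillValid(const InlineCache& ic, const Cell* holder) {
    return !holder->slots.empty() && holder->slots[0] == ic.cachedFunction;
}

struct Outcome {
    bool cacheMatchesSlot;      // does the cache still agree with the property?
    bool cachedCellWasReused;   // does the cached pointer now name a fresh cell?
    std::string cachedKindNow;  // kind of the cell the cache points at now
};

Outcome runScenario() {
    ToyHeap heap;
    Cell* global = heap.allocate("object");      // cell 0, rooted
    heap.roots.push_back(global);
    Cell* wrapper = heap.allocate("object");     // cell 1, like the wrapper object
    global->slots.push_back(wrapper);
    Cell* fn = heap.allocate("function");        // cell 2, like the cached method
    wrapper->slots.push_back(fn);

    InlineCache ic;
    ic.cachedFunction = wrapper->slots[0];       // JIT caches the raw pointer

    // The property is replaced by a new function; the old one is unreachable now.
    Cell* replacement = heap.allocate("function"); // cell 3, pool is now full
    wrapper->slots[0] = replacement;

    // The next allocation forces a collection; the old function's cell is
    // swept and immediately handed out again as an unrelated object.
    Cell* fresh = heap.allocate("object");

    return Outcome{
        cacheStillValid(ic, wrapper),
        fresh == ic.cachedFunction,
        ic.cachedFunction->kind,
    };
}
```

Running `runScenario()` shows the cache disagreeing with the slot, the cached pointer equal to the freshly allocated cell, and that cell now tagged "object": exactly the "cell space of the old value is reused by some new JSObject" situation. The defensive point is that a raw cached pointer is only safe if the cache is either validated against the slot on use or registered so that the collector can see and clear it.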