[Webkit-unassigned] [Bug 27077] Workers + garbage collector: weird crashes
bugzilla-daemon at webkit.org
Thu Jul 16 23:46:07 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=27077
--- Comment #16 from Zoltan Herczeg <zherczeg at inf.u-szeged.hu> 2009-07-16 23:46:06 PDT ---
Hi Gavin,
I am happy to hear from you again. I thought you were on holiday. I have
tracked the bug (with the help of Oliver) and this is what happens:
Part of the sc_toDisplayString(o) bytecode:
[ 95] op_method_check
[ 96] get_by_id r12, r-9, sc_toDisplayString(@id1)
[ 104] mov r13, r-9
[ 107] call r12, r12, 1, 22
The op_method_check caches a JSFunction value, which is used by the op_call
later. However, the check in op_method_check only depends on the structure. The
old JSFunction itself is freed by the GC. Then a new JSFunction is created,
which has the _same_ structure info (and I think this is expected), so
op_method_check gives back a wrong cached value.
Probably I need to create a small example which crashes. I will try to do it now.
Oliver also mentioned that this conservative fix might kill the benefit of
op_method_check, but look, an optimization which sometimes crashes cannot be
called an optimization. We wouldn't want a browser which can be killed by
malicious code.
By the way, could you take a look at the ARM port :)
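A constructed C model of the stale-cache sequence described in the comment above, added here as an example: these are not JavaScriptCore's types, and the identity-checked variant is an assumed conservative validation, not the fix that landed in WebKit.

```c
#include <stddef.h>

/* Constructed model (not JavaScriptCore's real types): a JSFunction records
 * whether the simulated GC has freed it; a JSObject has a structure id and a
 * method slot; the cache remembers the structure it validated against. */
typedef struct { int structure_id; int freed; } JSFunction;
typedef struct { int structure_id; JSFunction *method; } JSObject;
typedef struct { int structure_id; JSFunction *cached; } MethodCheckCache;

/* Cache validated on the object's structure only, as the comment describes
 * op_method_check doing: a matching structure hands back the cached pointer
 * even if the JSFunction it points to has been collected. */
static JSFunction *method_check_structure_only(MethodCheckCache *c, JSObject *o) {
    if (c->cached && c->structure_id == o->structure_id)
        return c->cached;
    c->structure_id = o->structure_id;
    c->cached = o->method;
    return c->cached;
}

/* Conservative variant (an assumption, not WebKit's patch): the cache is only
 * trusted when the cached function is still the one in the method slot. This
 * re-reads the slot, which is why such a fix costs most of the benefit. */
static JSFunction *method_check_identity(MethodCheckCache *c, JSObject *o) {
    if (c->cached && c->structure_id == o->structure_id && c->cached == o->method)
        return c->cached;
    c->structure_id = o->structure_id;
    c->cached = o->method;
    return c->cached;
}

/* Replays the sequence from the comment: first call fills the cache, the GC
 * frees the old JSFunction, a new JSFunction with the same structure info takes
 * its place, second call. Returns 1 when the cache hands back the freed one. */
static int replay(JSFunction *(*check)(MethodCheckCache *, JSObject *)) {
    JSFunction old_fn = { 7, 0 };
    JSFunction new_fn = { 7, 0 };          /* same structure info as old_fn */
    JSObject o = { 3, &old_fn };
    MethodCheckCache cache = { 0, NULL };
    check(&cache, &o);                     /* populates the cache with old_fn */
    old_fn.freed = 1;                      /* simulated GC: old JSFunction gone */
    o.method = &new_fn;                    /* replacement JSFunction installed */
    JSFunction *got = check(&cache, &o);
    return got->freed;
}
```

replay(method_check_structure_only) returns 1 (the freed function is used, the stale value behind the crash), while replay(method_check_identity) returns 0.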