[Webkit-unassigned] [Bug 27077] Workers + garbage collector: weird crashes

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 17 06:41:31 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=27077

--- Comment #17 from Zoltan Herczeg <zherczeg at inf.u-szeged.hu>  2009-07-17 06:41:30 PDT ---
Ok, I have continued to work on this bug, again.

This is what I found so far:

The structure, which is checked by op_method_check, is
JSGlobalData->stringStructure. v8-earley-boyer adds two methods to it:

String.prototype.sc_toDisplayString = function() { ... }
String.prototype.sc_toWriteString = function() { ... }

Both times StringObject::put is called. The prototype object is changed by:
setStructure(Structure::despecifyFunctionTransition(m_structure, propertyName));
in JSObject.h:445

Structure::despecifyFunctionTransition (Structure.cpp:495) allocates memory for
the prototype by a create(...) function. Unfortunately, the previously freed
memory is reused by malloc.

By pointers:

String.prototype was 0x0830f740. After String.prototype.sc_toDisplayString =
function() { ... }, it is changed to 0x08449578. Followed by
String.prototype.sc_toWriteString = function() { ... }, it was set to
0x0830f740, because malloc reused the memory space. Of course the pointer
"meaning" is changed, but its physical value is not.

Gavin, you were right (again). The bug was related to prototype caching, since
prototypes are also memory objects, which can be reused after free().

What should I do now?
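
Added illustration, not code from the bug or from WebKit: a constructed C++ replay of the address sequence in the comment above. A cache keyed on raw Structure pointer identity accepts the reused address as the original prototype, while a cache that also records an allocation generation (one possible mitigation, assumed here, not WebKit's actual fix) rejects it. The two-slot allocator, the generation counter and the method numbers are constructed stand-ins.

```cpp
#include <cstdint>
// Constructed stand-in for the prototype Structure objects discussed in the comment.
struct Structure { uint64_t generation; int method; };  // generation bumps per allocation
// Two-slot allocator that always hands out the lowest free slot, so a freed block is
// reused deterministically (in the report, malloc happened to do the same).
static Structure g_slots[2]; static bool g_inUse[2]; static uint64_t g_nextGeneration = 1;
static void resetHeap() { g_inUse[0] = g_inUse[1] = false; g_nextGeneration = 1; }
static Structure* allocStructure(int method) {
    for (int i = 0; i < 2; ++i) {
        if (g_inUse[i]) continue;
        g_inUse[i] = true;
        g_slots[i] = { g_nextGeneration++, method };
        return &g_slots[i];
    }
    return nullptr;  // not reached in this replay
}
static void freeStructure(Structure* s) { g_inUse[s - g_slots] = false; }
// Cache keyed on raw pointer identity only, like the method check described above.
struct PointerCache { Structure* cached; };
static bool pointerCacheHit(const PointerCache& c, Structure* live) { return c.cached == live; }
// Cache keyed on pointer plus allocation generation: a reused address no longer matches.
struct GenerationCache { Structure* cached; uint64_t generation; };
static bool generationCacheHit(const GenerationCache& c, Structure* live) {
    return c.cached == live && c.generation == live->generation;
}
struct Replay { Structure* original; uint64_t originalGeneration; Structure* live; };
// Replays the comment's addresses (original -> new -> original again): the cache records
// 'original', two transitions follow, and the second one lands on original's freed slot.
static Replay replayTransitions() {
    Replay r{}; resetHeap();
    r.original = allocStructure(0);                 // String.prototype before any put
    r.originalGeneration = r.original->generation;  // recorded while the object is alive
    Structure* afterDisplay = allocStructure(1);    // sc_toDisplayString transition
    freeStructure(r.original);                      // previous Structure released
    r.live = allocStructure(2);                     // sc_toWriteString transition reuses the freed slot
    freeStructure(afterDisplay);
    return r;
}
// True: the pointer-only cache treats the reused address as the cached prototype.
bool pointerCacheIsFooled() {
    Replay r = replayTransitions();
    PointerCache c{ r.original };
    return r.live == r.original && r.live->method == 2 && pointerCacheHit(c, r.live);
}
// False: the generation differs even though the address is identical.
bool generationCacheIsFooled() {
    Replay r = replayTransitions();
    GenerationCache c{ r.original, r.originalGeneration };
    return generationCacheHit(c, r.live);
}
```

The same identity confusion arises whenever a cache compares a raw address of a collectable object without keeping that object alive or versioning the address.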
