[Webkit-unassigned] [Bug 27077] Workers + garbage collector: weird crashes

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 20 13:42:27 PDT 2009

https://bugs.webkit.org/show_bug.cgi?id=27077

--- Comment #21 from Gavin Barraclough <barraclough at apple.com>  2009-07-20 13:42:24 PDT ---
Gah, yes! - that's definitely a bug, we should be ref'ing/deref'ing the
prototype structure in the same way we do the structure.

There should be no need to explicitly protect the prototype object (its
existence is implied by the structure check matching).  If the prototype object
has been freed & GC'ed then no objects can exist with this structure, so the
structure check must fail.  We cannot get a false positive from the structure
check through the structure being freed and a new structure happening to be
allocated in the same location, since the codeblock preserved the structure.

In the case of the callee, we also don't need to protect the object, but for
slightly subtler reasons.  The prototype structure implies the prototype has a
property of a given name with a specific value.  It would be possible for the
callee to be GC'ed, and a new object to be allocated in its place.  For this to
happen all objects of the prototype structure must have also been destroyed (or
their structures must have changed).  The new object allocated in place of the
callee could be added to an object with the same name, follow the same
structure transition, and reach the same prototype structure as had previously
been reached.  However in such a set of events the correct result for op
method check to produce is still callee (albeit a new value of callee that just
happens to be at the same location).

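The ref-counting argument in the comment above, as an added toy model (my own code, not JSC's; the two-slot pool, the `Structure` fields and the function names are assumptions): the cache holds a raw pointer to the prototype structure and compares it by address, so if the cache does not hold a ref, the structure can be freed and a different structure allocated at the same address, and the address comparison passes for the wrong structure. Holding a ref keeps the slot occupied, so no other structure can ever land there while the cache points at it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Toy model (assumption, not JSC code): a two-slot pool stands in for the heap,
 * so a freed Structure's slot is reused by the very next allocation. */
typedef struct { int refCount; int id; bool live; } Structure;

static Structure pool[2];
static int nextId;

static void poolReset(void) { memset(pool, 0, sizeof pool); nextId = 1; }

static Structure* structureCreate(void) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++) {
        if (!pool[i].live) {
            pool[i].live = true; pool[i].refCount = 1; pool[i].id = nextId++;
            return &pool[i];
        }
    }
    return NULL;
}
static void structureRef(Structure* s)   { s->refCount++; }
static void structureDeref(Structure* s) { if (--s->refCount == 0) s->live = false; }

/* Returns true if the cached pointer compares equal to a structure that is not
 * the one it was recorded against: a false-positive structure check. */
static bool methodCheckFalsePositive(bool cacheRefsPrototypeStructure) {
    poolReset();
    Structure* protoStructure = structureCreate();   /* held by the prototype object */
    int recordedId = protoStructure->id;

    /* The code block records the prototype structure in its method-check cache. */
    Structure* cached = protoStructure;
    if (cacheRefsPrototypeStructure) structureRef(cached);

    /* The prototype object is collected and drops its reference. */
    structureDeref(protoStructure);

    /* An unrelated object needs a new structure; the allocator may reuse the slot. */
    Structure* fresh = structureCreate();

    bool falsePositive = (cached == fresh) && (fresh->id != recordedId);
    if (cacheRefsPrototypeStructure) structureDeref(cached);
    return falsePositive;
}

int main(void) {
    printf("without ref: false positive = %d\n", methodCheckFalsePositive(false)); /* 1 */
    printf("with ref:    false positive = %d\n", methodCheckFalsePositive(true));  /* 0 */
    return 0;
}
```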