[Webkit-unassigned] [Bug 28909] New: DateInstance object collected on ARM JIT (JSValue: WTF_USE_JSVALUE32)
bugzilla-daemon at webkit.org
Wed Sep 2 06:51:51 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=28909
Summary: DateInstance object collected on ARM JIT (JSValue: WTF_USE_JSVALUE32)
Product: WebKit
Version: 528+ (Nightly build)
Platform: Other
OS/Version: Linux
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: zherczeg at inf.u-szeged.hu
Small example:
var startTime = new Date
print(startTime)
// Mess up the gc'ed area
gc()
for (var i = 0; i < 100; ++i)
    new Number(0.2)
print(startTime)
Output:
Wed Sep 02 2009 11:43:57 GMT+0200 (CEST)
Thu Jan 01 1970 01:00:00 GMT+0100 (CET)
Known things so far:
JSWrapperObject::markChildren is not called for DateInstance objects
This method is usually called from:
JSArray.h:189
currentCell->markChildren(*this);
However, in case of DateInstance, the following line is called
JSArray.h:185
static_cast<JSObject*>(currentCell)->markChildrenDirect(*this);
which means (currentCell->structure()->typeInfo().hasDefaultMark()) is true
Any idea? I feel hasDefaultMark() should not be true
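Added example (not part of the original report and not JavaScriptCore code): a toy C++ mark phase showing how the dispatch described in the report leaves a wrapper's internal value unmarked when hasDefaultMark is true. The Cell and Wrapper types, the internalValue field and internalValueSurvives() are simplified assumptions that only borrow names from the report.

```cpp
#include <cstdio>
#include <vector>

// Toy model (assumption): a heap cell with a mark bit and property storage.
struct Cell {
    bool marked = false;
    bool hasDefaultMark = true;        // type-info flag consulted by the marker
    std::vector<Cell*> properties;     // ordinary property storage
    virtual ~Cell() = default;
    // Fast path: pushes property storage only, no virtual dispatch.
    void markChildrenDirect(std::vector<Cell*>& stack) {
        for (Cell* c : properties) stack.push_back(c);
    }
    virtual void markChildren(std::vector<Cell*>& stack) { markChildrenDirect(stack); }
};

// Stands in for a wrapper object such as DateInstance (assumption).
struct Wrapper : Cell {
    Cell* internalValue = nullptr;     // kept outside property storage
    explicit Wrapper(bool flag) { hasDefaultMark = flag; }
    void markChildren(std::vector<Cell*>& stack) override {
        Cell::markChildren(stack);
        if (internalValue) stack.push_back(internalValue);
    }
};

// Mark from one root, choosing the path the way the report describes.
void mark(Cell* root) {
    std::vector<Cell*> stack{root};
    while (!stack.empty()) {
        Cell* cell = stack.back();
        stack.pop_back();
        if (cell->marked) continue;
        cell->marked = true;
        if (cell->hasDefaultMark) cell->markChildrenDirect(stack);
        else cell->markChildren(stack);
    }
}

// True if the wrapper's internal value is still marked after the mark phase.
bool internalValueSurvives(bool wrapperHasDefaultMark) {
    Cell value;
    Wrapper date(wrapperHasDefaultMark);
    date.internalValue = &value;
    mark(&date);
    return value.marked;
}

int main() {
    std::printf("flag true: %d, flag false: %d\n",
                internalValueSurvives(true), internalValueSurvives(false));
}
```

In this model an unmarked internal value is free for reuse by later allocations, which is consistent with the changed date in the report's output.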