[Webkit-unassigned] [Bug 37554] REGRESSION: fast/workers/wrapper-map-gc.html crashes on Snow Leopard Release Bot

bugzilla-daemon at webkit.org
Tue Apr 20 20:41:43 PDT 2010

https://bugs.webkit.org/show_bug.cgi?id=37554

--- Comment #10 from Dmitry Titov <dimich at chromium.org>  2010-04-20 20:41:42 PST ---
It was broken by introducing the possibility for a JS wrapper of WorkerContext
to be returned as 0 in case of a terminated worker, to prevent the re-entry into JS
(r57349). It works fine if all the places that get the wrapper before invoking
JS check for the value. JSEventListener did not, so if the worker's JS execution
was terminated between pulling globalObject (returns 0 for terminated worker,
there is a check) and getting a wrapper for the 'this' (returns 0 for
terminated worker, no check) - the subsequent attempt to run a listener
function crashes.

Note there is no need to synchronize checks here, even though the termination
is requested on one thread and the value of a flag is used on another - once
the JS execution on the worker thread is set up properly, it's ok to go into it
since it will be terminated by JSC::Terminator causing an exception eventually.

So, I broke it :-(. My only excuse is that I wrote the test that caught the
borkage and I now have a fix :-) Patch coming.
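
The window described in the comment above, as a simplified C++ model added here; it is not WebKit code and not part of the original comment. `WorkerModel`, `Wrapper`, `dispatchEvent` and the `betweenLookups` hook are hypothetical names, and the hook exists only so the termination can be placed deterministically between the two lookups.

```cpp
// Simplified model of the race described in the comment; not WebKit code.
// WorkerModel, Wrapper, dispatchEvent and betweenLookups are hypothetical names.
#include <atomic>
#include <functional>

struct Wrapper { int listenerCalls = 0; };

class WorkerModel {
public:
    void terminate() { m_terminated.store(true); }
    // Both lookups return 0 (nullptr) once the worker has been terminated.
    Wrapper* globalObject() { return m_terminated.load() ? nullptr : &m_global; }
    Wrapper* thisWrapper() { return m_terminated.load() ? nullptr : &m_this; }
private:
    std::atomic<bool> m_terminated{false};
    Wrapper m_global;
    Wrapper m_this;
};

enum class Dispatch { Ran, NoGlobalObject, NoThisWrapper };

// betweenLookups stands in for whatever another thread does in the window
// between the two lookups; callers use it to place a termination there.
Dispatch dispatchEvent(WorkerModel& worker, const std::function<void()>& betweenLookups)
{
    Wrapper* global = worker.globalObject();
    if (!global)
        return Dispatch::NoGlobalObject;   // the check that already existed

    betweenLookups();

    Wrapper* thisValue = worker.thisWrapper();
    if (!thisValue)
        return Dispatch::NoThisWrapper;    // the check the listener path lacked

    ++thisValue->listenerCalls;            // "run the listener" with a valid 'this'
    return Dispatch::Ran;
}

int main()
{
    WorkerModel worker;
    // Termination lands after the first check passed; the second check catches it.
    Dispatch result = dispatchEvent(worker, [&] { worker.terminate(); });
    return result == Dispatch::NoThisWrapper ? 0 : 1;
}
```

Without the second check, the `++thisValue->listenerCalls` line would dereference a null pointer in exactly the case `main` sets up.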
