[Webkit-unassigned] [Bug 67354] New: ValueProfile does not make it safe to introspect cell values after garbage collection
bugzilla-daemon at webkit.org
Wed Aug 31 20:28:05 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=67354
Summary: ValueProfile does not make it safe to introspect cell values after garbage collection
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: fpizlo at apple.com
The ValueProfile class holds 8 recent values seen at a particular JavaScript bytecode site. But if a value is a JSCell pointer, then after a garbage collection the pointer may no longer be valid. This prevents clients of the profiler from doing introspection of values beyond checking if they are cells. For example, it's not currently safe to check if a value is an array.
The ValueProfile should weakly reference JSCells, but should do it intelligently, so that if the JSCell is deleted by the collector, we still have some information about it: like, what was its structure, or if the structure is also deleted, then what is its class.
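To make the weak-reference-plus-snapshot design described in the report concrete, here is an added stand-alone C++ sketch; it is not JavaScriptCore code, and Structure, Cell, WeakProfileEntry and the toy collector are invented stand-ins. The collector clears the profile's pointer to a dying cell but leaves its class name behind, so a later "is it an array?" query never touches freed memory.

```cpp
// Added illustration, not JavaScriptCore code: a profile slot that weakly
// references a heap cell and keeps a snapshot of its class when the collector
// frees the cell, so introspection never dereferences a dangling pointer.
#include <algorithm>
#include <memory>
#include <string>
#include <vector>

struct Structure { std::string className; };   // stand-in for a JSC Structure
struct Cell { const Structure* structure; };   // stand-in for a JSCell

// One profile entry: live pointer while the cell exists, snapshot afterwards.
struct WeakProfileEntry {
    Cell* cell = nullptr;          // cleared by the collector when the cell dies
    std::string lastKnownClass;    // survives the cell's death
    bool isArray() const {
        const std::string& cls = cell ? cell->structure->className : lastKnownClass;
        return cls == "Array";
    }
};

struct ValueProfile {
    std::vector<WeakProfileEntry> entries;
    void record(Cell* c) { entries.push_back({c, c->structure->className}); }
};

// Toy collector: frees every cell not in the root set; before freeing a cell it
// visits the profile so any pointer to that cell is cleared (weak semantics).
void collect(std::vector<std::unique_ptr<Cell>>& heap, const std::vector<Cell*>& roots,
             ValueProfile& profile) {
    for (auto it = heap.begin(); it != heap.end();) {
        if (std::find(roots.begin(), roots.end(), it->get()) != roots.end()) { ++it; continue; }
        for (auto& e : profile.entries)
            if (e.cell == it->get()) { e.lastKnownClass = e.cell->structure->className; e.cell = nullptr; }
        it = heap.erase(it);   // cell memory is gone from here on
    }
}

// Scenario: profile an Array cell and an Object cell, let GC free the array,
// then introspect both entries without touching freed memory.
bool profileStillKnowsArrayAfterGC() {
    Structure arrayStructure{"Array"}, objectStructure{"Object"};
    std::vector<std::unique_ptr<Cell>> heap;
    heap.push_back(std::make_unique<Cell>(Cell{&arrayStructure}));
    heap.push_back(std::make_unique<Cell>(Cell{&objectStructure}));
    ValueProfile profile;
    profile.record(heap[0].get());
    profile.record(heap[1].get());
    std::vector<Cell*> roots{heap[1].get()};   // the array is unreachable, the object stays
    collect(heap, roots, profile);
    return profile.entries[0].cell == nullptr && profile.entries[0].isArray()
        && profile.entries[1].cell != nullptr && !profile.entries[1].isArray();
}
```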