[Webkit-unassigned] [Bug 52075] Don't assert when trying to recompile JS while executing JS

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 10 14:31:41 PST 2011


https://bugs.webkit.org/show_bug.cgi?id=52075

--- Comment #5 from Gavin Barraclough <barraclough at apple.com>  2011-01-10 14:31:41 PST ---
The problem probably lies further up the call stack.

globalData->dynamicGlobalObject should be being set upon the topmost entry into JavaScriptCore and cleared when this entry returns.  I.e. this value being non-null should correspond to there being any JavaScriptCore call frames higher up the call stack.  If this value is non-null, and there are no call frames inside JavaScript execution higher up the stack, then this is a bug – we should work out how this got set, or why it hasn't been cleared.

If there are call frames in JavaScript higher up the stack then we cannot call recompileAllJSFunctions().  There may be call frames on the stack associated with JIT code translations, and if we throw away the references to the JIT code, then the code may be trashed before we return to it.

An example of a sequence of events that would cause incorrect behavior would be:

(1) WebCore calls to JSC
(2) JSC JIT compiles a JavaScript function, and calls into the JIT generated code.
(3) the JIT generated code calls out to a host function (a function or property getter implemented in native code).
(4) the host callback calls from JSC back into WebCore (hence we are in WebCore, with dynamicGlobalObject set to a non-null value)
(5) WebCore calls recompileAllJSFunctions, throwing away all JIT code.  Memory previously used by JIT code is deallocated, and may be overwritten.
(6) WebCore returns back to JSC.
(7) JSC returns back from the host callback to the JIT code for the JS function it has previously been executing.
(8) The JIT code has been released, and possibly overwritten, so you may (or may not) now crash, depending on whether the JIT code happens to have been overwritten yet, the allocator in use, etc, etc.

This is why we don't currently allow code for functions to be thrown away whilst JIT call frames are on the machine stack.
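The invariant described in the comment, as an added C++ example that is not WebKit's own code: a scope guard sets a stand-in for dynamicGlobalObject on the topmost entry into the engine, and recompileAllJSFunctions() refuses to free JIT code while that value is non-null, so the re-entrant sequence (1)-(7) above cannot return into released memory. VM, EntryScope, runJitFunction and webCoreCallsJS are hypothetical simplifications of JSGlobalData and the real entry path.

```cpp
#include <cassert>
#include <functional>
#include <vector>

// Hypothetical stand-in for JSGlobalData: dynamicGlobalObject is non-null
// exactly while JavaScriptCore call frames are live on the machine stack.
struct VM {
    const void* dynamicGlobalObject = nullptr;
    std::vector<int> jitCode;      // stands in for executable memory of JIT'd code
    int recompileCount = 0;
    int refusedRecompiles = 0;
};

// RAII guard modelling the topmost entry into JavaScriptCore: set on entry,
// cleared when that entry returns; nested entries leave it untouched.
struct EntryScope {
    VM& vm;
    bool topmost;
    EntryScope(VM& v, const void* globalObject)
        : vm(v), topmost(v.dynamicGlobalObject == nullptr) {
        if (topmost) vm.dynamicGlobalObject = globalObject;
    }
    ~EntryScope() { if (topmost) vm.dynamicGlobalObject = nullptr; }
};

// Throwing JIT code away is only safe with no JIT frames on the stack; while
// dynamicGlobalObject is set, a caller in runJitFunction() would return into
// freed memory, so the request is refused instead (step 8 never happens).
bool recompileAllJSFunctions(VM& vm) {
    if (vm.dynamicGlobalObject != nullptr) { ++vm.refusedRecompiles; return false; }
    vm.jitCode.clear();
    ++vm.recompileCount;
    return true;
}

// Steps (2)-(7): "JIT code" calls a host function that calls back into WebCore.
// Returns the code size still live on return, or -1 if it was freed underneath us.
int runJitFunction(VM& vm, const std::function<void(VM&)>& hostCallback) {
    vm.jitCode.assign(16, 0xC3);   // constructed placeholder for compiled bytes
    hostCallback(vm);              // steps (3)/(4): out to native code, into WebCore
    return vm.jitCode.empty() ? -1 : static_cast<int>(vm.jitCode.size());
}

// Step (1): WebCore calls into JSC; the host callback attempts step (5).
int webCoreCallsJS(VM& vm) {
    static int globalObject;       // placeholder identity for the global object
    EntryScope scope(vm, &globalObject);
    return runJitFunction(vm, [](VM& v) { recompileAllJSFunctions(v); });
}
```

Once the topmost entry has returned and dynamicGlobalObject is cleared, the same recompile request succeeds.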
