[Webkit-unassigned] [Bug 142993] New: VM::releaseExecutableMemory() should not invoke the GC

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 23 17:05:25 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=142993

            Bug ID: 142993
           Summary: VM::releaseExecutableMemory() should not invoke the GC
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

Because VM::releaseExecutableMemory() invokes the GC, we can sometimes get a failed RELEASE_ASSERT which is expecting the GC to be deferred.  Here's an example of such a crash stack trace:

Thread 0 Crashed:
0   JavaScriptCore                    0x000000018362958c WTFCrash + 72 (Assertions.cpp:329)
1   JavaScriptCore                    0x0000000183629580 WTFCrash + 60 (Assertions.cpp:267)
2   JavaScriptCore                    0x00000001834b498c JSC::Heap::collect(JSC::HeapOperation) + 820 (Heap.cpp:987)
3   JavaScriptCore                    0x000000018320f4d0 JSC::Heap::collectAllGarbage() + 44 (Heap.cpp:958)
4   JavaScriptCore                    0x0000000183619144 JSC::VM::releaseExecutableMemory() + 864 (VM.cpp:599)
5   JavaScriptCore                    0x000000018321bb74 JSC::ExecutableAllocator::allocate(JSC::VM&, unsigned long, void*, JSC::JITCompilationEffort) + 88 (ExecutableAllocatorFixedVMPool.cpp:170)
6   JavaScriptCore                    0x000000018357746c JSC::LinkBuffer::allocate(unsigned long, void*, JSC::JITCompilationEffort) + 92 (LinkBuffer.cpp:200)
7   JavaScriptCore                    0x0000000183577530 void JSC::LinkBuffer::copyCompactAndLinkCode<unsigned int>(JSC::MacroAssembler&, void*, JSC::JITCompilationEffort) + 48 (LinkBuffer.cpp:93)
8   JavaScriptCore                    0x00000001835f9700 JSC::generateByIdStub(JSC::ExecState*, JSC::ByIdStubKind, JSC::Identifier const&, JSC::FunctionPtr, JSC::StructureStubInfo&, JSC::StructureChain*, unsigned long, int, JSC::Structure*, bool, JSC::WatchpointSet*, JSC::CodeLocationLabel, JSC::CodeLocationLabel, WTF::RefPtr<JSC::JITStubRoutine>&) + 4076 (LinkBuffer.h:95)
9   JavaScriptCore                    0x00000001835f32c4 JSC::buildGetByIDList(JSC::ExecState*, JSC::JSValue, JSC::Identifier const&, JSC::PropertySlot const&, JSC::StructureStubInfo&) + 960 (Repatch.cpp:832)
10  JavaScriptCore                    0x00000001832ca1f4 operationGetByIdBuildList + 1244 (JITOperations.cpp:147)
11  ???                               0x00000001416b323c 0 + 5392511548
12  JavaScriptCore                    0x0000000183582974 llint_entry + 24564
13  ???                               0x0000000141720450 0 + 5392958544
14  ???                               0x0000000141ab3010 0 + 5396705296
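The invariant that fails in the trace above, modelled as an added example (this is not WebKit or JavaScriptCore code): a heap keeps a GC-deferral depth, like the one JSC's DeferGC guard maintains, and a collection that starts while that depth is non-zero is the assertion failure. The toy `Heap`, `DeferGC`, `ExecutablePool`, `allocateUnsafe` and `allocateSafe` below are all constructed for illustration; `allocateUnsafe` has the shape the report complains about (the executable allocator forces a full collection when the pool is exhausted), while `allocateSafe` records the request, fails the allocation, and lets the outermost deferred region run the collection when it ends.

```cpp
// Added example, not JavaScriptCore code: a toy model of the bug's mechanism.
#include <cstddef>
#include <cstdio>
#include <stdexcept>

struct Heap {
    unsigned deferralDepth = 0;       // > 0 while any DeferGC scope is alive
    bool collectionRequested = false; // set when a collection had to be postponed
    unsigned collections = 0;         // how many collections actually ran

    // Stands in for Heap::collect(). The real engine hits a RELEASE_ASSERT
    // (WTFCrash) here; throwing lets this model report it instead.
    void collect() {
        if (deferralDepth != 0)
            throw std::logic_error("collect() entered while GC is deferred");
        collectionRequested = false;
        ++collections;
    }
};

// RAII guard modelled on DeferGC: no collection may run while it is alive.
// When the outermost guard goes away, a postponed collection is performed.
struct DeferGC {
    Heap& heap;
    explicit DeferGC(Heap& h) : heap(h) { ++heap.deferralDepth; }
    ~DeferGC() {
        if (--heap.deferralDepth == 0 && heap.collectionRequested)
            heap.collect();  // depth is 0 here, so this cannot throw
    }
};

struct ExecutablePool {
    size_t capacity;
    size_t used;
    explicit ExecutablePool(size_t cap) : capacity(cap), used(0) {}
};

// Buggy shape: on exhaustion, try to free memory by running a full GC right
// now, without checking whether the caller has deferred collection.
bool allocateUnsafe(Heap& heap, ExecutablePool& pool, size_t bytes) {
    if (pool.used + bytes > pool.capacity) {
        heap.collect();  // trips the invariant when called under DeferGC
        pool.used = 0;   // constructed assumption: the GC reclaimed the pool
    }
    pool.used += bytes;
    return true;
}

// Safer shape: the allocator never collects. It requests a collection and
// reports failure, so a caller that can tolerate failure backs off.
bool allocateSafe(Heap& heap, ExecutablePool& pool, size_t bytes) {
    if (pool.used + bytes > pool.capacity) {
        heap.collectionRequested = true;
        return false;
    }
    pool.used += bytes;
    return true;
}

// Simulates linking a JIT stub under DeferGC with a nearly full pool.
// Returns true if the allocation path completed without violating the invariant.
bool linkStubUnderDeferGC(bool useSafeAllocator) {
    Heap heap;
    ExecutablePool pool(64);
    pool.used = 60;  // constructed: only 4 bytes of executable memory left
    try {
        DeferGC defer(heap);
        bool ok = useSafeAllocator ? allocateSafe(heap, pool, 16)
                                   : allocateUnsafe(heap, pool, 16);
        (void)ok;
    } catch (const std::logic_error&) {
        return false;  // the real engine would have crashed in WTFCrash
    }
    return true;
}

// With the safe allocator, the postponed collection runs once the deferred
// region ends. Returns the number of collections performed.
unsigned collectionsAfterDeferredRegion() {
    Heap heap;
    ExecutablePool pool(64);
    pool.used = 60;
    {
        DeferGC defer(heap);
        allocateSafe(heap, pool, 16);  // fails and requests a collection
    }                                   // outermost guard exits -> collect()
    return heap.collections;
}

int main() {
    std::printf("unsafe allocator under DeferGC: %s\n",
                linkStubUnderDeferGC(false) ? "ok" : "invariant violated");
    std::printf("safe allocator under DeferGC:   %s\n",
                linkStubUnderDeferGC(true) ? "ok" : "invariant violated");
    std::printf("collections after region ended: %u\n",
                collectionsAfterDeferredRegion());
    return 0;
}
```

The point the model makes is that the check belongs at the entry to the collector, not in every caller: the allocator is reached from deep inside code generation, where the caller has no cheap way to know whether collection is currently allowed, so the allocator must not be the place that decides to collect.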
