[Webkit-unassigned] [Bug 156532] New: ShadowChicken::visitChildren() should not visit tailMarkers and throwMarkers.
bugzilla-daemon at webkit.org
Wed Apr 13 00:00:44 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=156532
Bug ID: 156532
Summary: ShadowChicken::visitChildren() should not visit tailMarkers and throwMarkers.
Classification: Unclassified
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mark.lam at apple.com
ShadowChicken can store tailMarkers and throwMarkers in its log, specifically in the callee field of a log packet. However, ShadowChicken::visitChildren() unconditionally visits the callee field of each packet as if they are real objects. If visitChildren() encounters one of these markers in the log, we get a crash.
This crash was observed in the v8-v6/v8-regexp.js stress test running with shadow chicken when r199393 landed. r199393 introduced tail calls to a RegExp split fast path, and the v8-regexp.js test exercised this fast path a lot. Throw in some timely GCs, and we get a crash party.
The fix is to have ShadowChicken::visitChildren() filter out the tailMarker and throwMarker.
Alternatively, if perf is an issue, we can allocate 2 dedicated objects for these markers so that ShadowChicken can continue to visit them. For now, I'm going with the filter.
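The failure mode and the chosen fix, as an added illustration that is not WebKit's code: a log whose callee field can hold either a real object or one of two sentinel markers, a visitor that marks every callee unconditionally, and the filtered variant. The marker values, the `Heap` model and all names here are assumed for the illustration.

```cpp
#include <cstdint>
#include <unordered_set>
#include <vector>
// Stand-in for a heap-allocated JS object; the GC "visits" it by marking it.
struct JSObjectLike { bool marked = false; };

// Constructed sentinels (values assumed, not WebKit's): small non-object addresses
// a ShadowChicken-style log stores in a packet's callee field for a tail call or throw.
inline JSObjectLike* tailMarker()  { return reinterpret_cast<JSObjectLike*>(uintptr_t(1)); }
inline JSObjectLike* throwMarker() { return reinterpret_cast<JSObjectLike*>(uintptr_t(2)); }
struct Packet { JSObjectLike* callee; }; // a real object, or one of the two markers

// Minimal heap model: the visitor only knows registered live objects, so any other
// pointer reaching it stands in for the crash (dereferencing a non-object).
struct Heap {
    std::unordered_set<JSObjectLike*> live;
    int badVisits = 0;
    void visit(JSObjectLike* p) {
        if (!live.count(p)) { ++badVisits; return; } // a real GC would crash here
        p->marked = true;
    }
};

// Buggy shape: every callee field is visited as if it were a real object.
void visitChildrenUnfiltered(Heap& heap, const std::vector<Packet>& log) {
    for (const Packet& packet : log)
        heap.visit(packet.callee);
}

// Fixed shape: filter both markers out before handing the pointer to the GC.
void visitChildrenFiltered(Heap& heap, const std::vector<Packet>& log) {
    for (const Packet& packet : log) {
        if (packet.callee == tailMarker() || packet.callee == throwMarker())
            continue;
        heap.visit(packet.callee);
    }
}

// Constructed log: two real callees with a tail call and a throw recorded between
// them. Returns the number of bad visits; *markedOut receives the mark count.
int runScenario(bool filtered, int* markedOut) {
    Heap heap;
    JSObjectLike a, b;
    heap.live = { &a, &b };
    std::vector<Packet> log = { {&a}, {tailMarker()}, {&b}, {throwMarker()} };
    if (filtered) visitChildrenFiltered(heap, log);
    else visitChildrenUnfiltered(heap, log);
    if (markedOut) *markedOut = int(a.marked) + int(b.marked);
    return heap.badVisits;
}
```

Both variants mark the two real callees; only the unfiltered one also hands the two marker values to the visitor, which is the path the report describes crashing under GC.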