[Webkit-unassigned] [Bug 156532] New: ShadowChicken::visitChildren() should not visit tailMarkers and throwMarkers.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 13 00:00:44 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=156532

            Bug ID: 156532
           Summary: ShadowChicken::visitChildren() should not visit
                    tailMarkers and throwMarkers.
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

ShadowChicken can store tailMarkers and throwMarkers in its log, specifically in the callee field of a log packet.  However, ShadowChicken::visitChildren() unconditionally visits the callee field of each packet as if they are real objects.  If visitChildren() encounters one of these markers in the log, we get a crash.

This crash was observed in the v8-v6/v8-regexp.js stress test running with shadow chicken when r199393 landed.  r199393 introduced tail calls to a RegExp split fast path, and the v8-regexp.js test exercised this fast path a lot.  Throw in some timely GCs, and we get a crash party.

The fix is to have ShadowChicken::visitChildren() filter out the tailMarker and throwMarker.

Alternatively, if perf is an issue, we can allocate 2 dedicated objects for these markers so that ShadowChicken can continue to visit them.  For now, I'm going with the filter.
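As an added illustration (not code from this bug or from JavaScriptCore), here is a simplified model of the log and of the filtering fix: the marker values are non-pointer bit patterns stored in the pointer-typed callee field, so the GC visitor must skip them before treating the field as a cell. The names Cell, Packet, Visitor and the two visitChildren variants are assumed stand-ins for the real JSC types.

```cpp
#include <cstdint>
#include <vector>
// Simplified model (assumed, not JavaScriptCore's code) of a ShadowChicken log packet.
struct Cell { bool marked = false; };   // stands in for a heap-allocated JSObject

struct Packet {
    Cell* callee = nullptr;   // a real object, or one of the two sentinel markers
    // The markers are small non-pointer bit patterns kept in the callee field;
    // dereferencing either one faults.
    static Cell* tailMarker()  { return reinterpret_cast<Cell*>(static_cast<uintptr_t>(1)); }
    static Cell* throwMarker() { return reinterpret_cast<Cell*>(static_cast<uintptr_t>(2)); }
    bool isMarker() const { return callee == tailMarker() || callee == throwMarker(); }
};
// Minimal stand-in for the GC's SlotVisitor: marking means touching the cell.
struct Visitor {
    int visited = 0;
    void append(Cell* cell) { cell->marked = true; ++visited; }
};

// Buggy shape of visitChildren(): every callee is handed to the visitor as a real cell,
// so a log containing a marker makes the GC dereference a bogus address.
void visitChildrenUnfiltered(const std::vector<Packet>& log, Visitor& v)
{
    for (const Packet& p : log)
        if (p.callee)
            v.append(p.callee);
}

// Fixed shape: filter the markers out before anything treats the field as a cell.
void visitChildrenFiltered(const std::vector<Packet>& log, Visitor& v)
{
    for (const Packet& p : log)
        if (p.callee && !p.isMarker())
            v.append(p.callee);
}

// Constructed log: two real callees interleaved with a tail marker and a throw marker.
// Returns how many cells the filtered visit marked; optionally reports whether both real callees were marked.
int visitConstructedLog(bool* bothRealCalleesMarked = nullptr)
{
    Cell a, b;
    std::vector<Packet> log = { Packet{&a}, Packet{Packet::tailMarker()},
                                Packet{&b}, Packet{Packet::throwMarker()} };
    Visitor v;
    visitChildrenFiltered(log, v);
    if (bothRealCalleesMarked)
        *bothRealCalleesMarked = a.marked && b.marked;
    return v.visited;
}
```

Running visitChildrenUnfiltered on the same constructed log is exactly the crash the report describes, which is why the example only exercises the filtered variant.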
