[Webkit-unassigned] [Bug 192717] New: CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
bugzilla-daemon at webkit.org
Fri Dec 14 14:19:57 PST 2018
https://bugs.webkit.org/show_bug.cgi?id=192717
Bug ID: 192717
Summary: CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: mark.lam at apple.com
When throwing a StackOverflowError, we convert the topCallFrame into a StackOverflowFrame. Previously, we would nullify the codeBlock field in the frame because a StackOverflowFrame is only a sentinel and doesn't really correlate to any CodeBlocks. However, this is a problem because the topCallFrame may be the only remaining place that references the CodeBlock that the stack overflow is triggered in. The way we handle exceptions in JIT code is to return (from the runtime operation function throwing the exception) to the JIT code to check for the exception and if needed, do some clean up before jumping to the exception handling thunk. As a result, we need to keep that JIT code alive, which means we need to keep its CodeBlock alive. We only need to keep this CodeBlock alive until we've unwound (in terms of exception handling) out of it.
We fix this issue by storing the CodeBlock to keep alive in the StackOverflowFrame for the GC to scan while the frame is still on the stack.
<rdar://problem/46660677>
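As an added illustration that is not JavaScriptCore code, the following toy mark-and-sweep model shows the liveness problem described in the report: the GC treats the codeBlock field of every frame on the stack as a root, so nulling that field in the sentinel StackOverflowFrame drops the last reference to the CodeBlock whose JIT code still has to run its exception-check epilogue. All type and function names here are hypothetical stand-ins for the JSC ones.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Toy model, not JSC: a GC-managed CodeBlock stays alive only while some
// CallFrame on the stack still references it.
struct CodeBlock { int id = 0; bool marked = false; };

struct CallFrame {
    CodeBlock* codeBlock = nullptr;     // scanned by the GC as a root
    bool isStackOverflowFrame = false;  // sentinel, not a real activation
};

struct VM {
    std::vector<std::unique_ptr<CodeBlock>> heap;
    std::vector<CallFrame> stack;       // back() is the top call frame

    CodeBlock* allocCodeBlock(int id) {
        heap.push_back(std::make_unique<CodeBlock>());
        heap.back()->id = id;
        return heap.back().get();
    }
    bool isLive(const CodeBlock* cb) const {
        for (const auto& p : heap) if (p.get() == cb) return true;
        return false;
    }
    // Hypothetical stand-in for convertToStackOverflowFrame(): the old
    // behaviour nulled codeBlock; the fix keeps it so the GC still scans it.
    void convertTopToStackOverflowFrame(bool keepCodeBlockAlive) {
        CallFrame& top = stack.back();
        top.isStackOverflowFrame = true;
        if (!keepCodeBlockAlive) top.codeBlock = nullptr;
    }
    // Mark every CodeBlock referenced from the stack, then sweep the rest.
    void collectGarbage() {
        for (auto& p : heap) p->marked = false;
        for (const CallFrame& f : stack) if (f.codeBlock) f.codeBlock->marked = true;
        heap.erase(std::remove_if(heap.begin(), heap.end(),
                   [](const std::unique_ptr<CodeBlock>& p) { return !p->marked; }),
                   heap.end());
    }
};

// A caller frame calls a callee that overflows the stack; the top frame becomes
// the sentinel and a GC runs before the callee's JIT code has unwound.
// Returns whether the callee's CodeBlock (still needed by that code) survived.
bool calleeCodeBlockSurvivesGC(bool keepCodeBlockAlive) {
    VM vm;
    CodeBlock* caller = vm.allocCodeBlock(1);
    CodeBlock* callee = vm.allocCodeBlock(2);  // only the top frame references it
    vm.stack.push_back(CallFrame{caller, false});
    vm.stack.push_back(CallFrame{callee, false});
    vm.convertTopToStackOverflowFrame(keepCodeBlockAlive);
    vm.collectGarbage();
    return vm.isLive(callee);
}
```

With the old behaviour the callee CodeBlock is swept while the frame is still on the stack; with the fix it survives until the frame is popped.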