[Webkit-unassigned] [Bug 192717] New: CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 14 14:19:57 PST 2018


            Bug ID: 192717
           Summary: CallFrame::convertToStackOverflowFrame() needs to keep
                    the top CodeBlock alive.
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

When throwing a StackOverflowError, we convert the topCallFrame into a StackOverflowFrame.  Previously, we would nullify the codeBlock field in the frame because a StackOverflowFrame is only a sentinel and doesn't really correlate to any CodeBlocks.  However, this is a problem because the topCallFrame may be the only remaining place that references the CodeBlock that the stack overflow is triggered in.  The way we handle exceptions in JIT code is to return (from the runtime operation function throwing the exception) to the JIT code to check for the exception and if needed, do some clean up before jumping to the exception handling thunk.  As a result, we need to keep that JIT code alive, which means we need to keep its CodeBlock alive.  We only need to keep this CodeBlock alive until we've unwound (in terms of exception handling) out of it.

We fix this issue by storing the CodeBlock to keep alive in the StackOverflowFrame for the GC to scan while the frame is still on the stack.
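The liveness reasoning above can be modeled with a toy stack scan. The following is an added example, not JavaScriptCore code: `CodeBlock`, `CallFrame`, `convertToStackOverflowFrame` and `scanStackForLiveCodeBlocks` are simplified stand-ins for the real types and GC, and the `keepCodeBlockAlive` flag simply switches between the old behaviour (nullify the frame's CodeBlock) and the fixed behaviour (leave the pointer in the sentinel frame so the GC finds it). It shows that, when the top frame is the only remaining reference, nullifying it makes the overflowed CodeBlock unreachable to the collector even though JIT code still has to return into it.

```cpp
#include <cstdio>
#include <set>
#include <vector>

// Toy stand-in for a CodeBlock. In JSC this owns the JIT code that the runtime
// returns into after throwing; here it only carries an id. (Assumption, not JSC's type.)
struct CodeBlock {
    int id;
};

// Toy call frame: a normal frame references its CodeBlock; a StackOverflowFrame
// is a sentinel that, before the fix, referenced none. (Assumption, not JSC's type.)
struct CallFrame {
    CodeBlock* codeBlock = nullptr;
    bool isStackOverflowFrame = false;
};

// Convert the top frame into the StackOverflowFrame sentinel.
// keepCodeBlockAlive == false models the old behaviour (codeBlock nulled out);
// keepCodeBlockAlive == true models the fix (CodeBlock stored for the GC to scan).
void convertToStackOverflowFrame(CallFrame& frame, bool keepCodeBlockAlive) {
    frame.isStackOverflowFrame = true;
    if (!keepCodeBlockAlive)
        frame.codeBlock = nullptr;
}

// Toy root scan: every CodeBlock reachable from a frame still on the stack is live.
std::set<const CodeBlock*> scanStackForLiveCodeBlocks(const std::vector<CallFrame>& stack) {
    std::set<const CodeBlock*> live;
    for (const CallFrame& frame : stack) {
        if (frame.codeBlock)
            live.insert(frame.codeBlock);
    }
    return live;
}

// Simulate a stack overflow in the top frame, then one GC root scan.
// Returns true if the CodeBlock of the overflowed frame is still considered live,
// i.e. the JIT code the runtime will return into has not become collectable.
bool overflowedCodeBlockSurvivesScan(bool keepCodeBlockAlive) {
    CodeBlock caller{1};
    CodeBlock overflowed{2};

    // Constructed stack: the caller frame and the frame that overflowed.
    // The top frame is the ONLY reference to `overflowed`.
    std::vector<CallFrame> stack;
    stack.push_back(CallFrame{&caller});
    stack.push_back(CallFrame{&overflowed});

    convertToStackOverflowFrame(stack.back(), keepCodeBlockAlive);

    std::set<const CodeBlock*> live = scanStackForLiveCodeBlocks(stack);
    return live.count(&overflowed) != 0;
}

// The caller's CodeBlock is referenced by its own frame, so it stays live either way.
bool callerCodeBlockSurvivesScan(bool keepCodeBlockAlive) {
    CodeBlock caller{1};
    CodeBlock overflowed{2};
    std::vector<CallFrame> stack;
    stack.push_back(CallFrame{&caller});
    stack.push_back(CallFrame{&overflowed});
    convertToStackOverflowFrame(stack.back(), keepCodeBlockAlive);
    return scanStackForLiveCodeBlocks(stack).count(&caller) != 0;
}

int main() {
    std::printf("old behaviour: overflowed CodeBlock live after scan = %d\n",
                overflowedCodeBlockSurvivesScan(false));
    std::printf("fixed behaviour: overflowed CodeBlock live after scan = %d\n",
                overflowedCodeBlockSurvivesScan(true));
    return 0;
}
```

Run as is, the old behaviour reports the overflowed CodeBlock as not live (a collector would be free to reclaim it while the frame is still on the stack), and the fixed behaviour reports it live until the frame is unwound, which is exactly the window the report says must be covered.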
