Changeset 16797 in webkit for trunk/JavaScriptCore
- Timestamp: Oct 4, 2006, 6:07:49 PM
- Location: trunk/JavaScriptCore
- Files: 2 edited
trunk/JavaScriptCore/ChangeLog
r16795 r16797 1 2006-10-04 Geoffrey Garen <[email protected]> 2 3 Patch by Darin and me, reviewed by Maciej. 4 5 Fixed <rdar://problem/4518397> REGRESSION(?): Oft-seen but unrepro crash 6 in JavaScript garbage collection (KJS::Collector::collect()) 7 <rdar://problem/4752492> Crash in KJS::collect 8 9 The issue here was allocating one garbage-collected object in the midst 10 of allocating a second garbage-collected object. In such a case, the 11 zeroIfFree word lies. 12 13 * kjs/collector.cpp: 14 (KJS::Collector::allocate): 15 (KJS::Collector::collect): 16 1 17 2006-10-04 Kevin McCullough <[email protected]> 2 18 -
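Review bot: the new ChangeLog entry lists `(KJS::Collector::allocate):` and `(KJS::Collector::collect):` with no per-function description, so the log does not tell a reader that the allocate() hunk is a blank line only while collect() gains the uninitialized-cell skip and the CELLS_PER_BLOCK loop bound. Add a line under each, for example `(KJS::Collector::collect): Skip cells that are off the free list but still read zeroIfFree == 0; they are mid-allocation and have no vptr yet.` The phrase "the zeroIfFree word lies" would also be clearer if it said which way it lies: the cell has been handed out by allocate() but its first word still reads 0 because the constructor has not run.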
trunk/JavaScriptCore/kjs/collector.cpp
r16614 r16797 119 119 size_t numLiveObjectsAtLastCollect = heap.numLiveObjectsAtLastCollect; 120 120 size_t numNewObjects = numLiveObjects - numLiveObjectsAtLastCollect; 121 121 122 if (numNewObjects >= ALLOCATIONS_PER_COLLECTION && numNewObjects >= numLiveObjectsAtLastCollect) { 122 123 collect(); … … 493 494 imp->m_marked = false; 494 495 } else if (currentThreadIsMainThread || imp->m_destructorIsThreadSafe) { 496 // special case for allocated but uninitialized object 497 // (We don't need this check earlier because nothing prior this point assumes the object has a valid vptr.) 498 if (cell->u.freeCell.zeroIfFree == 0) 499 continue; 500 495 501 imp->~JSCell(); 496 502 --usedCells; … … 505 511 } else { 506 512 size_t minimumCellsToProcess = usedCells; 507 for (size_t i = 0; i < minimumCellsToProcess; i++) {513 for (size_t i = 0; (i < minimumCellsToProcess) & (i < CELLS_PER_BLOCK); i++) { 508 514 CollectorCell *cell = curBlock->cells + i; 509 515 if (cell->u.freeCell.zeroIfFree == 0) {
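Review bot: the first hunk (collector.cpp lines 119-123) only inserts a blank line before the `if (numNewObjects >= ALLOCATIONS_PER_COLLECTION && numNewObjects >= numLiveObjectsAtLastCollect)` test, yet the ChangeLog credits a change to KJS::Collector::allocate. Either drop the whitespace-only change or make the ChangeLog say allocate() is functionally unchanged, so nobody bisecting the crash later looks here for the fix.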
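Review bot: in the full-block sweep (collector.cpp lines 493-502) the new `if (cell->u.freeCell.zeroIfFree == 0) continue;` depends on the vptr sharing its word with zeroIfFree, but the comment only says that nothing before this point needs a valid vptr. State the invariant outright: a cell that is not on the free list yet still reads zeroIfFree == 0 has been returned by allocate() but its constructor has not run, which is the nested-allocation case from the ChangeLog, and destructing it through the unset vptr is the crash being fixed. Also say that `continue` deliberately leaves usedCells and numLiveObjects untouched for that cell, since the in-flight allocation still owns it when collect() returns; without that note the skipped decrements read like a leak. The placement is right: `imp->m_marked` is a plain data member read, so no virtual call happens on the garbage cell before the check.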
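Review bot: the loop-bound change (collector.cpp line 513) uses bitwise `&` on two bool comparisons, `(i < minimumCellsToProcess) & (i < CELLS_PER_BLOCK)`; that is well defined for bool operands but reads as a typo for `&&`. If it is intentional (avoiding a second branch in the hot sweep loop), add a comment saying so, otherwise use `&&`. The cap itself is needed and also undocumented: in this partial-block path a cell with zeroIfFree == 0 is treated as free (line 515), so an allocated-but-uninitialized cell is counted in usedCells, and therefore in minimumCellsToProcess, while also matching the free-cell test; without the CELLS_PER_BLOCK bound the loop could walk past the end of curBlock->cells. One comment line above the `for` explaining that would save the next reader the same analysis.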