Changeset 178266 in webkit for trunk/Source/JavaScriptCore/heap/Heap.cpp

Timestamp:

Jan 12, 2015, 8:29:22 AM (10 years ago)

Author:

[email protected]

Message:

Local JSArray* "keys" in objectConstructorKeys() is not marked during garbage collection
​https://bugs.webkit.org/show_bug.cgi?id=140348

Reviewed by Mark Lam.

Move the address of the local variable that is used to demarcate the top of the stack for
conservative roots down to MachineThreads::gatherFromCurrentThread() since it also gets
the register values using setjmp(). That way we don't lose any callee save register
contents between Heap::markRoots(), where it was set, and gatherFromCurrentThread().
If we lose any JSObject* that are only in callee save registers, they will be GC'ed
erroneously.

• heap/Heap.cpp:

(JSC::Heap::markRoots):
(JSC::Heap::gatherStackRoots):

• heap/Heap.h:
• heap/MachineStackMarker.cpp:

(JSC::MachineThreads::gatherFromCurrentThread):
(JSC::MachineThreads::gatherConservativeRoots):

• heap/MachineStackMarker.h:

File:

• trunk/Source/JavaScriptCore/heap/Heap.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/heap/Heap.cpp

@@ -505 +505 @@
     // We gather conservative roots before clearing mark bits because conservative
     // gathering uses the mark bits to determine whether a reference is valid.
-    void* dummy;
     ConservativeRoots conservativeRoots(&m_objectSpace.blocks(), &m_storageSpace);
-    gatherStackRoots(conservativeRoots, &dummy);
+    gatherStackRoots(conservativeRoots);
     gatherJSStackRoots(conservativeRoots);
     gatherScratchBufferRoots(conservativeRoots);
@@ -567 +566 @@
 }
 
-void Heap::gatherStackRoots(ConservativeRoots& roots, void** dummy)
+void Heap::gatherStackRoots(ConservativeRoots& roots)
 {
     GCPHASE(GatherStackRoots);
     m_jitStubRoutines.clearMarks();
-    m_machineThreads.gatherConservativeRoots(roots, m_jitStubRoutines, m_codeBlocks, dummy);
+    m_machineThreads.gatherConservativeRoots(roots, m_jitStubRoutines, m_codeBlocks);
 }