Ignore:
Timestamp:
Oct 2, 2015, 2:16:20 PM (10 years ago)
Author:
[email protected]
Message:

Unreviewed, rolling back in r190450
https://bugs.webkit.org/show_bug.cgi?id=149727

The cause of the crash was a CodeBlock, after surviving a call to
deleteAllCode by virtue of being in the remembered set, trying to mark
its inlined CodeBlocks via pointers from its inlined executables.
Since deleteAllCode clears those pointers, the CodeBlock would ASSERT.
(Any other choice to retain a CodeBlock after deleteAllCode -- for
example, conservative marking -- could trigger the same bug.)

The fix is for InlineCallFrame to point directly to its inlined CodeBlock
instead of pointing indirectly via an executable. This guarantees that
CodeBlocks are GC safe regardless of whether we've called deleteAllCode.

Restored changesets:

"CodeBlock should be a GC object"
https://bugs.webkit.org/show_bug.cgi?id=149727
http://trac.webkit.org/changeset/190450

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/dfg/DFGPlan.h

    r190453 r190522  
    5656struct Plan : public ThreadSafeRefCounted<Plan> {
    5757    Plan(
    58         PassRefPtr<CodeBlock> codeBlockToCompile, CodeBlock* profiledDFGCodeBlock,
     58        CodeBlock* codeBlockToCompile, CodeBlock* profiledDFGCodeBlock,
    5959        CompilationMode, unsigned osrEntryBytecodeIndex,
    6060        const Operands<JSValue>& mustHandleValues);
     
    7272    CompilationKey key();
    7373   
    74     void clearCodeBlockMarks();
     74    void rememberCodeBlocks();
    7575    void checkLivenessAndVisitChildren(SlotVisitor&);
    7676    bool isKnownToBeLiveDuringGC();
     
    7878   
    7979    VM& vm;
    80     RefPtr<CodeBlock> codeBlock;
    81     RefPtr<CodeBlock> profiledDFGCodeBlock;
     80
     81    // These can be raw pointers because we visit them during every GC in checkLivenessAndVisitChildren.
     82    CodeBlock* codeBlock;
     83    CodeBlock* profiledDFGCodeBlock;
     84
    8285    CompilationMode mode;
    8386    const unsigned osrEntryBytecodeIndex;
Note: See TracChangeset for help on using the changeset viewer.