Changeset 34974 in webkit for trunk/JavaScriptCore/kjs/collector.cpp

Timestamp:

Jul 2, 2008, 11:48:01 PM (17 years ago)

Author:

[email protected]

Message:

2008-07-02 Geoffrey Garen <​[email protected]>

Reviewed by Cameron Zwarich.

Fixed ​https://bugs.webkit.org/show_bug.cgi?id=19862
REGRESSION (r34907): Gmail crashes in JavaScriptCore code while editing drafts

I was never able to reproduce this issue, but Cameron could, and he says
that this patch fixes it.

The crash seems tied to a timer or event handler callback. In such a case,
the sole reference to the global object may be in the current call frame,
so we can't depend on the global object to mark the call frame area in
the register file.

The new GC marking rule is: the global object is not responsible for
marking the whole register file -- it's just responsible for the globals
section it's tied to. The heap is responsible for marking the call frame area.

File:

• trunk/JavaScriptCore/kjs/collector.cpp (modified) (2 diffs)

trunk/JavaScriptCore/kjs/collector.cpp

@@ -93 +93 @@
 static void freeHeap(CollectorHeap*);
 
-Heap::Heap(bool isShared)
+Heap::Heap(Machine* machine, bool isShared)
     : m_markListSet(0)
     , m_isShared(isShared)
+    , m_machine(machine)
 {
     memset(&primaryHeap, 0, sizeof(CollectorHeap));
@@ -945 +946 @@
     if (m_markListSet && m_markListSet->size())
         ArgList::markLists(*m_markListSet);
+    m_machine->registerFile().markCallFrames(this);
 
     JAVASCRIPTCORE_GC_MARKED();