Timestamp:
Aug 10, 2009, 9:35:02 PM (16 years ago)
Author:
[email protected]
Message:

Stack overflow crash in JavaScript garbage collector mark pass
https://bugs.webkit.org/show_bug.cgi?id=12216

Reviewed by Gavin Barraclough and Sam Weinig

Make the GC mark phase iterative by using an explicit mark stack.
To do this marking any single object is performed in multiple stages

  • The object is appended to the MarkStack, this sets the marked bit for the object using the new markDirect() function, and then returns
  • When the MarkStack is drain()ed the object is popped off the stack and markChildren(MarkStack&) is called on the object to collect all of its children. drain() then repeats until the stack is empty.

Additionally I renamed a number of methods from 'mark' to 'markAggregate'
in order to make it clearer that marking those objects was not
going to result in an actual recursive mark.

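--- a/trunk/JavaScriptCore/runtime/JSPropertyNameIterator.h
+++ b/trunk/JavaScriptCore/runtime/JSPropertyNameIterator.h
@@ -1,4 +1,4 @@
 /*
- * Copyright (C) 2008 Apple Inc. All rights reserved.
+ * Copyright (C) 2008, 2009 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -52,12 +52,16 @@
         virtual JSObject* toObject(ExecState*) const;
 
-        virtual void mark();
+        virtual void markChildren(MarkStack&);
 
         JSValue next(ExecState*);
         void invalidate();
-
+       
+        static PassRefPtr<Structure> createStructure(JSValue prototype)
+        {
+            return Structure::create(prototype, TypeInfo(CompoundType));
+        }
     private:
-        JSPropertyNameIterator();
-        JSPropertyNameIterator(JSObject*, PassRefPtr<PropertyNameArrayData> propertyNameArrayData);
+        JSPropertyNameIterator(ExecState*);
+        JSPropertyNameIterator(ExecState*, JSObject*, PassRefPtr<PropertyNameArrayData> propertyNameArrayData);
 
         JSObject* m_object;
@@ -67,6 +71,6 @@
     };
 
-inline JSPropertyNameIterator::JSPropertyNameIterator()
-    : JSCell(0)
+inline JSPropertyNameIterator::JSPropertyNameIterator(ExecState* exec)
+    : JSCell(exec->globalData().propertyNameIteratorStructure.get())
     , m_object(0)
     , m_position(0)
@@ -75,6 +79,6 @@
 }
 
-inline JSPropertyNameIterator::JSPropertyNameIterator(JSObject* object, PassRefPtr<PropertyNameArrayData> propertyNameArrayData)
-    : JSCell(0)
+inline JSPropertyNameIterator::JSPropertyNameIterator(ExecState* exec, JSObject* object, PassRefPtr<PropertyNameArrayData> propertyNameArrayData)
+    : JSCell(exec->globalData().propertyNameIteratorStructure.get())
     , m_object(object)
     , m_data(propertyNameArrayData)
@@ -87,10 +91,10 @@
 {
     if (v.isUndefinedOrNull())
-        return new (exec) JSPropertyNameIterator;
+        return new (exec) JSPropertyNameIterator(exec);
 
     JSObject* o = v.toObject(exec);
     PropertyNameArray propertyNames(exec);
     o->getPropertyNames(exec, propertyNames);
-    return new (exec) JSPropertyNameIterator(o, propertyNames.releaseData());
+    return new (exec) JSPropertyNameIterator(exec, o, propertyNames.releaseData());
 }
 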
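Review bot: The new `virtual void markChildren(MarkStack&);` declaration in the class body carries no comment, so the contract the commit message describes — the object appends the cells it references to the MarkStack and returns, and MarkStack::drain() performs the actual traversal rather than a recursive mark — is invisible to a reader of the header; I would add `// Appends the cells this iterator references to the mark stack; MarkStack::drain() does the traversal, so this must not recurse.` above it. The two private constructors now read `exec->globalData().propertyNameIteratorStructure.get()` and so require a non-null ExecState; the factory `create` (whose start lies outside this hunk) supplies one, but the declarations at new lines 64–65 don't say so, and a one-line comment there would make the precondition explicit. The line added at new line 58, just before `createStructure`, is whitespace-only with trailing spaces and should be an empty line.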