Changeset 73545 in webkit for trunk/JavaScriptCore/runtime/Collector.cpp

Timestamp:

Dec 8, 2010, 1:44:38 PM (14 years ago)

Author:

[email protected]

Message:

2010-12-08 Oliver Hunt <​[email protected]>

Reviewed by Gavin Barraclough.

Marking the active global object re-enters through markConservatively
​https://bugs.webkit.org/show_bug.cgi?id=50711

draining of the MarkStack is not allowed to be re-entrant, we got away
with this simply due to the logic in MarkStack::drain implicitly handling
changes that could be triggered by the re-entry.

Just to be safe this patch removes the re-entry through markConservatively
so we don't accidentally introduce such an issue in future. I've also
added an assertion to catch such errors.

• runtime/Collector.cpp: (JSC::Heap::markConservatively): (JSC::Heap::markCurrentThreadConservativelyInternal): (JSC::Heap::markOtherThreadConservatively):
• runtime/JSArray.h: (JSC::MarkStack::drain):
• runtime/MarkStack.h: (JSC::MarkStack::MarkStack):

File:

• trunk/JavaScriptCore/runtime/Collector.cpp (modified) (3 diffs)

trunk/JavaScriptCore/runtime/Collector.cpp

@@ -686 +686 @@
                     continue;
                 markStack.append(reinterpret_cast<JSCell*>(xAsBits));
-                markStack.drain();
             }
         }
@@ -698 +697 @@
     void* stackBase = currentThreadStackBase();
     markConservatively(markStack, stackPointer, stackBase);
+    markStack.drain();
 }
 
@@ -860 +860 @@
     // mark the thread's registers
     markConservatively(markStack, static_cast<void*>(&regs), static_cast<void*>(reinterpret_cast<char*>(&regs) + regSize));
+    markStack.drain();
 
     void* stackPointer = otherThreadStackPointer(regs);
     markConservatively(markStack, stackPointer, thread->stackBase);
+    markStack.drain();
 
     resumeThread(thread->platformThread);