Changeset 73545 in webkit for trunk/JavaScriptCore/runtime/JSArray.h

Timestamp:

Dec 8, 2010, 1:44:38 PM (14 years ago)

Author:

[email protected]

Message:

2010-12-08 Oliver Hunt <​[email protected]>

Reviewed by Gavin Barraclough.

Marking the active global object re-enters through markConservatively
​https://bugs.webkit.org/show_bug.cgi?id=50711

draining of the MarkStack is not allowed to be re-entrant, we got away
with this simply due to the logic in MarkStack::drain implicitly handling
changes that could be triggered by the re-entry.

Just to be safe this patch removes the re-entry through markConservatively
so we don't accidentally introduce such an issue in future. I've also
added an assertion to catch such errors.

• runtime/Collector.cpp: (JSC::Heap::markConservatively): (JSC::Heap::markCurrentThreadConservativelyInternal): (JSC::Heap::markOtherThreadConservatively):
• runtime/JSArray.h: (JSC::MarkStack::drain):
• runtime/MarkStack.h: (JSC::MarkStack::MarkStack):

File:

• trunk/JavaScriptCore/runtime/JSArray.h (modified) (2 diffs)

trunk/JavaScriptCore/runtime/JSArray.h

@@ -223 +223 @@
     inline void MarkStack::drain()
     {
+#if !ASSERT_DISABLED
+        ASSERT(!m_isDraining);
+        m_isDraining = true;
+#endif
         while (!m_markSets.isEmpty() || !m_values.isEmpty()) {
             while (!m_markSets.isEmpty() && m_values.size() < 50) {
@@ -261 +265 @@
                 markChildren(m_values.removeLast());
         }
+#if !ASSERT_DISABLED
+        m_isDraining = false;
+#endif
     }