Changeset 90273 in webkit for trunk/Source/JavaScriptCore/ChangeLog
- Timestamp: Jul 1, 2011, 1:45:52 PM
- File: 1 edited
trunk/Source/JavaScriptCore/ChangeLog
r90268 r90273 1 2011-07-01 Oliver Hunt <[email protected]> 2 3 GC sweep can occur before an object is completely initialised 4 https://bugs.webkit.org/show_bug.cgi?id=63836 5 6 Reviewed by Gavin Barraclough. 7 8 In rare cases it's possible for a GC sweep to occur while a 9 live, but not completely initialised object is on the stack. 10 In such a case we may incorrectly choose to mark it, even 11 though it has no children that need marking. 12 13 We resolve this by always zeroing out the structure of any 14 value returned from JSCell::operator new(), and making the 15 markstack tolerant of a null structure. 16 17 * runtime/JSCell.h: 18 (JSC::JSCell::JSCell::~JSCell): 19 (JSC::JSCell::JSCell::operator new): 20 * runtime/Structure.h: 21 (JSC::MarkStack::internalAppend): 22 1 23 2011-07-01 Filip Pizlo <[email protected]> 2 24
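Review bot: the function list under "* runtime/JSCell.h:" doubles the class qualifier ("JSC::JSCell::JSCell::~JSCell" and "JSC::JSCell::JSCell::operator new"); these should read "JSC::JSCell::~JSCell" and "JSC::JSCell::operator new" to match the form used for "JSC::MarkStack::internalAppend" under runtime/Structure.h. The description also states that the markstack is made "tolerant of a null structure" without saying what internalAppend does when it meets one (skips the cell, or marks it without visiting children); since that behaviour is the invariant the rest of the change relies on, one sentence naming it would make the entry self-explanatory.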