Title: [218856] trunk/Source/_javascript_Core
- Revision
- 218856
- Author
- utatane....@gmail.com
- Date
- 2017-06-27 17:46:50 -0700 (Tue, 27 Jun 2017)
Log Message
[JSC] Do not touch VM after notifying Ready in DFG::Worklist
https://bugs.webkit.org/show_bug.cgi?id=173888
Reviewed by Saam Barati.
After notifying Plan::Ready and releasing Worklist lock, VM can be destroyed.
Thus, Plan::vm() can return a destroyed VM. Do not touch it.
This causes occasional SEGV / assertion failures in workers/bomb test.
* dfg/DFGWorklist.cpp:
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (218855 => 218856)
--- trunk/Source/_javascript_Core/ChangeLog 2017-06-28 00:36:31 UTC (rev 218855)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-06-28 00:46:50 UTC (rev 218856)
@@ -1,3 +1,16 @@
+2017-06-27 Yusuke Suzuki <utatane....@gmail.com>
+
+ [JSC] Do not touch VM after notifying Ready in DFG::Worklist
+ https://bugs.webkit.org/show_bug.cgi?id=173888
+
+ Reviewed by Saam Barati.
+
+ After notifying Plan::Ready and releasing Worklist lock, VM can be destroyed.
+ Thus, Plan::vm() can return a destroyed VM. Do not touch it.
+ This causes occasional SEGV / assertion failures in workers/bomb test.
+
+ * dfg/DFGWorklist.cpp:
+
2017-06-27 Saam Barati <sbar...@apple.com>
Remove an inaccurate comment inside DFGClobberize.h
Modified: trunk/Source/_javascript_Core/dfg/DFGWorklist.cpp (218855 => 218856)
--- trunk/Source/_javascript_Core/dfg/DFGWorklist.cpp 2017-06-28 00:36:31 UTC (rev 218855)
+++ trunk/Source/_javascript_Core/dfg/DFGWorklist.cpp 2017-06-28 00:46:50 UTC (rev 218856)
@@ -130,9 +130,9 @@
m_worklist.m_readyPlans.append(m_plan);
+ RELEASE_ASSERT(!m_plan->vm->heap.collectorBelievesThatTheWorldIsStopped());
m_worklist.m_planCompiled.notifyAll();
}
- RELEASE_ASSERT(!m_plan->vm->heap.collectorBelievesThatTheWorldIsStopped());
return WorkResult::Continue;
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
