Title: [240766] trunk/Source/JavaScriptCore
Revision: 240766
Author: ysuz...@apple.com
Date: 2019-01-30 23:42:41 -0800 (Wed, 30 Jan 2019)

Log Message

[JSC] Symbol should be in destructibleCellSpace
https://bugs.webkit.org/show_bug.cgi?id=194082

Reviewed by Saam Barati.

Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
to cellJSValueOOBSpace. But the problem is cellJSValueOOBSpace is a space for cells which are not
destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
Symbol's space destructibleCellSpace to appropriately call the destructor.

* runtime/Symbol.h:

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (240765 => 240766)


--- trunk/Source/_javascript_Core/ChangeLog	2019-01-31 07:31:21 UTC (rev 240765)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-01-31 07:42:41 UTC (rev 240766)
@@ -1,3 +1,17 @@
+2019-01-30  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] Symbol should be in destructibleCellSpace
+        https://bugs.webkit.org/show_bug.cgi?id=194082
+
+        Reviewed by Saam Barati.
+
+        Because Symbol's member was not poisoned, we changed the subspace for Symbol from destructibleCellSpace
+        to cellJSValueOOBSpace. But the problem is cellJSValueOOBSpace is a space for cells which are not
+        destructible. As a result, Symbol::destroy is never called, and SymbolImpl is leaked. This patch makes
+        Symbol's space destructibleCellSpace to appropriately call the destructor.
+
+        * runtime/Symbol.h:
+
 2019-01-30  Michael Catanzaro  <mcatanz...@igalia.com>
 
         Unreviewed, rolling out r240755.
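
Review bot: The "* runtime/Symbol.h:" line at the end of the new entry carries no per-file description, and the entry does not name the earlier change that moved Symbol into cellJSValueOOBSpace. Since this entry is the record of a leak fix, it would help to state on that line that the subspaceFor override was removed, and to reference the revision or bug that introduced the override so the regression window can be traced. The entry also mentions no test; if a leak check for SymbolImpl is not practical, saying so here would make that explicit.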

Modified: trunk/Source/JavaScriptCore/runtime/Symbol.h (240765 => 240766)


--- trunk/Source/_javascript_Core/runtime/Symbol.h	2019-01-31 07:31:21 UTC (rev 240765)
+++ trunk/Source/_javascript_Core/runtime/Symbol.h	2019-01-31 07:42:41 UTC (rev 240766)
@@ -36,12 +36,6 @@
     typedef JSCell Base;
     static const unsigned StructureFlags = Base::StructureFlags | StructureIsImmortal | OverridesToThis;
 
-    template<typename>
-    static CompleteSubspace* subspaceFor(VM& vm)
-    {
-        return &vm.cellJSValueOOBSpace;
-    }
-
     DECLARE_EXPORT_INFO;
 
     static const bool needsDestruction = true;
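
Review bot: Nothing in this hunk prevents the same mismatch from coming back: the class keeps "static const bool needsDestruction = true;" while the removed subspaceFor override had been placing it in a space that, per the log message, never runs destructors, and that combination compiled without complaint. After the removal, correctness depends on the inherited subspaceFor picking a destructible space, which is not visible here. Consider adding a short comment next to needsDestruction saying that any future subspaceFor override must return a destructible subspace, or a compile-time or debug assertion that ties the chosen subspace to needsDestruction, so a cell that owns a SymbolImpl cannot silently end up where Symbol::destroy is skipped.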