Title: [162968] trunk/Source/_javascript_Core
- Revision
- 162968
- Author
- gga...@apple.com
- Date
- 2014-01-28 15:12:19 -0800 (Tue, 28 Jan 2014)
Log Message
REGRESSION: _javascript_Core crash during OS Installation (due to
Heap::m_operationInProgress ASSERT vs DelayedReleaseScope)
https://bugs.webkit.org/show_bug.cgi?id=127793
Reviewed by Mark Hahnenberg.
This was a mistaken ASSERT.
* API/tests/testapi.mm:
(-[EvilAllocationObject doEvilThingsWithContext:]): Added a test to verify
that GC from a DelayedReleaseScope doesn't crash.
* heap/DelayedReleaseScope.h:
(JSC::DelayedReleaseScope::~DelayedReleaseScope): Our contract is that
it is valid to do anything while running a DelayedReleaseScope -dealloc
method, so the Heap must be ready for new allocations and collections.
Change the Heap's operationInProgress value to NoOperation while running
-dealloc methods, so that it doesn't ASSERT in the face of new allocations
and collections.
* heap/Heap.h: Made DelayedReleaseScope a friend because exposing a setter
for m_operationInProgress seemed like the worse of the two options for
encapsulation: we don't really want arbitrary clients to set the Heap's
m_operationInProgress.
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/API/tests/testapi.mm (162967 => 162968)
--- trunk/Source/_javascript_Core/API/tests/testapi.mm 2014-01-28 23:04:56 UTC (rev 162967)
+++ trunk/Source/_javascript_Core/API/tests/testapi.mm 2014-01-28 23:12:19 UTC (rev 162968)
@@ -453,7 +453,7 @@
- (JSValue *)doEvilThingsWithContext:(JSContext *)context
{
- return [context evaluateScript:@" \
+ JSValue *result = [context evaluateScript:@" \
(function() { \
var a = []; \
var sum = 0; \
@@ -463,6 +463,9 @@
} \
return sum; \
})()"];
+
+ JSSynchronousGarbageCollectForDebugging([context JSGlobalContextRef]);
+ return result;
}
@end
@@ -1215,12 +1218,13 @@
@autoreleasepool {
JSContext *context = [[JSContext alloc] init];
- @autoreleasepool {
- EvilAllocationObject *evilObject = [[EvilAllocationObject alloc] initWithContext:context];
- context[@"evilObject"] = evilObject;
- context[@"evilObject"] = nil;
+ while (!evilAllocationObjectWasDealloced) {
+ @autoreleasepool {
+ EvilAllocationObject *evilObject = [[EvilAllocationObject alloc] initWithContext:context];
+ context[@"evilObject"] = evilObject;
+ context[@"evilObject"] = nil;
+ }
}
- JSSynchronousGarbageCollectForDebugging([context JSGlobalContextRef]);
checkResult(@"EvilAllocationObject was successfully dealloced without crashing", evilAllocationObjectWasDealloced);
}
Modified: trunk/Source/_javascript_Core/ChangeLog (162967 => 162968)
--- trunk/Source/_javascript_Core/ChangeLog 2014-01-28 23:04:56 UTC (rev 162967)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-01-28 23:12:19 UTC (rev 162968)
@@ -1,3 +1,31 @@
+2014-01-28 Geoffrey Garen <gga...@apple.com>
+
+ REGRESSION: _javascript_Core crash during OS Installation (due to
+ Heap::m_operationInProgress ASSERT vs DelayedReleaseScope)
+ https://bugs.webkit.org/show_bug.cgi?id=127793
+
+ Reviewed by Mark Hahnenberg.
+
+ This was a mistaken ASSERT.
+
+ * API/tests/testapi.mm:
+ (-[EvilAllocationObject doEvilThingsWithContext:]): Added a test to verify
+ that GC from a DelayedReleaseScope doesn't crash.
+
+ * heap/DelayedReleaseScope.h:
+ (JSC::DelayedReleaseScope::~DelayedReleaseScope): Our contract is that
+ it is valid to do anything while running a DelayedReleaseScope -dealloc
+ method, so the Heap must be ready for new allocations and collections.
+
+ Change the Heap's operationInProgress value to NoOperation while running
+ -dealloc methods, so that it doesn't ASSERT in the face of new allocations
+ and collections.
+
+ * heap/Heap.h: Made DelayedReleaseScope a friend because exposing a setter
+ for m_operationInProgress seemed like the worse of the two options for
+ encapsulation: we don't really want arbitrary clients to set the Heap's
+ m_operationInProgress.
+
2014-01-28 Mark Lam <mark....@apple.com>
Jettison DFG code when neither breakpoints or the profiler are active.
Modified: trunk/Source/_javascript_Core/heap/DelayedReleaseScope.h (162967 => 162968)
--- trunk/Source/_javascript_Core/heap/DelayedReleaseScope.h 2014-01-28 23:04:56 UTC (rev 162967)
+++ trunk/Source/_javascript_Core/heap/DelayedReleaseScope.h 2014-01-28 23:12:19 UTC (rev 162968)
@@ -47,8 +47,13 @@
ASSERT(m_markedSpace.m_currentDelayedReleaseScope == this);
m_markedSpace.m_currentDelayedReleaseScope = nullptr;
+ HeapOperation operationInProgress = NoOperation;
+ std::swap(operationInProgress, m_markedSpace.m_heap->m_operationInProgress);
+
APICallbackShim callbackShim(*m_markedSpace.m_heap->vm());
m_delayedReleaseObjects.clear();
+
+ std::swap(operationInProgress, m_markedSpace.m_heap->m_operationInProgress);
}
template <typename T>
Modified: trunk/Source/_javascript_Core/heap/Heap.h (162967 => 162968)
--- trunk/Source/_javascript_Core/heap/Heap.h 2014-01-28 23:04:56 UTC (rev 162967)
+++ trunk/Source/_javascript_Core/heap/Heap.h 2014-01-28 23:12:19 UTC (rev 162968)
@@ -208,6 +208,7 @@
friend class CopiedBlock;
friend class DeferGC;
friend class DeferGCForAWhile;
+ friend class DelayedReleaseScope;
friend class GCAwareJITStubRoutine;
friend class HandleSet;
friend class JITStubRoutine;
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes