[Cherry-Pick] IncrementalSweeper should not sweep/free Zapped blocks

https://bugs.webkit.org/show_bug.cgi?id=96464

[Issue#] N_SE-45371
[Problem] Crash after randomly operation on internet
[Solution] GC should not sweep/free Zapped blocks.
[Cherry-Picker] Lee SangGyu <sg5.lee@samsung.com>

Reviewed by Filip Pizlo.

This is not beneficial in terms of performance because there isn't any way a block can emerge in the Zapped state from a call to Heap::collect() unless we run an eager sweep on it, in which case we've already run all the destructors we possibly can. This also causes bugs since we don't take zapped-ness into account when determining whether or not a block is empty to free it. The incremental sweeper can then accidentally free blocks that it thinks are empty but are in fact zapped with still-live objects in them.

* heap/MarkedBlock.h:
(JSC::MarkedBlock::needsSweeping): It is only valid to sweep a block if it is in the Marked state.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128262 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Change-Id: Ie304b8b475eb4912162853e154f99f824e74a52c

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 04dec83..281c4da 100644 (file)
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,20 @@
+2012-09-11  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        IncrementalSweeper should not sweep/free Zapped blocks
+        https://bugs.webkit.org/show_bug.cgi?id=96464
+
+        Reviewed by Filip Pizlo.
+
+        This is not beneficial in terms of performance because there isn't any way a block can emerge
+        in the Zapped state from a call to Heap::collect() unless we run an eager sweep on it, in which 
+        case we've already run all the destructors we possibly can. This also causes bugs since we don't 
+        take zapped-ness into account when determining whether or not a block is empty to free it. The 
+        incremental sweeper can then accidentally free blocks that it thinks are empty but are in fact 
+        zapped with still-live objects in them.
+
+        * heap/MarkedBlock.h:
+        (JSC::MarkedBlock::needsSweeping): It is only valid to sweep a block if it is in the Marked state.
+
 2013-03-11  Oliver Hunt  <oliver@apple.com>
 
         Make SegmentedVector Noncopyable

diff --git a/Source/JavaScriptCore/heap/MarkedBlock.h b/Source/JavaScriptCore/heap/MarkedBlock.h
index ab2abd7..decd57b 100644 (file)
--- a/Source/JavaScriptCore/heap/MarkedBlock.h
+++ b/Source/JavaScriptCore/heap/MarkedBlock.h
@@ -413,7 +413,7 @@ namespace JSC {
 
     inline bool MarkedBlock::needsSweeping()
     {
-        return m_state == Marked || m_state == Zapped;
+        return m_state == Marked;
     }
 
 #if ENABLE(GGC)