From 94bd84ef5e0fda859d8a417b036062171436adc7 Mon Sep 17 00:00:00 2001
From: "mhahnenberg@apple.com"
Date: Wed, 12 Sep 2012 04:26:15 +0000
Subject: [PATCH] [Cherry-Pick] IncrementalSweeper should not sweep/free Zapped blocks
https://bugs.webkit.org/show_bug.cgi?id=96464
[Issue#] N_SE-45371
[Problem] Crash after randomly operation on internet
[Solution] GC should not sweep/free Zapped blocks.
[Cherry-Picker] Lee SangGyu
Reviewed by Filip Pizlo.
This is not beneficial in terms of performance because there isn't any way a block can emerge in the Zapped state from a call to Heap::collect() unless we run an eager sweep on it, in which case we've already run all the destructors we possibly can. This also causes bugs since we don't take zapped-ness into account when determining whether or not a block is empty to free it. The incremental sweeper can then accidentally free blocks that it thinks are empty but are in fact zapped with still-live objects in them.
* heap/MarkedBlock.h:
(JSC::MarkedBlock::needsSweeping): It is only valid to sweep a block if it is in the Marked state.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128262 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Change-Id: Ie304b8b475eb4912162853e154f99f824e74a52c
---
 Source/JavaScriptCore/ChangeLog | 17 +++++++++++++++++
 Source/JavaScriptCore/heap/MarkedBlock.h | 2 +-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 04dec83..281c4da 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,20 @@
+2012-09-11 Mark Hahnenberg
+
+ IncrementalSweeper should not sweep/free Zapped blocks
+ https://bugs.webkit.org/show_bug.cgi?id=96464
+
+ Reviewed by Filip Pizlo.
+
+ This is not beneficial in terms of performance because there isn't any way a block can emerge
+ in the Zapped state from a call to Heap::collect() unless we run an eager sweep on it, in which
+ case we've already run all the destructors we possibly can. This also causes bugs since we don't
+ take zapped-ness into account when determining whether or not a block is empty to free it. The
+ incremental sweeper can then accidentally free blocks that it thinks are empty but are in fact
+ zapped with still-live objects in them.
+
+ * heap/MarkedBlock.h:
+ (JSC::MarkedBlock::needsSweeping): It is only valid to sweep a block if it is in the Marked state.
+
 2013-03-11 Oliver Hunt
 
 Make SegmentedVector Noncopyable
diff --git a/Source/JavaScriptCore/heap/MarkedBlock.h b/Source/JavaScriptCore/heap/MarkedBlock.h
index ab2abd7..decd57b 100644
--- a/Source/JavaScriptCore/heap/MarkedBlock.h
+++ b/Source/JavaScriptCore/heap/MarkedBlock.h
@@ -413,7 +413,7 @@ namespace JSC {
 
 inline bool MarkedBlock::needsSweeping()
 {
- return m_state == Marked || m_state == Zapped;
+ return m_state == Marked;
 }
 
 #if ENABLE(GGC)
-- 
2.7.4
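Review bot: The new single-state test in needsSweeping() leaves no trace in the header of why Zapped was dropped, so a later maintainer reading only MarkedBlock.h could reasonably add it back. The reasoning lives only in the ChangeLog: a Zapped block has already had an eager sweep run its destructors, and the emptiness check used when freeing does not account for zapped-ness, so sweeping it from the incremental sweeper can free a block that still holds live objects. A one-line comment above the return would pin that down, e.g. `// Zapped blocks are never swept: their destructors already ran, and the emptiness check does not account for zapped-ness, so sweeping one could free live objects.`. If the IncrementalSweeper has a point where it selects blocks by this predicate, an assertion there that the block is not Zapped would turn a regression into a debug-build failure rather than a silent free of live objects, though that path is outside this hunk. The function body is complete in the hunk; the enclosing namespace JSC opens and closes outside it.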