[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-9427-gc2be6fc

oliver at apple.com oliver at apple.com
Wed Dec 22 13:29:38 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 83d143d7831b0d86ebb4e0728272215497378bbd
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Sep 17 01:18:30 2010 +0000

    2010-09-16  Oliver Hunt  <oliver at apple.com>
    
            Reviewed by Geoffrey Garen.
    
            Crash due to timer triggered GC on one heap while another heap is active
            https://bugs.webkit.org/show_bug.cgi?id=45932
            <rdar://problem/8318446>
    
            The GC timer may trigger for one heap while another heap is active.  This
            is safe, but requires us to ensure that we have temporarily associated the
            thread's identifierTable with the heap we're collecting on.  Otherwise we
            may end up with the identifier tables in an inconsistent state leading to
            an eventual crash.
    
            * runtime/Collector.cpp:
            (JSC::Heap::allocate):
            (JSC::Heap::reset):
            (JSC::Heap::collectAllGarbage):
               Add assertions to ensure we have the correct identifierTable active
               while collecting.
            * runtime/GCActivityCallbackCF.cpp:
            (JSC::DefaultGCActivityCallbackPlatformData::trigger):
               Temporarily make the expected IdentifierTable active
            * wtf/WTFThreadData.h:
            (JSC::IdentifierTable::remove):
               Make it possible to see when IdentifierTable::remove has succeeded
            * wtf/text/StringImpl.cpp:
            (WTF::StringImpl::~StringImpl):
               CRASH if a StringImpl is an Identifier but isn't present in the
               active IdentifierTable.  If we get to this state something has
               gone wrong and we should just crash immediately.
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@67683 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 1a3d4bd..1b55290 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,35 @@
+2010-09-16  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Geoffrey Garen.
+
+        Crash due to timer triggered GC on one heap while another heap is active
+        https://bugs.webkit.org/show_bug.cgi?id=45932
+        <rdar://problem/8318446>
+
+        The GC timer may trigger for one heap while another heap is active.  This
+        is safe, but requires us to ensure that we have temporarily associated the
+        thread's identifierTable with the heap we're collecting on.  Otherwise we
+        may end up with the identifier tables in an inconsistent state leading to
+        an eventual crash.
+
+        * runtime/Collector.cpp:
+        (JSC::Heap::allocate):
+        (JSC::Heap::reset):
+        (JSC::Heap::collectAllGarbage):
+           Add assertions to ensure we have the correct identifierTable active
+           while collecting.
+        * runtime/GCActivityCallbackCF.cpp:
+        (JSC::DefaultGCActivityCallbackPlatformData::trigger):
+           Temporarily make the expected IdentifierTable active
+        * wtf/WTFThreadData.h:
+        (JSC::IdentifierTable::remove):
+           Make it possible to see when IdentifierTable::remove has succeeded
+        * wtf/text/StringImpl.cpp:
+        (WTF::StringImpl::~StringImpl):
+           CRASH if an StringImpl is an Identifier but isn't present in the
+           active IdentifierTable.  If we get to this state something has
+           gone wrong and we should just crash immediately.
+
 2010-09-16  Martin Robinson  <mrobinson at igalia.com>
 
         Reviewed by Xan Lopez.
diff --git a/JavaScriptCore/runtime/Collector.cpp b/JavaScriptCore/runtime/Collector.cpp
index 4a81913..93b91bb 100644
--- a/JavaScriptCore/runtime/Collector.cpp
+++ b/JavaScriptCore/runtime/Collector.cpp
@@ -43,6 +43,7 @@
 #include <stdlib.h>
 #include <wtf/FastMalloc.h>
 #include <wtf/HashCountedSet.h>
+#include <wtf/WTFThreadData.h>
 #include <wtf/UnusedParam.h>
 #include <wtf/VMTags.h>
 
@@ -298,6 +299,7 @@ void Heap::recordExtraCost(size_t cost)
 
 void* Heap::allocate(size_t s)
 {
+    ASSERT(globalData()->identifierTable == wtfThreadData().currentIdentifierTable());
     typedef HeapConstants::Block Block;
     typedef HeapConstants::Cell Cell;
     
@@ -1189,6 +1191,7 @@ bool Heap::isBusy()
 
 void Heap::reset()
 {
+    ASSERT(globalData()->identifierTable == wtfThreadData().currentIdentifierTable());
     JAVASCRIPTCORE_GC_BEGIN();
 
     markRoots();
@@ -1211,6 +1214,7 @@ void Heap::reset()
 
 void Heap::collectAllGarbage()
 {
+    ASSERT(globalData()->identifierTable == wtfThreadData().currentIdentifierTable());
     JAVASCRIPTCORE_GC_BEGIN();
 
     // If the last iteration through the heap deallocated blocks, we need
diff --git a/JavaScriptCore/runtime/GCActivityCallbackCF.cpp b/JavaScriptCore/runtime/GCActivityCallbackCF.cpp
index 06d4210..45329ca 100644
--- a/JavaScriptCore/runtime/GCActivityCallbackCF.cpp
+++ b/JavaScriptCore/runtime/GCActivityCallbackCF.cpp
@@ -29,9 +29,12 @@
 #include "config.h"
 #include "GCActivityCallback.h"
 
+#include "APIShims.h"
 #include "Collector.h"
+#include "JSGlobalData.h"
 #include "JSLock.h"
 #include <wtf/RetainPtr.h>
+#include <wtf/WTFThreadData.h>
 #include <CoreFoundation/CoreFoundation.h>
 
 #if !PLATFORM(CF)
@@ -52,8 +55,7 @@ const CFTimeInterval decade = 60 * 60 * 24 * 365 * 10;
 void DefaultGCActivityCallbackPlatformData::trigger(CFRunLoopTimerRef, void *info)
 {
     Heap* heap = static_cast<Heap*>(info);
-    JSLock lock(heap->globalData());
-
+    APIEntryShim shim(heap->globalData());
     heap->collectAllGarbage();
 }
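Review bot: The explicit `JSLock lock(heap->globalData())` is removed and the callback now relies on APIEntryShim to both take the lock and install the heap's identifier table; that is only correct if APIEntryShim acquires the JSLock with the same real/silence-only semantics the removed line had, which cannot be confirmed from this diff and is worth checking. A one-line comment would spare the next reader from re-deriving it: `// APIEntryShim takes the JSLock and makes this heap's IdentifierTable current for the collection; the timer may fire while a different heap is active on this thread.` Separately, `info` is cast straight to `Heap*` with no validation, so safety also depends on the timer being invalidated before the Heap is destroyed — presumably handled where the timer is torn down, which is outside this hunk.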
 
diff --git a/JavaScriptCore/wtf/WTFThreadData.h b/JavaScriptCore/wtf/WTFThreadData.h
index 20ffaca..7f91e1a 100644
--- a/JavaScriptCore/wtf/WTFThreadData.h
+++ b/JavaScriptCore/wtf/WTFThreadData.h
@@ -59,7 +59,14 @@ public:
     template<typename U, typename V>
     std::pair<HashSet<StringImpl*>::iterator, bool> add(U value);
 
-    void remove(StringImpl* r) { m_table.remove(r); }
+    bool remove(StringImpl* r)
+    {
+        HashSet<StringImpl*>::iterator iter = m_table.find(r);
+        if (iter == m_table.end())
+            return false;
+        m_table.remove(iter);
+        return true;
+    }
 
     LiteralIdentifierTable& literalTable() { return m_literalTable; }
 
diff --git a/JavaScriptCore/wtf/text/StringImpl.cpp b/JavaScriptCore/wtf/text/StringImpl.cpp
index a667525..7822c00 100644
--- a/JavaScriptCore/wtf/text/StringImpl.cpp
+++ b/JavaScriptCore/wtf/text/StringImpl.cpp
@@ -48,8 +48,10 @@ StringImpl::~StringImpl()
     if (isAtomic())
         AtomicString::remove(this);
 #if USE(JSC)
-    if (isIdentifier())
-        wtfThreadData().currentIdentifierTable()->remove(this);
+    if (isIdentifier()) {
+        if (!wtfThreadData().currentIdentifierTable()->remove(this))
+            CRASH();
+    }
 #endif
 
     BufferOwnership ownership = bufferOwnership();
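Review bot: Escalating the failed remove to CRASH() rather than an ASSERT is the right call from a memory-safety standpoint: a StringImpl flagged isIdentifier() that is absent from the current table is very likely still registered in another thread's or heap's table, which would keep a dangling pointer to the object being destroyed and turn a later identifier lookup into a use-after-free. That reasoning is not visible in the code and should be, e.g. `// An identifier missing from the active table is still registered elsewhere; continuing would leave a dangling entry there, so fail fast rather than risk a later use-after-free.` Note that `wtfThreadData().currentIdentifierTable()` is dereferenced without a null check; if any thread can reach this destructor with no table installed, that is a null dereference before the CRASH, which the diff does not rule out either way. ~StringImpl continues beyond the end of the hunk.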
