[SCM] WebKit Debian packaging branch, debian/experimental, updated. upstream/1.3.3-10851-g50815da

oliver at apple.com oliver at apple.com
Wed Dec 22 18:12:53 UTC 2010


The following commit has been merged in the debian/experimental branch:
commit 6c35153fa2d33788d54cbdcf5b528f56a0f2cebd
Author: oliver at apple.com <oliver at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Dec 8 21:44:38 2010 +0000

    2010-12-08  Oliver Hunt  <oliver at apple.com>
    
            Reviewed by Gavin Barraclough.
    
            Marking the active global object re-enters through markConservatively
            https://bugs.webkit.org/show_bug.cgi?id=50711
    
            Draining of the MarkStack is not allowed to be re-entrant; we got away
            with this only because the logic in MarkStack::drain implicitly handled
            changes that could be triggered by the re-entry.
    
            Just to be safe this patch removes the re-entry through markConservatively
            so we don't accidentally introduce such an issue in future.  I've also
            added an assertion to catch such errors.
    
            * runtime/Collector.cpp:
            (JSC::Heap::markConservatively):
            (JSC::Heap::markCurrentThreadConservativelyInternal):
            (JSC::Heap::markOtherThreadConservatively):
            * runtime/JSArray.h:
            (JSC::MarkStack::drain):
            * runtime/MarkStack.h:
            (JSC::MarkStack::MarkStack):
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@73545 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 5feeb8d..fc9637c 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,27 @@
+2010-12-08  Oliver Hunt  <oliver at apple.com>
+
+        Reviewed by Gavin Barraclough.
+
+        Marking the active global object re-enters through markConservatively
+        https://bugs.webkit.org/show_bug.cgi?id=50711
+
+        draining of the MarkStack is not allowed to be re-entrant, we got away
+        with this simply due to the logic in MarkStack::drain implicitly handling
+        changes that could be triggered by the re-entry.
+
+        Just to be safe this patch removes the re-entry through markConservatively
+        so we don't accidentally introduce such an issue in future.  I've also
+        added an assertion to catch such errors.
+
+        * runtime/Collector.cpp:
+        (JSC::Heap::markConservatively):
+        (JSC::Heap::markCurrentThreadConservativelyInternal):
+        (JSC::Heap::markOtherThreadConservatively):
+        * runtime/JSArray.h:
+        (JSC::MarkStack::drain):
+        * runtime/MarkStack.h:
+        (JSC::MarkStack::MarkStack):
+
 2010-12-08  Chris Marrin  <cmarrin at apple.com>
 
         Reviewed by Simon Fraser.
diff --git a/JavaScriptCore/runtime/Collector.cpp b/JavaScriptCore/runtime/Collector.cpp
index 3d8b583..09a5fa9 100644
--- a/JavaScriptCore/runtime/Collector.cpp
+++ b/JavaScriptCore/runtime/Collector.cpp
@@ -685,7 +685,6 @@ void Heap::markConservatively(MarkStack& markStack, void* start, void* end)
                 if (m_heap.collectorBlock(block) != blockAddr)
                     continue;
                 markStack.append(reinterpret_cast<JSCell*>(xAsBits));
-                markStack.drain();
             }
         }
     }
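Review bot: With the per-cell drain() removed from Heap::markConservatively, the function now only appends candidate cells and relies on every caller to drain afterwards; the two callers touched by this patch (markCurrentThreadConservativelyInternal in the next hunk and markOtherThreadConservatively in the one after) do so, but nothing on the function itself states that contract, so a caller outside this diff would silently leave cells queued on the stack. A comment on the definition would make it explicit, e.g. `// Only appends candidate cells to markStack; the caller must call markStack.drain() afterwards. drain() is not re-entrant, so it must not be called from here.` The change also batches every cell found in the range before draining instead of draining after each one, which presumably lets the mark stack grow larger for big stack ranges; if that was considered, a line in the ChangeLog saying so would help. markConservatively's body starts outside the hunk.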
@@ -697,6 +696,7 @@ void NEVER_INLINE Heap::markCurrentThreadConservativelyInternal(MarkStack& markS
     void* stackPointer = &dummy;
     void* stackBase = currentThreadStackBase();
     markConservatively(markStack, stackPointer, stackBase);
+    markStack.drain();
 }
 
 #if COMPILER(GCC)
@@ -859,9 +859,11 @@ void Heap::markOtherThreadConservatively(MarkStack& markStack, Thread* thread)
 
     // mark the thread's registers
     markConservatively(markStack, static_cast<void*>(&regs), static_cast<void*>(reinterpret_cast<char*>(&regs) + regSize));
+    markStack.drain();
 
     void* stackPointer = otherThreadStackPointer(regs);
     markConservatively(markStack, stackPointer, thread->stackBase);
+    markStack.drain();
 
     resumeThread(thread->platformThread);
 }
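Review bot: The drain() added after the register scan is redundant with the one added after the stack scan, since the second call empties the whole mark stack regardless; a single `markStack.drain();` after the second markConservatively call would suffice. If the intent of the first drain is to keep the stack small between the two scans, a one-line comment saying so would stop the next reader from removing it. Both drains still run while the other thread is suspended (resumeThread follows them), which matches the previous behaviour where the draining happened inside markConservatively, so the suspension window is not widened by this hunk. The function begins outside the hunk.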
diff --git a/JavaScriptCore/runtime/JSArray.h b/JavaScriptCore/runtime/JSArray.h
index 9e155d8..de28b65 100644
--- a/JavaScriptCore/runtime/JSArray.h
+++ b/JavaScriptCore/runtime/JSArray.h
@@ -222,6 +222,10 @@ namespace JSC {
 
     inline void MarkStack::drain()
     {
+#if !ASSERT_DISABLED
+        ASSERT(!m_isDraining);
+        m_isDraining = true;
+#endif
         while (!m_markSets.isEmpty() || !m_values.isEmpty()) {
             while (!m_markSets.isEmpty() && m_values.size() < 50) {
                 ASSERT(!m_markSets.isEmpty());
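Review bot: m_isDraining is set at the top of drain() here and cleared only at the end of the loop in the second hunk of this file; the middle of the body is outside both hunks, so if it contains any early `return`, the flag stays set and the next drain() call trips the assertion spuriously — worth confirming the elided body has no return, or clearing the flag through a small scope guard instead of a trailing assignment. Since this flag is the mechanism that enforces the non-re-entrancy the commit message describes, the contract should also be stated on the function: `// drain() is not re-entrant: markChildren() implementations may append to the stack but must never call drain(), directly or indirectly.` The comment should also say that the check only exists when assertions are enabled, since a release build still tolerates re-entry silently. drain()'s body continues outside the hunk.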
@@ -260,6 +264,9 @@ namespace JSC {
             while (!m_values.isEmpty())
                 markChildren(m_values.removeLast());
         }
+#if !ASSERT_DISABLED
+        m_isDraining = false;
+#endif
     }
 
     // Rule from ECMA 15.2 about what an array index is.
diff --git a/JavaScriptCore/runtime/MarkStack.h b/JavaScriptCore/runtime/MarkStack.h
index c3efc8f..be47fad 100644
--- a/JavaScriptCore/runtime/MarkStack.h
+++ b/JavaScriptCore/runtime/MarkStack.h
@@ -41,8 +41,9 @@ namespace JSC {
     public:
         MarkStack(void* jsArrayVPtr)
             : m_jsArrayVPtr(jsArrayVPtr)
-#ifndef NDEBUG
+#if !ASSERT_DISABLED
             , m_isCheckingForDefaultMarkViolation(false)
+            , m_isDraining(false)
 #endif
         {
         }
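Review bot: The guard around the existing m_isCheckingForDefaultMarkViolation initializer changes from `#ifndef NDEBUG` to `#if !ASSERT_DISABLED` here and on its declaration in the next hunk; any other reference to that member elsewhere in the tree that still uses `#ifndef NDEBUG` would fail to compile in a configuration where NDEBUG and ASSERT_DISABLED disagree (assertions force-enabled in a release build, or the reverse), so the remaining users should be checked for a matching guard. The constructor is complete within the hunk.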
@@ -178,9 +179,10 @@ namespace JSC {
         MarkStackArray<JSCell*> m_values;
         static size_t s_pageSize;
 
-#ifndef NDEBUG
+#if !ASSERT_DISABLED
     public:
         bool m_isCheckingForDefaultMarkViolation;
+        bool m_isDraining;
 #endif
     };
 }
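Review bot: m_isDraining is declared under `public:` next to m_isCheckingForDefaultMarkViolation, but in this patch it is only read and written inside MarkStack::drain (JSArray.h), so it has no need to be public; keeping it private prevents other code from clearing the re-entrancy flag. Keep the existing public member as it is and add `private:` followed by `bool m_isDraining;` inside the same `#if !ASSERT_DISABLED` block. A short comment on the field would also help a reader who finds it without the ChangeLog: `// Set for the duration of drain(); used to assert that drain() is never re-entered.`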
