[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198
ggaren at apple.com
Mon Feb 21 00:32:51 UTC 2011
The following commit has been merged in the webkit-1.3 branch:
commit e7414f91b3f5b2046f9bf2c23fbbf9fe9d00f759
Author: ggaren at apple.com <ggaren at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Feb 1 20:44:22 2011 +0000
2011-02-01 Geoffrey Garen <ggaren at apple.com>

Reviewed by Oliver Hunt.

REGRESSION(77082): GC-related crashes seen: on WebKit2 bot; on GTK 32bit
bot; loading trac pages; typing in search field
https://bugs.webkit.org/show_bug.cgi?id=53519

The crashes were all caused by failure to run an object's destructor.

* runtime/CollectorHeapIterator.h:
(JSC::ObjectIterator::ObjectIterator): Don't skip forward upon
construction. The iterator class used to do that when it was designed
for prior-to-beginning initialization. I forgot to remove this line
of code when I changed the iterator to normal initialization.

Skipping forward upon construction was causing the heap to skip running
the destructor for the very first object in a block when destroying the
block. This usually did not crash, since block destruction is rare and
most objects have pretty trivial destructors. However, in the rare case
when the heap would destroy a block whose first object was a global
object or a DOM node, BOOM.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77277 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 3357ddb..714535b 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,26 @@
+2011-02-01 Geoffrey Garen <ggaren at apple.com>
+
+ Reviewed by Oliver Hunt.
+
+ REGRESSION(77082): GC-related crashes seen: on WebKit2 bot; on GTK 32bit
+ bot; loading trac pages; typing in search field
+ https://bugs.webkit.org/show_bug.cgi?id=53519
+
+ The crashes were all caused by failure to run an object's destructor.
+
+ * runtime/CollectorHeapIterator.h:
+ (JSC::ObjectIterator::ObjectIterator): Don't skip forward upon
+ construction. The iterator class used to do that when it was designed
+ for prior-to-beginning initialization. I forgot to remove this line
+ of code when I changed the iterator to normal initialization.
+
+ Skipping forward upon construction was causing the heap to skip running
+ the destructor for the very first object in a block when destroying the
+ block. This usually did not crash, since block destruction is rare and
+ most objects have pretty trivial destructors. However, in the rare case
+ when the heap would destroy a block whose first object was a global
+ object or a DOM node, BOOM.
+
2011-01-31 Oliver Hunt <oliver at apple.com>
Reviewed by Geoffrey Garen.
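Review bot: The new ChangeLog entry lists only runtime/CollectorHeapIterator.h and names no regression test, even though it describes a concrete trigger (destroying a block whose first object is a global object or a DOM node). Either add a test that forces block destruction with such an object in the first cell, or say in the entry why no test is included, so the skipped-destructor case stays covered if the iterator's initialization changes again.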
diff --git a/Source/JavaScriptCore/runtime/CollectorHeapIterator.h b/Source/JavaScriptCore/runtime/CollectorHeapIterator.h
index 0801727..49f5f27 100644
--- a/Source/JavaScriptCore/runtime/CollectorHeapIterator.h
+++ b/Source/JavaScriptCore/runtime/CollectorHeapIterator.h
@@ -138,8 +138,6 @@ namespace JSC {
inline ObjectIterator::ObjectIterator(CollectorHeap& heap, size_t startBlock, size_t startCell)
: CollectorHeapIterator(heap, startBlock, startCell)
{
- if (isValid())
- ++(*this);
}
inline ObjectIterator& ObjectIterator::operator++()
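Review bot: With `if (isValid()) ++(*this);` removed, the ObjectIterator constructor body is empty, so nothing in the code records that the iterator now starts on (startBlock, startCell) itself rather than on the element after it. A one-line comment or an assertion in the constructor stating that the start cell is visited would guard against the skip being reintroduced. Every caller that constructs an ObjectIterator should also be checked for a start position chosen under the old prior-to-beginning convention, since such a caller would now visit one cell more than before. It is not visible from this hunk whether operator++ filters the cells it lands on; if it does, the start cell no longer passes through that filtering and needs the same check at construction.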
--
WebKit Debian packaging