Bug 128202

Summary: Malloc called beneath MachineThreads::gatherFromOtherThread(), while forbidden
Product: WebKit Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCoreAssignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED    
Severity: Normal CC: mitz
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 128203    
Bug Blocks:    
Attachments:
Description Flags
Patch ggaren: review+

Description Mark Hahnenberg 2014-02-04 12:08:10 PST 
This will require a data structure that doesn't use FastMalloc to record CodeBlocks during the stack scan. We already have something along these lines: MarkStackArray. It assumes it's only storing JSCells, but we could generalize it to serve more than one purpose.
Comment 1 Mark Hahnenberg 2014-02-04 18:35:16 PST 
Created attachment 223194 [details]
Patch
Comment 2 Mark Hahnenberg 2014-02-04 18:56:50 PST 
<rdar://problem/15980362>
Comment 3 Geoffrey Garen 2014-02-04 20:54:46 PST 
Comment on attachment 223194 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=223194&action=review

r=me

> Source/JavaScriptCore/heap/GCSegmentedArray.h:137
> +        if (!m_currentSegment)
> +            return *this;

This should be an ASSERT. It's undefined behavior to ++ past the end of an iterator.
Comment 4 Mark Hahnenberg 2014-02-05 09:27:17 PST 
Committed r163450: <http://trac.webkit.org/changeset/163450>