Bug 128202

Summary: Malloc called beneath MachineThreads::gatherFromOtherThread(), while forbidden
Product: WebKit Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCoreAssignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED    
Severity: Normal CC: mitz
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 128203    
Bug Blocks:    
Attachments:
Description Flags
Patch ggaren: review+

Mark Hahnenberg
Reported 2014-02-04 12:08:10 PST
This will require a data structure that doesn't use FastMalloc to record CodeBlocks during the stack scan. We already have something along these lines: MarkStackArray. It assumes it's only storing JSCells, but we could generalize it to serve more than one purpose.
Attachments
Patch (7.41 KB, patch)
2014-02-04 18:35 PST, Mark Hahnenberg 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Hahnenberg
Comment 1 2014-02-04 18:35:16 PST
Created attachment 223194 [details] Patch
Mark Hahnenberg
Comment 2 2014-02-04 18:56:50 PST
<rdar://problem/15980362>
Geoffrey Garen
Comment 3 2014-02-04 20:54:46 PST
Comment on attachment 223194 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=223194&action=review r=me > Source/JavaScriptCore/heap/GCSegmentedArray.h:137 > + if (!m_currentSegment) > + return *this; This should be an ASSERT. It's undefined behavior to ++ past the end of an iterator.
Mark Hahnenberg
Comment 4 2014-02-05 09:27:17 PST
Committed r163450: <http://trac.webkit.org/changeset/163450>
Note You need to log in before you can comment on or make changes to this bug.