| Field | Value |
|---|---|
| Summary | scanSideState scans too much side state |
| Product | WebKit |
| Component | JavaScriptCore |
| Status | RESOLVED FIXED |
| Reporter | Samuel Groß <saelo> |
| Assignee | Keith Miller <keith_miller> |
| Severity | Normal |
| Priority | P2 |
| Keywords | InRadar |
| CC | bfulgham, commit-queue, ews-feeder, fpizlo, keith_miller, mark.lam, product-security, rmorisset, saam, tsavell, tzagallo, webkit-bug-importer, ysuzuki |
| Version | WebKit Nightly Build |
| Hardware | Unspecified |
| OS | Unspecified |
| Attachments | 387551 (Patch), 387553 (Patch for landing) |
Description
Samuel Groß
2020-01-13 02:51:25 PST

Comment
Thanks for the report. I'll take a look.

Comment
Created attachment 387551 [details]
Patch

Comment 4
Yusuke Suzuki
Comment on attachment 387551 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=387551&action=review

r=me too with comment.
Who is initializing CheckpointOSRExitSideState tmps? Are all elements cleared (JSEmpty) when declaring it? Can we add a default initializer to the `tmps` field as,

    JSValue tmps[maxNumCheckpointTmps] { };

> Source/JavaScriptCore/ChangeLog:3
> +    JSC: Crash during GC

Let's rename the title.

Comment
(In reply to Yusuke Suzuki from comment #4)
> Comment on attachment 387551 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=387551&action=review
>
> r=me too with comment.
> Who is initializing CheckpointOSRExitSideState tmps? Are all elements
> cleared (JSEmpty) when declaring it? Can we add a default initializer to
> the `tmps` field as,
>
>     JSValue tmps[maxNumCheckpointTmps] { };

Currently, no one. I can do that though.

> > Source/JavaScriptCore/ChangeLog:3
> > +    JSC: Crash during GC
>
> Let's rename the title.

Done.

Created attachment 387553 [details]
Patch for landing
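The review asks whether the `tmps` array of `CheckpointOSRExitSideState` is ever cleared to JSEmpty and suggests a default member initializer. The following is an added C++ example, not code from the WebKit patch: it uses a constructed `Value` stand-in for JSValue (0 plays the role of JSEmpty), a hypothetical record with the `{ }` initializer, a simplified `scanSideState` visitor, and a hypothetical debug invariant to show why uninitialized slots would be a problem for the GC.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>

// Constructed stand-in for JSValue: 0 plays the role of JSEmpty, an even
// non-zero value stands for a cell pointer (the real JSC encoding differs).
struct Value {
    uint64_t bits;
    bool isEmpty() const { return bits == 0; }
    bool isCell() const { return bits != 0 && (bits & 1) == 0; }
};

constexpr size_t maxNumCheckpointTmps = 4;

// Hypothetical record named after the one in the review. The `{ }` default
// member initializer is the reviewer's suggestion: every tmp starts out JSEmpty
// however the record is constructed, instead of keeping stale bits.
struct CheckpointOSRExitSideState {
    size_t numTmps = 0;                    // slots actually populated
    Value tmps[maxNumCheckpointTmps] { };  // value-initialized: all JSEmpty
};

// GC-style visit: returns how many cells would be marked. Empty slots
// contribute nothing; stale bits would be marked as if they were live cells.
size_t scanSideState(const CheckpointOSRExitSideState& s) {
    size_t visited = 0;
    for (size_t i = 0; i < maxNumCheckpointTmps; ++i)
        if (s.tmps[i].isCell()) ++visited;
    return visited;
}

// Hypothetical debug invariant in the spirit of the assertion mentioned at
// landing: slots beyond numTmps must be JSEmpty.
bool unusedTmpsAreEmpty(const CheckpointOSRExitSideState& s) {
    for (size_t i = s.numTmps; i < maxNumCheckpointTmps; ++i)
        if (!s.tmps[i].isEmpty()) return false;
    return true;
}

// Construct into deliberately dirtied memory: thanks to `{ }` the scanner
// still sees no cells, which is what the review asked for.
bool constructsCleanInDirtyMemory() {
    alignas(CheckpointOSRExitSideState) unsigned char buf[sizeof(CheckpointOSRExitSideState)];
    std::memset(buf, 0xAB, sizeof buf);
    auto* s = new (buf) CheckpointOSRExitSideState;
    bool clean = scanSideState(*s) == 0 && unusedTmpsAreEmpty(*s);
    s->~CheckpointOSRExitSideState();
    return clean;
}
```

Without the `{ }` on `tmps`, the placement-new case would leave the 0xAB pattern in every slot, and the visitor would treat those bytes as cells.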
Comment
Comment on attachment 387553 [details]
Patch for landing

Clearing flags on attachment: 387553

Committed r254491: <https://trac.webkit.org/changeset/254491>

Comment
All reviewed patches have been landed. Closing bug.

Comment
This change broke many tests on Debug with the new assertion. Tracked in https://bugs.webkit.org/show_bug.cgi?id=206229