Bug 65326
| Summary: | Crash on exit due to TCMalloc_PageHeap::m_scavengeQueueTimer not being shutdown | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | michaelbraithwaite |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | UNCONFIRMED | ||
| Severity: | Major | CC: | barraclough, ggaren, mrowe |
| Priority: | P2 | Keywords: | InRadar |
| Version: | 528+ (Nightly build) | ||
| Hardware: | PC | ||
| OS: | Windows 7 | ||
michaelbraithwaite
This isn't from the nightly but with JSC from http://trac.webkit.org/browser/releases/WebKitGTK/webkit-1.4.2. (Perhaps an 'other' in Version would be handy?)
I get a crash on exit using JSC in a custom app.
It due to TCMalloc_PageHeap::m_scavengeQueueTimer not being shutdown.
If there is a timer scheduled when the app exits the timer event can occur after the TCMalloc_PageHeap context becomes invalid.
This crashes in CMalloc_PageHeap::scavengerTimerFired() since context passed in is garbage.
Locally I stopped this crash by calling suspendScavenger() but I'm unclear on where the correct place to stop it should be.
BTW DeleteTimerQueueTimer wont delete an already scheduled event - see http://msdn.microsoft.com/en-us/library/ms682569(v=vs.85).aspx.
so to avoid this edge case I also had to update TCMalloc_PageHeap::periodicScavenge() to avoid it rescheduling...
void TCMalloc_PageHeap::periodicScavenge()
{
SpinLockHolder h(&pageheap_lock);
pageheap->scavenge();
if (isScavengerSuspended() == false)
{
if (shouldScavenge()) {
rescheduleScavenger();
return;
}
suspendScavenger();
}
}
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Geoffrey Garen
<rdar://problem/9917798>