128202 – Malloc called beneath MachineThreads::gatherFromOtherThread(), while forbidden

Bug 128202 - Malloc called beneath MachineThreads::gatherFromOtherThread(), while forbidden

Summary: Malloc called beneath MachineThreads::gatherFromOtherThread(), while forbidden

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Mark Hahnenberg

URL:
Keywords:	InRadar

Depends on:	128203
Blocks:
	Show dependency tree / graph

Reported:	2014-02-04 12:08 PST by Mark Hahnenberg
Modified:	2014-02-05 09:32 PST (History)
CC List:	1 user (show)

See Also:

Attachments
Patch (7.41 KB, patch) 2014-02-04 18:35 PST, Mark Hahnenberg	ggaren: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Hahnenberg 2014-02-04 12:08:10 PST

This will require a data structure that doesn't use FastMalloc to record CodeBlocks during the stack scan. We already have something along these lines: MarkStackArray. It assumes it's only storing JSCells, but we could generalize it to serve more than one purpose.

Comment 1 Mark Hahnenberg 2014-02-04 18:35:16 PST

Created attachment 223194 [details]
Patch

Comment 2 Mark Hahnenberg 2014-02-04 18:56:50 PST

<rdar://problem/15980362>

Comment 3 Geoffrey Garen 2014-02-04 20:54:46 PST

Comment on attachment 223194 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=223194&action=review

r=me

> Source/JavaScriptCore/heap/GCSegmentedArray.h:137
> +        if (!m_currentSegment)
> +            return *this;

This should be an ASSERT. It's undefined behavior to ++ past the end of an iterator.

Comment 4 Mark Hahnenberg 2014-02-05 09:27:17 PST

Committed r163450: <http://trac.webkit.org/changeset/163450>