Specifically, in JSLock::willReleaseLock() and HeapTimer::timerDidFire(). Otherwise, there's no guarantee that the VM won't be deleted after the null check. Patch coming.
<rdar://problem/26129156>
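The race described in the first comment, as an added, constructed example that is not part of this bug or of the WebKit patch: `Vm`, `RefPtr` and `Owner` below are small stand-ins (assumptions of this example) for JSC's `VM`, `WTF::RefPtr` and the `JSLock`/`HeapTimer` object that holds the VM pointer. `Owner::teardown()` plays the role of the other thread dropping the last reference in the window between the null check and the use. The racy form stops just before it would dereference the freed VM and instead reports that the VM is already gone; the fixed form takes a protecting reference first, so the VM outlives the callback.

```cpp
#include <cassert>
#include <cstdio>
#include <utility>

// Constructed stand-in for an intrusively ref-counted VM (not JSC's real VM).
// s_live lets the example observe destruction without touching freed memory.
class Vm {
public:
    static int liveCount() { return s_live; }
    Vm() { ++s_live; }
    ~Vm() { --s_live; }
    void ref() { ++m_refCount; }
    void deref() { if (!--m_refCount) delete this; }
    void tick() { ++m_ticks; }
    int ticks() const { return m_ticks; }
private:
    unsigned m_refCount = 0;   // a RefPtr takes the first reference
    int m_ticks = 0;
    static int s_live;
};
int Vm::s_live = 0;

// Minimal stand-in for WTF::RefPtr: owns one reference to T.
template<typename T>
class RefPtr {
public:
    RefPtr() : m_ptr(nullptr) {}
    RefPtr(T* ptr) : m_ptr(ptr) { if (m_ptr) m_ptr->ref(); }
    RefPtr(const RefPtr& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    ~RefPtr() { if (m_ptr) m_ptr->deref(); }
    RefPtr& operator=(const RefPtr& o) { RefPtr tmp(o); std::swap(m_ptr, tmp.m_ptr); return *this; }
    void clear() { RefPtr tmp; std::swap(m_ptr, tmp.m_ptr); }
    T* get() const { return m_ptr; }
    T* operator->() const { return m_ptr; }
    explicit operator bool() const { return m_ptr != nullptr; }
private:
    T* m_ptr;
};

// Stand-in for the lock/timer object that holds the (possibly null) VM pointer.
struct Owner {
    RefPtr<Vm> vm;
    // Simulates the other thread dropping the last reference while our callback runs.
    void teardown() { vm.clear(); }
};

// Racy form: null-check the raw pointer, then use it. Returns true if the VM was
// already destroyed at the point where a real callback would dereference it.
bool racyCallbackObservesDanglingVm(Owner& owner)
{
    Vm* vm = owner.vm.get();
    if (!vm)
        return false;
    owner.teardown();                       // concurrent teardown lands here
    bool dangling = Vm::liveCount() == 0;   // vm now points at freed memory
    // A real callback would now call vm->tick(): a use-after-free. We stop here.
    (void)vm;
    return dangling;
}

// Fixed form (what the patch does): take a protecting reference first, then
// null-check that, then use it. Returns the VM's tick count, or -1 if no VM.
int safeCallbackTicks(Owner& owner)
{
    RefPtr<Vm> protectedVm = owner.vm;      // extra ref keeps the VM alive
    if (!protectedVm)
        return -1;
    owner.teardown();                       // same teardown point as above
    assert(Vm::liveCount() == 1);           // still alive: we hold a reference
    protectedVm->tick();                    // safe to use
    return protectedVm->ticks();
}                                           // protectedVm released here; VM freed now

int main()
{
    Owner racy;
    racy.vm = RefPtr<Vm>(new Vm);
    std::printf("racy form sees dangling VM: %s\n", racyCallbackObservesDanglingVm(racy) ? "yes" : "no");

    Owner safe;
    safe.vm = RefPtr<Vm>(new Vm);
    std::printf("safe form ticks: %d, live VMs after callback: %d\n", safeCallbackTicks(safe), Vm::liveCount());
    return 0;
}
```

The style-queue complaint later in this thread is about exactly this local: naming the protecting `RefPtr` `protectedVm` (or `protector`) makes it obvious at the use site that the lifetime, not just the null-ness, has been pinned down.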
Created attachment 279304 [details]
proposed patch.

Still need to run tests.
Attachment 279304 [details] did not pass style-queue:

ERROR: Source/JavaScriptCore/runtime/JSLock.cpp:180:  'vm' is incorrectly named. It should be named 'protector' or 'protectedVm'.  [readability/naming/protected] [4]
Total errors found: 1 in 4 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Comment on attachment 279304 [details]
proposed patch.

Nice!
Comment on attachment 279304 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=279304&action=review

> Source/JavaScriptCore/ChangeLog:3
> +        Code that need to null check the VM pointer before use should ref the VM.

I think this would be less confusing as "Code that null checks the VM pointer before any use should ref the VM."
Comment on attachment 279304 [details]
proposed patch.

r=me too.
(In reply to comment #5)
> Comment on attachment 279304 [details]
> proposed patch.
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=279304&action=review
>
> > Source/JavaScriptCore/ChangeLog:3
> > +        Code that need to null check the VM pointer before use should ref the VM.
>
> I think this would be less confusing as "Code that null checks the VM
> pointer before any use should ref the VM."

I'll make the change.
The patch has passed the layout tests and JSC tests on x86_64. I also did an ad hoc smoke test by running a few apps with it on ARM64.
Landed in r201180: <http://trac.webkit.org/r201180>.