Even after the fix for bug 186223, there are code paths that can leave ScratchBuffers with non-zero activeLength(), which can potentially cause things to be GC roots via the conservative scan. We should just set the activeLength of all scratch buffers to zero when leaving VM entry scope.
<rdar://problem/40780738>
Patch forthcoming
Created attachment 341922 [details] patch
Comment on attachment 341922 [details] patch r=me.
Keith mentioned doing this in a follow-up: https://bugs.webkit.org/show_bug.cgi?id=186292
Created attachment 341940 [details] patch for landing
Comment on attachment 341940 [details] patch for landing Clearing flags on attachment: 341940 Committed r232490: <https://trac.webkit.org/changeset/232490>
All reviewed patches have been landed. Closing bug.
Under what conditions do we enter the garbage collector with a live scratch buffer? OSR exit with object re-materialization, maybe? Just wondering why we need to mark scratch buffers at all...
(In reply to Geoffrey Garen from comment #9) > Under what conditions do we enter the garbage collector with a live scratch > buffer? OSR exit with object re-materialization, maybe? Just wondering why > we need to mark scratch buffers at all... There are probably more cases than that. Some quick grepping: - OSR entry in loops and catch. I guess it's non-obvious if we need contents marked here. - Array push with > 1 argument - NewArray - NewArrayWithSpread - OSR exit as you said