187157 – IsoCellSet::sweepToFreeList() not safe when Full GC in process

Bug 187157 - IsoCellSet::sweepToFreeList() not safe when Full GC in process

Summary: IsoCellSet::sweepToFreeList() not safe when Full GC in process

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Michael Saboff

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2018-06-28 14:33 PDT by Michael Saboff
Modified:	2018-06-28 20:27 PDT (History)
CC List:	6 users (show)

See Also:

Attachments
Patch (2.95 KB, patch) 2018-06-28 15:52 PDT, Michael Saboff	mark.lam: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Saboff 2018-06-28 14:33:06 PDT

If we are in the process of a full GC and we call into IsoCellSet::sweepToFreeList(), the IsoCellSet's bits may be improperly cleared due to incomplete stale marks logic.  The stale marks logic needs to match what is in MarkedBlock::Handle::specializedSweep where it takes into account whether or not we are in the process of marking during a full GC.

Comment 1 Michael Saboff 2018-06-28 14:33:27 PDT

<rdar://problem/41400293>

Comment 2 Michael Saboff 2018-06-28 15:52:45 PDT

Created attachment 343866 [details]
Patch

Comment 3 Mark Lam 2018-06-28 16:00:14 PDT

Comment on attachment 343866 [details]
Patch

r=me

Comment 4 Michael Saboff 2018-06-28 20:27:30 PDT

Committed r233346: <https://trac.webkit.org/changeset/233346>