NEW 202295
Bytecode cache should defer GC and hold API lock while encoding
https://bugs.webkit.org/show_bug.cgi?id=202295
Summary: Bytecode cache should defer GC and hold API lock while encoding
Tadeu Zagallo
Reported 2019-09-26 15:30:55 PDT
...
Attachments
Patch (6.92 KB, patch)
2019-09-26 15:49 PDT, Tadeu Zagallo
saam: review+
Tadeu Zagallo
Comment 1 2019-09-26 15:49:28 PDT
Saam Barati
Comment 2 2019-09-26 15:51:41 PDT
Comment on attachment 379691 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=379691&action=review

> Source/JavaScriptCore/ChangeLog:11
> + We already hold the API lock in generateProgramBytecode/generateModuleBytecode, but we should also hold
> + the API lock in the larger scope of the public methods in JSScript. Additionally, we should DeferGC as
> + part of generateProgramBytecode/generateModuleBytecode, to ensure that the code generated is not collected
> + before being serialized.

is this definitely what's happening? Can we test it?
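Review bot: the ChangeLog hunk asserts that generated code can be collected before it is serialized, but the patch description carries no regression test exercising that window; either add a test that triggers a collection between generation and encoding, or state in the ChangeLog that this is defensive hardening with no known reproducer. The hunk also widens the API lock to "the public methods in JSScript" without naming them; listing the affected methods would make the new locking scope reviewable from the ChangeLog alone.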
Tadeu Zagallo
Comment 3 2019-09-26 15:56:22 PDT
(In reply to Saam Barati from comment #2)
> Comment on attachment 379691 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=379691&action=review
>
> > Source/JavaScriptCore/ChangeLog:11
> > + We already hold the API lock in generateProgramBytecode/generateModuleBytecode, but we should also hold
> > + the API lock in the larger scope of the public methods in JSScript. Additionally, we should DeferGC as
> > + part of generateProgramBytecode/generateModuleBytecode, to ensure that the code generated is not collected
> > + before being serialized.
>
> is this definitely what's happening? Can we test it?

I don't know whether this is actually happening in practice, but I believe the code was not correct before. I'll try to come up with a test, and will land as a follow-up if I can reproduce the hypothetical crash.
Radar WebKit Bug Importer
Comment 4 2019-09-26 16:36:10 PDT