Bug 65326 - Crash on exit due to TCMalloc_PageHeap::m_scavengeQueueTimer not being shutdown
Summary: Crash on exit due to TCMalloc_PageHeap::m_scavengeQueueTimer not being shutdown
Status: UNCONFIRMED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: PC Windows 7
Importance: P2 Major
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2011-07-28 10:34 PDT by michaelbraithwaite
Modified: 2011-08-08 16:03 PDT

See Also:


Description michaelbraithwaite 2011-07-28 10:34:17 PDT
This isn't with the nightly but with JSC from http://trac.webkit.org/browser/releases/WebKitGTK/webkit-1.4.2. (Perhaps an 'other' in Version would be handy?)

I get a crash on exit using JSC in a custom app.

It's due to TCMalloc_PageHeap::m_scavengeQueueTimer not being shut down.

If there is a timer scheduled when the app exits the timer event can occur after the TCMalloc_PageHeap context becomes invalid. 

This crashes in TCMalloc_PageHeap::scavengerTimerFired() since the context passed in is garbage.

Locally I stopped this crash by calling suspendScavenger() but I'm unclear on where the correct place to stop it should be.

BTW DeleteTimerQueueTimer won't delete an already scheduled event - see http://msdn.microsoft.com/en-us/library/ms682569(v=vs.85).aspx.

So to avoid this edge case I also had to update TCMalloc_PageHeap::periodicScavenge() to avoid it rescheduling:

void TCMalloc_PageHeap::periodicScavenge()
{
    SpinLockHolder h(&pageheap_lock);
    pageheap->scavenge();

    // Once suspendScavenger() has been called (e.g. during shutdown), never re-arm
    // the timer: DeleteTimerQueueTimer does not remove a callback that is already
    // queued, so a reschedule here could fire after the page heap is gone.
    if (!isScavengerSuspended()) {
        if (shouldScavenge()) {
            rescheduleScavenger();
            return;
        }

        suspendScavenger();
    }
}
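The shutdown ordering the description is circling, as an added example that is not part of this bug report or of WebKit's FastMalloc.cpp: a portable C++ model of the scavenger timer and its owner. `ScavengeTimer` and `PageHeap` are stand-ins written for this illustration (a worker thread plays the role of the Windows timer queue, and the page counts are constructed numbers), so the names, sizes and delays are assumptions, not TCMalloc's. The two things it shows are the ones the reporter needed: the callback checks a "suspended" flag under the heap lock before touching anything or re-arming, and shutdown sets that flag, releases the lock, and then waits for any callback that is already running before the heap can be destroyed. On Windows the "wait" half is what DeleteTimerQueueTimer does when CompletionEvent is INVALID_HANDLE_VALUE; passing NULL returns immediately and leaves a queued callback free to fire into freed memory.

```cpp
#include <algorithm>
#include <chrono>
#include <condition_variable>
#include <cstddef>
#include <cstdio>
#include <functional>
#include <mutex>
#include <thread>

using Clock = std::chrono::steady_clock;

// Stand-in for the timer queue behind m_scavengeQueueTimer: one worker thread
// that invokes the callback once per schedule() call.
class ScavengeTimer {
public:
    explicit ScavengeTimer(std::function<void()> callback)
        : m_callback(std::move(callback)), m_thread([this] { run(); }) {}
    ~ScavengeTimer() { shutdown(); }

    // Arm (or re-arm) the timer. Safe to call from inside the callback.
    void schedule(std::chrono::milliseconds delay) {
        std::lock_guard<std::mutex> lock(m_mutex);
        m_fireAt = Clock::now() + delay;
        m_pending = true;
        m_cv.notify_all();
    }

    // Equivalent of DeleteTimerQueueTimer(..., INVALID_HANDLE_VALUE): drop the
    // pending fire and block until the worker, including a callback that is
    // already executing, has finished. Returning early here is the bug.
    void shutdown() {
        {
            std::lock_guard<std::mutex> lock(m_mutex);
            m_pending = false;
            m_stop = true;
        }
        m_cv.notify_all();
        if (m_thread.joinable())
            m_thread.join();
    }

private:
    void run() {
        std::unique_lock<std::mutex> lock(m_mutex);
        for (;;) {
            m_cv.wait(lock, [this] { return m_stop || m_pending; });
            if (m_stop)
                return;
            Clock::time_point deadline = m_fireAt;
            // Wake early if stopped, cancelled, or re-armed with a new deadline.
            bool interrupted = m_cv.wait_until(lock, deadline, [&] {
                return m_stop || !m_pending || m_fireAt != deadline;
            });
            if (interrupted)
                continue; // the outer wait re-evaluates the new state
            m_pending = false;
            lock.unlock(); // never hold the timer lock while the callback runs
            m_callback();
            lock.lock();
        }
    }

    std::function<void()> m_callback;
    std::mutex m_mutex;
    std::condition_variable m_cv;
    Clock::time_point m_fireAt;
    bool m_pending = false;
    bool m_stop = false;
    std::thread m_thread; // declared last: started after the fields it uses exist
};

// Stand-in for the scavenger half of TCMalloc_PageHeap (constructed numbers).
class PageHeap {
public:
    PageHeap() : m_timer([this] { periodicScavenge(); }) {}
    ~PageHeap() { shutdownScavenger(); }

    void startScavenger() {
        std::lock_guard<std::mutex> lock(m_lock); // pageheap_lock stand-in
        m_suspended = false;
        rescheduleScavenger();
    }

    // Timer callback. The suspended check comes first, under the heap lock, so a
    // fire that was already queued when shutdown began does nothing and does not
    // re-arm the timer.
    void periodicScavenge() {
        std::lock_guard<std::mutex> lock(m_lock);
        if (m_suspended)
            return;
        scavenge();
        if (shouldScavenge()) {
            rescheduleScavenger();
            return;
        }
        m_suspended = true;
    }

    // Order matters: (1) mark suspended under the lock, (2) release the lock and
    // wait for the timer (the callback takes m_lock, so holding it would deadlock),
    // (3) only then may the heap be destroyed.
    void shutdownScavenger() {
        {
            std::lock_guard<std::mutex> lock(m_lock);
            m_suspended = true;
        }
        m_timer.shutdown();
    }

    std::size_t scavengeCount() { std::lock_guard<std::mutex> lock(m_lock); return m_scavengeCount; }
    bool isScavengerSuspended() { std::lock_guard<std::mutex> lock(m_lock); return m_suspended; }

private:
    // Callers hold m_lock.
    void scavenge() { m_freePages -= std::min<std::size_t>(m_freePages, 100); ++m_scavengeCount; }
    bool shouldScavenge() const { return m_freePages > 0; }
    void rescheduleScavenger() { m_timer.schedule(std::chrono::milliseconds(2)); }

    std::mutex m_lock;
    std::size_t m_freePages = 1000000; // large enough that a fire is always pending
    std::size_t m_scavengeCount = 0;
    bool m_suspended = true;
    ScavengeTimer m_timer; // declared last so it never outlives what the callback touches
};

// Run the scavenger long enough that a fire is always queued, then shut down.
// Returns true if no scavenge ran after shutdownScavenger() returned.
bool shutdownLeavesNoStragglers() {
    PageHeap heap;
    heap.startScavenger();
    std::this_thread::sleep_for(std::chrono::milliseconds(50));
    heap.shutdownScavenger();
    std::size_t atShutdown = heap.scavengeCount();
    std::this_thread::sleep_for(std::chrono::milliseconds(30));
    return atShutdown > 0 && heap.scavengeCount() == atShutdown && heap.isScavengerSuspended();
}

int main() {
    std::printf("%s\n", shutdownLeavesNoStragglers() ? "no scavenge after shutdown" : "straggler fired");
    return 0;
}
```

The model keeps the real code's lock discipline: the callback takes the heap lock and the timer lock is never held across the callback, so shutdown must set the flag, drop the heap lock, and only then join. Build with `g++ -std=c++11 -pthread`.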
Comment 1 Geoffrey Garen 2011-08-08 16:03:40 PDT
<rdar://problem/9917798>