This can cause some pathological memory usage. Patch on the way.
Created attachment 114626 [details] the patch
Attachment 114626 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/ChangeLog', u'Source..." exit_code: 1
Source/JavaScriptCore/ChangeLog:1: ChangeLog entry has no bug number [changelog/bugnumber] [5]
Total errors found: 1 in 2 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Might be good to merge your new comment with the comment above, which (now) incorrectly ASSERTs that using a Vector is OK because the string will mark its fibers -- really, using a Vector is only OK because GC just won't happen. r=me
Comment on attachment 114626 [details] the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=114626&action=review

> Source/JavaScriptCore/runtime/JSString.cpp:109
> + // Clearing here works only because there are no GC points in this method.

Might be good to merge this with the comment above, which ASSERTs that using a Vector is OK -- really, using a Vector is only OK because GC just won't happen.
(In reply to comment #4)
> (From update of attachment 114626 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=114626&action=review
>
> > Source/JavaScriptCore/runtime/JSString.cpp:109
> > + // Clearing here works only because there are no GC points in this method.
>
> Might be good to merge this with the comment above, which ASSERTs that using a Vector is OK -- really, using a Vector is only OK because GC just won't happen.

Oh, heh, didn't even notice that comment. I've gone for two comments, one to say that it's OK to put them into the Vector (because there are no GC points) and another to say that it's OK to clear m_fibers (because there are no GC points). Figure that minimizes the chances of someone getting the wrong ideas.
Landed in http://trac.webkit.org/changeset/99927