88449 – Worker tear-down can re-enter JSC during GC finalization

RESOLVED FIXED88449

Worker tear-down can re-enter JSC during GC finalization

https://bugs.webkit.org/show_bug.cgi?id=88449

Summary Worker tear-down can re-enter JSC during GC finalization

Mark Hahnenberg

Reported 2012-06-06 13:23:52 PDT

~AbstractWorker can enter JS during GC finalization due to attempting to update the Web Inspector when the worker is being torn down, which is not allowed by JSC. ~Worker has a similar story. Both of these should be fixed to prevent this.

Attachments
Patch (2.25 KB, patch) 2012-06-06 14:53 PDT, Mark Hahnenberg	no flags	Details Formatted Diff Diff
Patch (1.23 KB, patch) 2012-06-06 18:01 PDT, Mark Hahnenberg	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Mark Hahnenberg

Comment 1 2012-06-06 14:53:30 PDT

Created attachment 146116 [details] Patch

Mark Hahnenberg

Comment 2 2012-06-06 15:06:32 PDT

> ~AbstractWorker can enter JS during GC finalization due to attempting to update the Web Inspector when the worker is being torn down, which is not allowed by JSC. To make this more clear: ~AbstractWorker can re-enter JS during GC finalization, which is not allowed by JSC, due to attempting to update the Web Inspector when the worker is being torn down.

Geoffrey Garen

Comment 3 2012-06-06 15:21:17 PDT

Comment on attachment 146116 [details] Patch r=me

Mark Hahnenberg

Comment 4 2012-06-06 15:29:07 PDT

Committed r119624: <http://trac.webkit.org/changeset/119624>

Ryosuke Niwa

Comment 5 2012-06-06 16:59:40 PDT

A bunch of worker tests started crashing after this patch: http://test-results.appspot.com/dashboards/flakiness_dashboard.html#tests=fast%2Fworkers%2Fworker-event-listener.html%2Cfast%2Fworkers%2Fstorage%2Fchange-version-handle-reuse-worker.html%2Chttp%2Ftests%2Fhistory%2Fback-during-onload-triggered-by-back.html%2Cfast%2Fworkers%2Fstorage%2Fread-and-write-transactions-dont-run-together.html

WebKit Review Bot

Comment 6 2012-06-06 17:04:40 PDT

Re-opened since this is blocked by 88472

Mark Hahnenberg

Comment 7 2012-06-06 18:01:39 PDT

Created attachment 146165 [details] Patch

Mark Hahnenberg

Comment 8 2012-06-06 18:02:11 PDT

Let's try landing each piece of the patch separately to determine which half caused the regression. I think this first patch is the safer of the two.

Geoffrey Garen

Comment 9 2012-06-07 11:11:18 PDT

Comment on attachment 146165 [details] Patch r=me

WebKit Review Bot

Comment 10 2012-06-07 11:32:08 PDT

Comment on attachment 146165 [details] Patch Clearing flags on attachment: 146165 Committed r119740: <http://trac.webkit.org/changeset/119740>

WebKit Review Bot

Comment 11 2012-06-07 11:32:13 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component WebCore JavaScript

Assignee

Mark Hahnenberg

Reported

2012-06-06 13:23 PDT

Modified

2012-06-07 11:32 PDT History

CC List

5 users Show

URL

Keywords

Depends on

88472

Blocks

Dependencies

tree graph