JavaScriptCore: REGRESSION (52082): Crash on worker thread when reloading http:/...
author    ggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 19 Jan 2010 08:39:04 +0000 (08:39 +0000)
committer ggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Tue, 19 Jan 2010 08:39:04 +0000 (08:39 +0000)
commit    caad9640cbaed70a772d569ac06c8cb70455920d
tree      1acbd2d08fd9cb90497890927582985b085476ee
parent    afe437b669a9b7ea60346145cb6749fbbd43e74c
JavaScriptCore: REGRESSION (52082): Crash on worker thread when reloading radnan.public.iastate.edu/procedural/
https://bugs.webkit.org/show_bug.cgi?id=33826

Reviewed by Oliver Hunt.

This bug was caused by a GC-protected object being destroyed early by
Heap::destroy. Clients of the GC protect APIs (reasonably) expect pointers
to GC-protected memory to be valid.

The solution is to do two passes of tear-down in Heap::destroy. The first
pass tears down all unprotected objects. The second pass ASSERTs that all
previously protected objects are now unprotected, and then tears down
all previously protected objects. These two passes simulate the two passes
that would have been required to free a protected object during normal GC.

* API/JSContextRef.cpp: Removed some ASSERTs that have moved into Heap.

* runtime/Collector.cpp:
(JSC::Heap::destroy): Moved ASSERTs to here.
(JSC::Heap::freeBlock): Tidied up the use of didShrink by moving its
setter to the function that does the shrinking.
(JSC::Heap::freeBlocks): Implemented above algorithm.
(JSC::Heap::shrinkBlocks): Tidied up the use of didShrink.

WebCore: REGRESSION (52082): Crash on worker thread when reloading http://radnan.public.iastate.edu/procedural/
https://bugs.webkit.org/show_bug.cgi?id=33826

Reviewed by Oliver Hunt.

Test: fast/workers/worker-gc2.html

* bindings/js/WorkerScriptController.cpp:
(WebCore::WorkerScriptController::~WorkerScriptController): Removed some
ASSERTs that have moved to JavaScriptCore.

LayoutTests: REGRESSION (52082): Crash on worker thread when reloading http://radnan.public.iastate.edu/procedural/
https://bugs.webkit.org/show_bug.cgi?id=33826

Reviewed by Oliver Hunt.

Added a test for this edge case.

* fast/workers/resources/worker-gc2.js: Added.
(Dummy):
* fast/workers/worker-gc2.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@53460 268f45cc-cd09-0410-ab3c-d52691b4dbfc
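The two-pass tear-down described in the commit message, modelled as an added example (this is not WebKit's code; Cell, ToyHeap and every helper below are hypothetical). A client GC-protects cell A; a later-allocated cell B holds A and unprotects it from its destructor, the way WorkerScriptController releases the global object it protected. A single pass in allocation order frees A while it is still protected, so B's destructor then touches freed memory. The fixed version frees unprotected cells first, lets their destructors drop the protects they hold, and only then frees what remains, counting (where WebKit ASSERTs) anything still protected at that point.

```cpp
// Added example, not WebKit code: a toy model of a collector whose clients can
// GC-protect cells, showing why tear-down must free unprotected cells before
// protected ones. Cell, ToyHeap and the helper names below are all hypothetical.
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <map>
#include <memory>
#include <vector>

struct Cell {
    bool alive = true;
    // A protected cell that this cell's simulated destructor will unprotect.
    Cell* protectedRef = nullptr;
};

class ToyHeap {
public:
    Cell* allocate() {
        cells_.push_back(std::make_unique<Cell>());
        return cells_.back().get();
    }
    void protect(Cell* c) { ++protectCounts_[c]; }
    void unprotect(Cell* c) {
        auto it = protectCounts_.find(c);
        assert(it != protectCounts_.end() && "unprotect without matching protect");
        if (--it->second == 0)
            protectCounts_.erase(it);
    }
    bool isProtected(Cell* c) const { return protectCounts_.count(c) != 0; }
    bool touchedFreedCell() const { return touchedFreedCell_; }
    std::size_t outstandingProtects() const { return protectCounts_.size(); }

    // Buggy tear-down: one pass in allocation order, ignoring protection.
    void destroySinglePass() {
        for (auto& c : cells_)
            if (c->alive) destroyCell(c.get());
    }

    // Fixed tear-down. Pass 1 frees unprotected cells, whose destructors drop the
    // protects they hold. Pass 2 frees whatever is left, which must by now be
    // unprotected; the return value counts cells still protected at that point
    // (the condition WebKit's Heap::destroy ASSERTs on). 0 means clients behaved.
    std::size_t destroyTwoPass() {
        for (auto& c : cells_)
            if (c->alive && !isProtected(c.get())) destroyCell(c.get());
        std::size_t stillProtected = 0;
        for (auto& c : cells_) {
            if (!c->alive) continue;
            if (isProtected(c.get())) ++stillProtected;
            destroyCell(c.get());
        }
        return stillProtected;
    }

private:
    // Simulated destructor. A real one would dereference protectedRef; here we
    // only record that it pointed at already-freed memory.
    void destroyCell(Cell* c) {
        if (c->protectedRef) {
            if (!c->protectedRef->alive)
                touchedFreedCell_ = true;   // the use-after-free behind the crash
            else
                unprotect(c->protectedRef);
        }
        c->alive = false;
    }

    std::vector<std::unique_ptr<Cell>> cells_;
    std::map<Cell*, unsigned> protectCounts_;
    bool touchedFreedCell_ = false;
};

// Scenario: A is protected; B, allocated later, holds A and unprotects it when
// destroyed. Single-pass tear-down frees A first, so B then touches freed memory.
bool singlePassTouchesFreedCell() {
    ToyHeap heap;
    Cell* a = heap.allocate();
    Cell* b = heap.allocate();
    heap.protect(a);
    b->protectedRef = a;
    heap.destroySinglePass();
    return heap.touchedFreedCell();
}

// Same scenario under two-pass tear-down: B goes in pass 1 and unprotects A,
// A goes in pass 2, and no protect count is left dangling.
bool twoPassIsSafe() {
    ToyHeap heap;
    Cell* a = heap.allocate();
    Cell* b = heap.allocate();
    heap.protect(a);
    b->protectedRef = a;
    std::size_t leaked = heap.destroyTwoPass();
    return leaked == 0 && !heap.touchedFreedCell() && heap.outstandingProtects() == 0;
}

int main() {
    std::printf("single pass touches freed cell: %s\n", singlePassTouchesFreedCell() ? "yes" : "no");
    std::printf("two-pass tear-down safe: %s\n", twoPassIsSafe() ? "yes" : "no");
    return 0;
}
```

The toy records the dangling access as a flag instead of actually dereferencing freed memory, so it runs cleanly under a sanitizer; in the real heap the same ordering mistake is a use-after-free on the worker thread.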
JavaScriptCore/API/JSContextRef.cpp
JavaScriptCore/ChangeLog
JavaScriptCore/jsc.cpp
JavaScriptCore/runtime/Collector.cpp
LayoutTests/ChangeLog
LayoutTests/fast/workers/resources/worker-gc2.js [new file with mode: 0644]
LayoutTests/fast/workers/worker-gc2.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/bindings/js/WorkerScriptController.cpp