JavaScriptCore garbage collection is missing an autorelease pool

https://bugs.webkit.org/show_bug.cgi?id=156751 <rdar://problem/25787802> Reviewed by Mark Lam. * heap/Heap.cpp: (JSC::Heap::releaseDelayedReleasedObjects): Add an autorelease pool to catch autoreleases when we call out to arbitrary ObjC code. We use the C interface here because this is not an ObjC compilation unit. Canonical link: https://commits.webkit.org/174938@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199803 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Apr 21, 2016 · 4ee24a314d410fca4cefad8eb519a2dd9c7bc057 · 4ee24a3
1 parent 08ca506
commit 4ee24a314d410fca4cefad8eb519a2dd9c7bc057
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 6 deletions.
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2016-04-20  Geoffrey Garen  <ggaren@apple.com>
+
+        JavaScriptCore garbage collection is missing an autorelease pool
+        https://bugs.webkit.org/show_bug.cgi?id=156751
+        <rdar://problem/25787802>
+
+        Reviewed by Mark Lam.
+
+        * heap/Heap.cpp:
+        (JSC::Heap::releaseDelayedReleasedObjects): Add an autorelease pool to
+        catch autoreleases when we call out to arbitrary ObjC code.
+
+        We use the C interface here because this is not an ObjC compilation unit.
+
 2016-04-20  Filip Pizlo  <fpizlo@apple.com>
 
         DFG del_by_id support forgets to set()

diff --git a/Source/JavaScriptCore/heap/Heap.cpp b/Source/JavaScriptCore/heap/Heap.cpp
@@ -58,6 +58,13 @@
 #include <wtf/ProcessID.h>
 #include <wtf/RAMSize.h>
 
+#if __has_include(<objc/objc-internal.h>)
+#include <objc/objc-internal.h>
+#else
+extern "C" void* objc_autoreleasePoolPush(void);
+extern "C" void objc_autoreleasePoolPop(void *context);
+#endif
+
 using namespace std;
 
 namespace JSC {
@@ -355,7 +362,7 @@ Heap::Heap(VM* vm, HeapType heapType)
     , m_sweeper(std::make_unique<IncrementalSweeper>(this))
 #endif
     , m_deferralDepth(0)
-#if USE(CF)
+#if USE(FOUNDATION)
     , m_delayedReleaseRecursionCount(0)
 #endif
     , m_helperClient(&heapHelperPool())
@@ -393,7 +400,7 @@ void Heap::lastChanceToFinalize()
 
 void Heap::releaseDelayedReleasedObjects()
 {
-#if USE(CF)
+#if USE(FOUNDATION)
     // We need to guard against the case that releasing an object can create more objects due to the
     // release calling into JS. When those JS call(s) exit and all locks are being dropped we end up
     // back here and could try to recursively release objects. We guard that with a recursive entry
@@ -411,7 +418,9 @@ void Heap::releaseDelayedReleasedObjects()
                 // We need to drop locks before calling out to arbitrary code.
                 JSLock::DropAllLocks dropAllLocks(m_vm);
 
+                void* context = objc_autoreleasePoolPush();
                 objectsToRelease.clear();
+                objc_autoreleasePoolPop(context);
             }
         }
     }

diff --git a/Source/JavaScriptCore/heap/Heap.h b/Source/JavaScriptCore/heap/Heap.h
@@ -236,8 +236,8 @@ class Heap {
 
     CodeBlockSet& codeBlockSet() { return m_codeBlocks; }
 
-#if USE(CF)
-        template<typename T> void releaseSoon(RetainPtr<T>&&);
+#if USE(FOUNDATION)
+    template<typename T> void releaseSoon(RetainPtr<T>&&);
 #endif
 
     static bool isZombified(JSCell* cell) { return *(void**)cell == zombifiedBits; }
@@ -435,7 +435,8 @@ class Heap {
     Vector<DFG::Worklist*> m_suspendedCompilerWorklists;
 
     std::unique_ptr<HeapVerifier> m_verifier;
-#if USE(CF)
+
+#if USE(FOUNDATION)
     Vector<RetainPtr<CFTypeRef>> m_delayedReleaseObjects;
     unsigned m_delayedReleaseRecursionCount;
 #endif

diff --git a/Source/JavaScriptCore/heap/HeapInlines.h b/Source/JavaScriptCore/heap/HeapInlines.h
@@ -256,7 +256,7 @@ inline void Heap::ascribeOwner(JSCell* intendedOwner, void* storage)
 #endif
 }
 
-#if USE(CF)
+#if USE(FOUNDATION)
 template <typename T>
 inline void Heap::releaseSoon(RetainPtr<T>&& object)
 {