JavaScriptCore garbage collection is missing an autorelease pool
https://bugs.webkit.org/show_bug.cgi?id=156751
<rdar://problem/25787802>

Reviewed by Mark Lam.

* heap/Heap.cpp:
(JSC::Heap::releaseDelayedReleasedObjects): Add an autorelease pool to
catch autoreleases when we call out to arbitrary ObjC code.

We use the C interface here because this is not an ObjC compilation unit.


Canonical link: https://commits.webkit.org/174938@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199803 268f45cc-cd09-0410-ab3c-d52691b4dbfc
geoffreygaren committed Apr 21, 2016
1 parent 08ca506 commit 4ee24a314d410fca4cefad8eb519a2dd9c7bc057
Showing 4 changed files with 30 additions and 6 deletions.
@@ -1,3 +1,17 @@
2016-04-20 Geoffrey Garen <ggaren@apple.com>

JavaScriptCore garbage collection is missing an autorelease pool
https://bugs.webkit.org/show_bug.cgi?id=156751
<rdar://problem/25787802>

Reviewed by Mark Lam.

* heap/Heap.cpp:
(JSC::Heap::releaseDelayedReleasedObjects): Add an autorelease pool to
catch autoreleases when we call out to arbitrary ObjC code.

We use the C interface here because this is not an ObjC compilation unit.

2016-04-20 Filip Pizlo <fpizlo@apple.com>

DFG del_by_id support forgets to set()
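Review bot: the ChangeLog entry lists only heap/Heap.cpp, but the commit touches four files and also narrows the guards around the delayed-release machinery from `#if USE(CF)` to `#if USE(FOUNDATION)` in Heap.cpp, Heap.h and HeapInlines.h; add those files to the entry and a sentence on why the guard changed, so a reader of the log knows the behaviour change is not limited to `releaseDelayedReleasedObjects`.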
@@ -58,6 +58,13 @@
#include <wtf/ProcessID.h>
#include <wtf/RAMSize.h>

#if __has_include(<objc/objc-internal.h>)
#include <objc/objc-internal.h>
#else
extern "C" void* objc_autoreleasePoolPush(void);
extern "C" void objc_autoreleasePoolPop(void *context);
#endif

using namespace std;

namespace JSC {
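Review bot: `#if __has_include(<objc/objc-internal.h>)` at the top of this hunk is used without first testing that the compiler provides `__has_include`, so on a toolchain that lacks it the directive fails to preprocess instead of falling through to the `extern "C"` declarations; the portable idiom is to nest the test (`#ifdef __has_include` / `#if __has_include(<objc/objc-internal.h>)`), or to place the whole block under `#if USE(FOUNDATION)`, which is the only configuration that calls `objc_autoreleasePoolPush` and `objc_autoreleasePoolPop` below. The fallback prototypes should also match the runtime's own declarations exactly so that a later include of the real header in the same unit does not produce a conflicting-declaration error.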
@@ -355,7 +362,7 @@ Heap::Heap(VM* vm, HeapType heapType)
, m_sweeper(std::make_unique<IncrementalSweeper>(this))
#endif
, m_deferralDepth(0)
#if USE(CF)
#if USE(FOUNDATION)
, m_delayedReleaseRecursionCount(0)
#endif
, m_helperClient(&heapHelperPool())
@@ -393,7 +400,7 @@ void Heap::lastChanceToFinalize()

void Heap::releaseDelayedReleasedObjects()
{
#if USE(CF)
#if USE(FOUNDATION)
// We need to guard against the case that releasing an object can create more objects due to the
// release calling into JS. When those JS call(s) exit and all locks are being dropped we end up
// back here and could try to recursively release objects. We guard that with a recursive entry
@@ -411,7 +418,9 @@ void Heap::releaseDelayedReleasedObjects()
// We need to drop locks before calling out to arbitrary code.
JSLock::DropAllLocks dropAllLocks(m_vm);

void* context = objc_autoreleasePoolPush();
objectsToRelease.clear();
objc_autoreleasePoolPop(context);
}
}
}
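Review bot: the `objc_autoreleasePoolPush()` / `objc_autoreleasePoolPop(context)` pair around `objectsToRelease.clear()` is not scoped, so any future early exit between the two calls would leave the pool pushed; a small RAII holder whose destructor pops the saved context makes the pop unconditional by construction rather than by inspection. Also worth a one-line comment is the ordering this hunk relies on: the pop runs before `dropAllLocks` goes out of scope, so objects drained from the pool are released while the JSLock is still dropped, which is what the comment at the top of the function requires; a later refactor that moves the pop after the locks are reacquired would silently reintroduce the reentrancy problem.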
@@ -236,8 +236,8 @@ class Heap {

CodeBlockSet& codeBlockSet() { return m_codeBlocks; }

#if USE(CF)
template<typename T> void releaseSoon(RetainPtr<T>&&);
#if USE(FOUNDATION)
template<typename T> void releaseSoon(RetainPtr<T>&&);
#endif

static bool isZombified(JSCell* cell) { return *(void**)cell == zombifiedBits; }
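Review bot: narrowing the `releaseSoon` declaration from `#if USE(CF)` to `#if USE(FOUNDATION)` changes the class's interface for any port that has CF without Foundation: a caller compiled in that configuration would now fail with an undeclared-member error. Confirm that every `releaseSoon` call site, the definition guard in HeapInlines.h, and the member guard around `m_delayedReleaseObjects` and `m_delayedReleaseRecursionCount` are all under the same `USE(FOUNDATION)` condition, and record the guard change in the ChangeLog.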
@@ -435,7 +435,8 @@ class Heap {
Vector<DFG::Worklist*> m_suspendedCompilerWorklists;

std::unique_ptr<HeapVerifier> m_verifier;
#if USE(CF)

#if USE(FOUNDATION)
Vector<RetainPtr<CFTypeRef>> m_delayedReleaseObjects;
unsigned m_delayedReleaseRecursionCount;
#endif
@@ -256,7 +256,7 @@ inline void Heap::ascribeOwner(JSCell* intendedOwner, void* storage)
#endif
}

#if USE(CF)
#if USE(FOUNDATION)
template <typename T>
inline void Heap::releaseSoon(RetainPtr<T>&& object)
{
