Title: [119624] trunk/Source/WebCore
Revision
119624
Author
[email protected]
Date
2012-06-06 15:28:54 -0700 (Wed, 06 Jun 2012)

Log Message

Worker tear-down can re-enter JSC during GC finalization
https://bugs.webkit.org/show_bug.cgi?id=88449

Reviewed by Geoffrey Garen.

No new tests. Current regression tests cover these changes.

* workers/AbstractWorker.cpp:
(WebCore::AbstractWorker::~AbstractWorker): We don't need to call onDestroyWorker() here; it
will be called elsewhere in contextDestroyed().
* workers/WorkerMessagingProxy.cpp:
(WebCore::WorkerMessagingProxy::workerObjectDestroyed): We make the call to terminateWorkerContext()
and workerContextDestroyed() asynchronous to avoid entering JSC during GC finalization.
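As an added illustration (not code from this commit or from WebKit), a toy C++ model of the pattern the log message describes: tearing a worker down inline from a GC finalizer re-enters the engine, while posting the tear-down as a task defers it until finalization has finished. The Engine, Proxy and task-queue types here are assumed stand-ins, not WebKit's real classes.

```cpp
#include <cassert>
#include <deque>
#include <functional>

// Stand-in for the JS engine: a finalization phase during which re-entry is forbidden.
struct Engine {
    bool inFinalization = false;
    int reentryAttempts = 0;                      // calls into the engine made while finalizing
    std::deque<std::function<void()>> tasks;      // main-thread task queue (assumed stand-in)

    // Anything that touches JS state (e.g. an Inspector update) goes through here.
    void runScriptHook() { if (inFinalization) ++reentryAttempts; }

    // Run one wrapper finalizer with the "finalizing" flag set, as a GC sweep would.
    void finalize(const std::function<void()>& finalizer) {
        inFinalization = true;
        finalizer();
        inFinalization = false;
    }
    void drainTasks() {
        while (!tasks.empty()) { auto t = std::move(tasks.front()); tasks.pop_front(); t(); }
    }
};

// Stand-in for the messaging proxy: tearing down the context notifies the engine.
struct Proxy {
    Engine& engine;
    bool destroyed = false;
    explicit Proxy(Engine& e) : engine(e) {}
    void workerContextDestroyedInternal() { engine.runScriptHook(); destroyed = true; }
    // "Before": tear down synchronously from inside the wrapper's finalizer.
    void workerObjectDestroyedSync() { workerContextDestroyedInternal(); }
    // "After": post the tear-down as a task so it runs once finalization is over.
    void workerObjectDestroyedAsync() {
        engine.tasks.push_back([this] { workerContextDestroyedInternal(); });
    }
};

// Each helper returns how many re-entry attempts the engine observed.
int reentriesWhenSync() {
    Engine engine; Proxy proxy(engine);
    engine.finalize([&] { proxy.workerObjectDestroyedSync(); });
    engine.drainTasks();
    return engine.reentryAttempts;   // 1: the finalizer re-entered the engine
}
int reentriesWhenAsync() {
    Engine engine; Proxy proxy(engine);
    engine.finalize([&] { proxy.workerObjectDestroyedAsync(); });
    engine.drainTasks();             // tear-down runs here, outside finalization
    assert(proxy.destroyed);
    return engine.reentryAttempts;   // 0
}
```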

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (119623 => 119624)


--- trunk/Source/WebCore/ChangeLog	2012-06-06 22:09:44 UTC (rev 119623)
+++ trunk/Source/WebCore/ChangeLog	2012-06-06 22:28:54 UTC (rev 119624)
@@ -1,3 +1,19 @@
+2012-06-06  Mark Hahnenberg  <[email protected]>
+
+        Worker tear-down can re-enter JSC during GC finalization
+        https://bugs.webkit.org/show_bug.cgi?id=88449
+
+        Reviewed by Geoffrey Garen.
+
+        No new tests. Current regression tests cover these changes.
+
+        * workers/AbstractWorker.cpp: 
+        (WebCore::AbstractWorker::~AbstractWorker): We don't need to call onDestroyWorker() here, it 
+        will be called elsewhere in contextDestroyed().
+        * workers/WorkerMessagingProxy.cpp:
+        (WebCore::WorkerMessagingProxy::workerObjectDestroyed): We make the call to terminateWorkerContext()
+        and workerContextDestroyed() asynchronous to avoid entering JSC during GC finalization.
+
 2012-06-06  Tony Chang  <[email protected]>
 
         webkit crashes on debug builds when running IETC flexbox-ordinal-group-001.htm
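Review bot: the function names in the WorkerMessagingProxy::workerObjectDestroyed entry do not match the code change. The patch replaces terminateWorkerContext() with workerContextClosed() and workerContextDestroyedInternal() with workerContextDestroyed(), so the entry should name those, e.g. "We call workerContextClosed() / workerContextDestroyed() instead of terminateWorkerContext() / workerContextDestroyedInternal() so the work happens asynchronously." The trailing whitespace after "AbstractWorker.cpp:" and after "here, it" should also be stripped.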

Modified: trunk/Source/WebCore/workers/AbstractWorker.cpp (119623 => 119624)


--- trunk/Source/WebCore/workers/AbstractWorker.cpp	2012-06-06 22:09:44 UTC (rev 119623)
+++ trunk/Source/WebCore/workers/AbstractWorker.cpp	2012-06-06 22:28:54 UTC (rev 119624)
@@ -53,7 +53,6 @@
 
 AbstractWorker::~AbstractWorker()
 {
-    onDestroyWorker();
 }
 
 void AbstractWorker::onDestroyWorker()
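Review bot: the destructor is left empty with nothing pointing to where onDestroyWorker() is now invoked; a one-line comment such as "// onDestroyWorker() is called from contextDestroyed()." would stop the next reader from treating the missing call as a regression. Nothing in this hunk shows that every AbstractWorker reaches contextDestroyed() before it is destroyed, so stating where that guarantee comes from (in the comment or the ChangeLog) would help.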

Modified: trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp (119623 => 119624)


--- trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp	2012-06-06 22:09:44 UTC (rev 119623)
+++ trunk/Source/WebCore/workers/WorkerMessagingProxy.cpp	2012-06-06 22:28:54 UTC (rev 119624)
@@ -354,10 +354,12 @@
 void WorkerMessagingProxy::workerObjectDestroyed()
 {
     m_workerObject = 0;
+    // These tasks must be done asynchronously because this function is called during finalization 
+    // of JS wrappers for Workers and can cause re-entry in JS due to updating the Inspector.
     if (m_workerThread)
-        terminateWorkerContext();
+        workerContextClosed();
     else
-        workerContextDestroyedInternal();
+        workerContextDestroyed();
 }
 
 #if ENABLE(INSPECTOR)
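Review bot: the new comment claims the work is now done asynchronously, but the hunk only swaps the callees; nothing visible shows that workerContextClosed() and workerContextDestroyed() post a task rather than running inline. Name the mechanism in the comment, e.g. "workerContextClosed() and workerContextDestroyed() post the real work as main-thread tasks", so the asynchrony can be verified at the call site. Also strip the trailing whitespace after "finalization" on the first comment line.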
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
