authorLorry Tar Creator <lorry-tar-importer@lorry>2015-05-20 09:56:07 +0000
committerLorry Tar Creator <lorry-tar-importer@lorry>2015-05-20 09:56:07 +0000
commit41386e9cb918eed93b3f13648cbef387e371e451 (patch)
treea97f9d7bd1d9d091833286085f72da9d83fd0606 /Source/JavaScriptCore/heap/HandleSet.cpp
parente15dd966d523731101f70ccf768bba12435a0208 (diff)
downloadWebKitGtk-tarball-41386e9cb918eed93b3f13648cbef387e371e451.tar.gz
webkitgtk-2.4.9webkitgtk-2.4.9
Diffstat (limited to 'Source/JavaScriptCore/heap/HandleSet.cpp')
-rw-r--r--Source/JavaScriptCore/heap/HandleSet.cpp11
1 files changed, 8 insertions, 3 deletions
diff --git a/Source/JavaScriptCore/heap/HandleSet.cpp b/Source/JavaScriptCore/heap/HandleSet.cpp
index dec8370eb..fdb554448 100644
--- a/Source/JavaScriptCore/heap/HandleSet.cpp
+++ b/Source/JavaScriptCore/heap/HandleSet.cpp
@@ -30,13 +30,14 @@
#include "HandleBlockInlines.h"
#include "HeapRootVisitor.h"
#include "JSObject.h"
-#include "JSCInlines.h"
+#include "Operations.h"
#include <wtf/DataLog.h>
namespace JSC {
HandleSet::HandleSet(VM* vm)
: m_vm(vm)
+ , m_nextToFinalize(0)
{
grow();
}
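Review bot: The added `, m_nextToFinalize(0)` initializer is load-bearing for the `RELEASE_ASSERT(!m_nextToFinalize)` that the same commit adds to `writeBarrier`, but nothing at the initializer says so. If the member is a pointer (its declaration is not part of this diff), I would spell it `, m_nextToFinalize(nullptr)`. I would also document the invariant where the member is declared, for example `// Non-null only while finalization is in progress; writeBarrier() asserts on this.` That stops a later refactor from dropping the initializer and leaving the assert to read an indeterminate value.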
@@ -44,12 +45,12 @@ HandleSet::HandleSet(VM* vm)
HandleSet::~HandleSet()
{
while (!m_blockList.isEmpty())
- HandleBlock::destroy(m_blockList.removeHead());
+ m_vm->heap.blockAllocator().deallocate(HandleBlock::destroy(m_blockList.removeHead()));
}
void HandleSet::grow()
{
- HandleBlock* newBlock = HandleBlock::create(this);
+ HandleBlock* newBlock = HandleBlock::create(m_vm->heap.blockAllocator().allocate<HandleBlock>(), this);
m_blockList.append(newBlock);
for (int i = newBlock->nodeCapacity() - 1; i >= 0; --i) {
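Review bot: The destructor loop and `grow()` now both go through `m_vm->heap.blockAllocator()`, so this HandleSet can only be torn down while the VM's heap and its block allocator are still alive, and the hunk does not state that ordering anywhere. If the HandleSet is owned by the VM or the heap (not visible here), a destruction order that retires the allocator first would make `deallocate(...)` run against a dead object. I would put a comment above the `while` loop such as `// Requires m_vm->heap's block allocator to outlive this HandleSet.` In `grow()`, the result of `allocate<HandleBlock>()` is passed straight into `HandleBlock::create`; whether that call can return null is not shown, so it is worth confirming. The body of `grow()` continues past the end of the hunk.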
@@ -72,6 +73,10 @@ void HandleSet::visitStrongHandles(HeapRootVisitor& heapRootVisitor)
void HandleSet::writeBarrier(HandleSlot slot, const JSValue& value)
{
+ // Forbid assignment to handles during the finalization phase, since it would violate many GC invariants.
+ // File a bug with stack trace if you hit this.
+ RELEASE_ASSERT(!m_nextToFinalize);
+
if (!value == !*slot && slot->isCell() == value.isCell())
return;
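Review bot: `RELEASE_ASSERT(!m_nextToFinalize)` treats what appears to be the finalization cursor as the "finalization in progress" flag, so the guard depends entirely on the code that sets and clears that member, none of which is in this hunk. If any exit path from finalization leaves it non-null, every later `writeBarrier` call aborts the process. If it can be null at some point during the phase, the assignment the comment forbids would pass unnoticed. I would extend the comment with `// m_nextToFinalize is non-null only while finalization is iterating and must be reset on every exit path.` and check that against the finalization loop. `writeBarrier` continues after the hunk's last line.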