Changeset 216246 in webkit

Timestamp:

May 5, 2017, 9:14:49 AM (8 years ago)

Author:

mark.lam@apple.com

Message:

DRT's setAudioResultCallback() and IDBRequest::setResult() need to acquire the JSLock.
​https://bugs.webkit.org/show_bug.cgi?id=171716
<rdar://problem/30878027>

Reviewed by Saam Barati.

Source/WebCore:

No new tests. This issue was caught by existing tests.

IDBRequest::setResult() needs to acquire the JSLock before calling toJS() (which
does JS conversion and therefore, potentially JS allocations).

• Modules/indexeddb/IDBRequest.cpp:

(WebCore::IDBRequest::setResult):
(WebCore::IDBRequest::setResultToStructuredClone):

Tools:

setAudioResultCallback() needs to acquire the JSLock before calling toJS() (which
does JS conversion and therefore, potentially JS allocations) and accessing
methods of internal JS data structures (which may do JS invocation, etc).

• DumpRenderTree/TestRunner.cpp:

(setAudioResultCallback):

Location:

trunk

Files:

• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/Modules/indexeddb/IDBRequest.cpp (modified) (5 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/DumpRenderTree/TestRunner.cpp (modified) (1 diff)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-05-04  Mark Lam  <mark.lam@apple.com>
+
+        DRT's setAudioResultCallback() and IDBRequest::setResult() need to acquire the JSLock.
+        https://bugs.webkit.org/show_bug.cgi?id=171716
+        <rdar://problem/30878027>
+
+        Reviewed by Saam Barati.
+
+        No new tests.  This issue was caught by existing tests.
+
+        IDBRequest::setResult() needs to acquire the JSLock before calling toJS() (which
+        does JS conversion and therefore, potentially JS allocations).
+
+        * Modules/indexeddb/IDBRequest.cpp:
+        (WebCore::IDBRequest::setResult):
+        (WebCore::IDBRequest::setResultToStructuredClone):
+
 2017-05-05  Carlos Garcia Campos  <cgarcia@igalia.com>
 

trunk/Source/WebCore/Modules/indexeddb/IDBRequest.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2015, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -371 +371 @@
     // FIXME: This conversion should be done lazily, when script needs the JSValues, so that global object
     // of the IDBRequest wrapper can be used, rather than the lexicalGlobalObject.
-    m_result = Result { JSC::Strong<JSC::Unknown> { context->vm(), toJS<IDLIDBKeyData>(*state, *jsCast<JSDOMGlobalObject*>(state->lexicalGlobalObject()), keyData) } };
+    VM& vm = context->vm();
+    JSLockHolder lock(vm);
+    m_result = Result { JSC::Strong<JSC::Unknown> { vm, toJS<IDLIDBKeyData>(*state, *jsCast<JSDOMGlobalObject*>(state->lexicalGlobalObject()), keyData) } };
 }
 
@@ -388 +390 @@
     // FIXME: This conversion should be done lazily, when script needs the JSValues, so that global object
     // of the IDBRequest wrapper can be used, rather than the lexicalGlobalObject.
-    Locker<JSLock> locker(context->vm().apiLock());
-    m_result = Result { JSC::Strong<JSC::Unknown> { context->vm(), toJS<IDLSequence<IDLIDBKeyData>>(*state, *jsCast<JSDOMGlobalObject*>(state->lexicalGlobalObject()), keyDatas) } };
+    VM& vm = context->vm();
+    JSLockHolder lock(vm);
+    m_result = Result { JSC::Strong<JSC::Unknown> { vm, toJS<IDLSequence<IDLIDBKeyData>>(*state, *jsCast<JSDOMGlobalObject*>(state->lexicalGlobalObject()), keyDatas) } };
 }
 
@@ -406 +409 @@
     // FIXME: This conversion should be done lazily, when script needs the JSValues, so that global object
     // of the IDBRequest wrapper can be used, rather than the lexicalGlobalObject.
-    Locker<JSLock> locker(context->vm().apiLock());
-    m_result = Result { JSC::Strong<JSC::Unknown> { context->vm(), toJS<IDLSequence<IDLIDBValue>>(*state, *jsCast<JSDOMGlobalObject*>(state->lexicalGlobalObject()), values) } };
+    VM& vm = context->vm();
+    JSLockHolder lock(vm);
+    m_result = Result { JSC::Strong<JSC::Unknown> { vm, toJS<IDLSequence<IDLIDBValue>>(*state, *jsCast<JSDOMGlobalObject*>(state->lexicalGlobalObject()), values) } };
 }
 
@@ -437 +441 @@
     // FIXME: This conversion should be done lazily, when script needs the JSValues, so that global object
     // of the IDBRequest wrapper can be used, rather than the lexicalGlobalObject.
-    m_result = Result { JSC::Strong<JSC::Unknown> { context->vm(), toJS<IDLIDBValue>(*state, *jsCast<JSDOMGlobalObject*>(state->lexicalGlobalObject()), value) } };
+    VM& vm = context->vm();
+    JSLockHolder lock(vm);
+    m_result = Result { JSC::Strong<JSC::Unknown> { vm, toJS<IDLIDBValue>(*state, *jsCast<JSDOMGlobalObject*>(state->lexicalGlobalObject()), value) } };
 }
 

trunk/Tools/ChangeLog

@@ +1 @@
+2017-05-04  Mark Lam  <mark.lam@apple.com>
+
+        DRT's setAudioResultCallback() and IDBRequest::setResult() need to acquire the JSLock.
+        https://bugs.webkit.org/show_bug.cgi?id=171716
+        <rdar://problem/30878027>
+
+        Reviewed by Saam Barati.
+
+        setAudioResultCallback() needs to acquire the JSLock before calling toJS() (which
+        does JS conversion and therefore, potentially JS allocations) and accessing
+        methods of internal JS data structures (which may do JS invocation, etc).
+
+        * DumpRenderTree/TestRunner.cpp:
+        (setAudioResultCallback):
+
 2017-05-05  Jonathan Bedard  <jbedard@apple.com>
 

trunk/Tools/DumpRenderTree/TestRunner.cpp

@@ -348 +348 @@
 
     // FIXME (123058): Use a JSC API to get buffer contents once such is exposed.
-    JSC::JSArrayBufferView* jsBufferView = JSC::jsDynamicCast<JSC::JSArrayBufferView*>(toJS(context)->vm(), toJS(toJS(context), arguments[0]));
+    JSC::VM& vm = toJS(context)->vm();
+    JSC::JSLockHolder lock(vm);
+
+    JSC::JSArrayBufferView* jsBufferView = JSC::jsDynamicCast<JSC::JSArrayBufferView*>(vm, toJS(toJS(context), arguments[0]));
     ASSERT(jsBufferView);
     RefPtr<JSC::ArrayBufferView> bufferView = jsBufferView->unsharedImpl();