Changeset 120143 in webkit

Timestamp:

Jun 12, 2012, 5:23:49 PM (13 years ago)

Author:

leo.yang@torchmobile.com.cn

Message:

Dynamic hash table in DOMObjectHashTableMap is wrong in multiple threads
​https://bugs.webkit.org/show_bug.cgi?id=87334

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Add a copy member function to JSC::HasTable. This function will copy all data
members except for *table* which contains thread specific data that prevents
up copying it. When you want to copy a JSC::HashTable that was constructed
on another thread you should call JSC::HashTable::copy().

• runtime/Lookup.h:

(JSC::HashTable::copy):
(HashTable):

Source/WebCore:

Adapt to JSC::HashTable::copy to avoid copy dynamic table member of a HashTable.
The dynamic table may be allocated on other thread and contains thread specific
identifiers. For example, a hash table of JSEntryArray was first initialized on a
worker thread, and then the user reloaded the page, another worker thread is
created due to reload, the dynamic allocated table in *staticTable* is specific
to the first worker thread which has died. If the user reload the page again,
the dynamic table will be freed and memory corruption will occur.

No functionalities changed, no new tests.

• bindings/js/DOMObjectHashTableMap.h:

(WebCore::DOMObjectHashTableMap::get):

Location:

trunk/Source

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/runtime/Lookup.h (modified) (1 diff)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/DOMObjectHashTableMap.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-06-12  Leo Yang  <leo.yang@torchmobile.com.cn>
+
+        Dynamic hash table in DOMObjectHashTableMap is wrong in multiple threads
+        https://bugs.webkit.org/show_bug.cgi?id=87334
+
+        Reviewed by Geoffrey Garen.
+
+        Add a copy member function to JSC::HasTable. This function will copy all data
+        members except for *table* which contains thread specific data that prevents
+        up copying it. When you want to copy a JSC::HashTable that was constructed
+        on another thread you should call JSC::HashTable::copy().
+
+        * runtime/Lookup.h:
+        (JSC::HashTable::copy):
+        (HashTable):
+
 2012-06-12  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/runtime/Lookup.h

@@ -115 +115 @@
         mutable const HashEntry* table; // Table allocated at runtime.
 
+        ALWAYS_INLINE HashTable copy() const
+        {
+            // Don't copy dynamic table since it's thread specific.
+            HashTable result = { compactSize, compactHashSizeMask, values, 0 };
+            return result;
+        }
+
         ALWAYS_INLINE void initializeIfNeeded(JSGlobalData* globalData) const
         {

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-06-12  Leo Yang  <leo.yang@torchmobile.com.cn>
+
+        Dynamic hash table in DOMObjectHashTableMap is wrong in multiple threads
+        https://bugs.webkit.org/show_bug.cgi?id=87334
+
+        Reviewed by Geoffrey Garen.
+
+        Adapt to JSC::HashTable::copy to avoid copy dynamic table member of a HashTable.
+        The dynamic table may be allocated on other thread and contains thread specific
+        identifiers. For example, a hash table of JSEntryArray was first initialized on a
+        worker thread, and then the user reloaded the page, another worker thread is
+        created due to reload, the dynamic allocated table in *staticTable* is specific
+        to the first worker thread which has died. If the user reload the page again,
+        the dynamic table will be freed and memory corruption will occur.
+
+        No functionalities changed, no new tests.
+
+        * bindings/js/DOMObjectHashTableMap.h:
+        (WebCore::DOMObjectHashTableMap::get):
+
 2012-06-12  James Robinson  <jamesr@chromium.org>
 

trunk/Source/WebCore/bindings/js/DOMObjectHashTableMap.h

@@ -48 +48 @@
         if (iter != m_map.end())
             return &iter->second;
-        return &m_map.set(staticTable, JSC::HashTable(*staticTable)).iterator->second;
+        return &m_map.set(staticTable, staticTable->copy()).iterator->second;
     }