Changeset 106185 in webkit

Timestamp:

Jan 28, 2012 2:18:32 AM (12 years ago)

Author:

fpizlo@apple.com

Message:

GC invoked while doing an old JIT property storage reallocation may lead
to an object that refers to a dead structure
​https://bugs.webkit.org/show_bug.cgi?id=77273
<rdar://problem/10770565>

Reviewed by Gavin Barraclough.

The put_by_id transition was already saving the old structure by virtue of
having the object on the stack, so that wasn't going to get deleted. But the
new structure was unprotected in the transition. I've now changed the
transition code to save the new structure, ensuring that the GC will know it
to be marked if invoked from within put_by_id_transition_realloc.

• jit/JITPropertyAccess.cpp:

(JSC::JIT::privateCompilePutByIdTransition):

• jit/JITPropertyAccess32_64.cpp:

(JSC::JIT::privateCompilePutByIdTransition):

• jit/JITStubs.cpp:

(JSC::DEFINE_STUB_FUNCTION):

• jit/JITStubs.h:

(JSC):
():

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• jit/JITPropertyAccess.cpp (modified) (1 diff)
• jit/JITPropertyAccess32_64.cpp (modified) (1 diff)
• jit/JITStubs.cpp (modified) (1 diff)
• jit/JITStubs.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-01-28  Filip Pizlo  <fpizlo@apple.com>
+
+        GC invoked while doing an old JIT property storage reallocation may lead
+        to an object that refers to a dead structure
+        https://bugs.webkit.org/show_bug.cgi?id=77273
+        <rdar://problem/10770565>
+
+        Reviewed by Gavin Barraclough.
+        
+        The put_by_id transition was already saving the old structure by virtue of
+        having the object on the stack, so that wasn't going to get deleted. But the
+        new structure was unprotected in the transition. I've now changed the
+        transition code to save the new structure, ensuring that the GC will know it
+        to be marked if invoked from within put_by_id_transition_realloc.
+
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::privateCompilePutByIdTransition):
+        * jit/JITPropertyAccess32_64.cpp:
+        (JSC::JIT::privateCompilePutByIdTransition):
+        * jit/JITStubs.cpp:
+        (JSC::DEFINE_STUB_FUNCTION):
+        * jit/JITStubs.h:
+        (JSC):
+        ():
+
 2012-01-27  Sheriff Bot  <webkit.review.bot@gmail.com>
 

trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp

@@ -549 +549 @@
         stubCall.skipArgument(); // value
         stubCall.addArgument(TrustedImm32(oldStructure->propertyStorageCapacity()));
-        stubCall.addArgument(TrustedImm32(newStructure->propertyStorageCapacity()));
+        stubCall.addArgument(TrustedImmPtr(newStructure));
         stubCall.call(regT0);
         emitGetJITStubArg(2, regT1);

trunk/Source/JavaScriptCore/jit/JITPropertyAccess32_64.cpp

@@ -518 +518 @@
         stubCall.skipArgument(); // value
         stubCall.addArgument(TrustedImm32(oldStructure->propertyStorageCapacity()));
-        stubCall.addArgument(TrustedImm32(newStructure->propertyStorageCapacity()));
+        stubCall.addArgument(TrustedImmPtr(newStructure));
         stubCall.call(regT0);
 

trunk/Source/JavaScriptCore/jit/JITStubs.cpp

@@ -1491 +1491 @@
     JSValue baseValue = stackFrame.args[0].jsValue();
     int32_t oldSize = stackFrame.args[3].int32();
-    int32_t newSize = stackFrame.args[4].int32();
+    Structure* newStructure = stackFrame.args[4].structure();
+    int32_t newSize = newStructure->propertyStorageCapacity();
 
     ASSERT(baseValue.isObject());

trunk/Source/JavaScriptCore/jit/JITStubs.h

@@ -60 +60 @@
     class RegisterFile;
     class RegExp;
+    class Structure;
 
     template <typename T> class Weak;
@@ -79 +80 @@
         JSGlobalObject* globalObject() { return static_cast<JSGlobalObject*>(asPointer); }
         JSString* jsString() { return static_cast<JSString*>(asPointer); }
+        Structure* structure() { return static_cast<Structure*>(asPointer); }
         ReturnAddressPtr returnAddress() { return ReturnAddressPtr(asPointer); }
     };