Context Navigation

← Previous Changeset
Next Changeset →

Changeset 116575 in webkit

Timestamp:

May 9, 2012 4:56:05 PM (12 years ago)

Author:

barraclough@apple.com

Message:

GC race condition in OpaqueJSClass::prototype
https://bugs.webkit.org/show_bug.cgi?id=86034

Reviewed by Filip Pizlo.

The bug here is basically:

if (weakref) weakref->method()

where a GC may occur between the if & the method call.

API/JSClassRef.cpp:

(OpaqueJSClass::prototype):

Location:

trunk/Source/JavaScriptCore

Files:

: 2 edited

API/JSClassRef.cpp (modified) (1 diff)
ChangeLog (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/API/JSClassRef.cpp

-                      r115545
+                      r116575
     OpaqueJSClassContextData& jsClassData = contextData(exec);
+    if (!jsClassData.cachedPrototype) {
+        // Recursive, but should be good enough for our purposes
+        jsClassData.cachedPrototype = PassWeak<JSObject>(JSCallbackObject<JSNonFinalObject>::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->callbackObjectStructure(), prototypeClass, &jsClassData), 0); // set jsClassData as the object's private data, so it can clear our reference on destruction
+        if (parentClass) {
+            if (JSObject* prototype = parentClass->prototype(exec))
+                jsClassData.cachedPrototype->setPrototype(exec->globalData(), prototype);
+        }
+    }
+    return jsClassData.cachedPrototype.get();
+}
+    if (JSObject* prototype = jsClassData.cachedPrototype.get())
+        return prototype;
+    // Recursive, but should be good enough for our purposes
+    prototype = JSCallbackObject<JSNonFinalObject>::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->callbackObjectStructure(), prototypeClass, &jsClassData); // set jsClassData as the object's private data, so it can clear our reference on destruction
+    if (parentClass) {
+        if (JSObject* parentPrototype = parentClass->prototype(exec))
+            prototype->setPrototype(exec->globalData(), parentPrototype);
+    }
+    jsClassData.cachedPrototype = PassWeak<JSObject>(prototype, 0);
+    return prototype;
+}

trunk/Source/JavaScriptCore/ChangeLog

-                      r116565
+                      r116575
+-05-09  Gavin Barraclough  <barraclough@apple.com>
+        GC race condition in OpaqueJSClass::prototype
+        https://bugs.webkit.org/show_bug.cgi?id=86034
+        Reviewed by Filip Pizlo.
+        The bug here is basically:
+            if (weakref) weakref->method()
+        where a GC may occur between the if & the method call.
+        * API/JSClassRef.cpp:
+        (OpaqueJSClass::prototype):
 -05-09  Mark Hahnenberg  <mhahnenberg@apple.com>

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 116575 in webkit

Legend:

trunk/Source/JavaScriptCore/API/JSClassRef.cpp

trunk/Source/JavaScriptCore/ChangeLog

Download in other formats: