Changeset 90273 in webkit
Timestamp: Jul 1, 2011 1:45:52 PM
Author: oliver@apple.com
Message:

2011-07-01 Oliver Hunt <oliver@apple.com>

GC sweep can occur before an object is completely initialised
https://bugs.webkit.org/show_bug.cgi?id=63836

Reviewed by Gavin Barraclough.

In rare cases it's possible for a GC sweep to occur while a
live, but not completely initialised object is on the stack.
In such a case we may incorrectly choose to mark it, even
though it has no children that need marking.

We resolve this by always zeroing out the structure of any
value returned from JSCell::operator new(), and making the
markstack tolerant of a null structure.

  • runtime/JSCell.h: (JSC::JSCell::JSCell::~JSCell): (JSC::JSCell::JSCell::operator new):
  • runtime/Structure.h: (JSC::MarkStack::internalAppend):
Location:
trunk/Source/JavaScriptCore
Files:
3 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r90268 r90273  
     12011-07-01  Oliver Hunt  <oliver@apple.com>
     2
     3        GC sweep can occur before an object is completely initialised
     4        https://bugs.webkit.org/show_bug.cgi?id=63836
     5
     6        Reviewed by Gavin Barraclough.
     7
     8        In rare cases it's possible for a GC sweep to occur while a
     9        live, but not completely initialised object is on the stack.
     10        In such a case we may incorrectly choose to mark it, even
     11        though it has no children that need marking.
     12
     13        We resolve this by always zeroing out the structure of any
     14        value returned from JSCell::operator new(), and making the
     15        markstack tolerant of a null structure.
     16
     17        * runtime/JSCell.h:
     18        (JSC::JSCell::JSCell::~JSCell):
     19        (JSC::JSCell::JSCell::operator new):
     20        * runtime/Structure.h:
     21        (JSC::MarkStack::internalAppend):
     22
    1232011-07-01  Filip Pizlo  <fpizlo@apple.com>
    224
  • trunk/Source/JavaScriptCore/runtime/JSCell.h

    r90241 r90273  
    187187    inline JSCell::~JSCell()
    188188    {
     189#if ENABLE(GC_VALIDATION)
     190        m_structure.clear();
     191#endif
    189192    }
    190193
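Review bot: the `m_structure.clear()` added to `~JSCell()` at lines 189-191 is compiled only under `ENABLE(GC_VALIDATION)`, whereas the matching clear added in `operator new` further down is unconditional, and neither the code nor the ChangeLog entry says why the destructor side is validation-only. A one-line comment next to the `#if` stating what the cleared structure is meant to let a validation build detect would keep the next reader from treating the asymmetry as an oversight (or from "fixing" it by making the two consistent in either direction).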
     
    357360    inline void* JSCell::operator new(size_t size, JSGlobalData* globalData)
    358361    {
    359         return globalData->heap.allocate(size);
     362        JSCell* result = static_cast<JSCell*>(globalData->heap.allocate(size));
     363        result->m_structure.clear();
     364        return result;
    360365    }
    361366
    362367    inline void* JSCell::operator new(size_t size, ExecState* exec)
    363368    {
    364         return exec->heap()->allocate(size);
     369        JSCell* result = static_cast<JSCell*>(exec->heap()->allocate(size));
     370        result->m_structure.clear();
     371        return result;
    365372    }
    366373   
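Review bot: the two `operator new` overloads now carry an identical allocate / `result->m_structure.clear()` / `return result` sequence (lines 362-364 and 369-371); hoisting that into one small static helper that both overloads call would stop a future change to cell initialisation from landing on one allocation path and being missed on the other. Separately, `result->m_structure.clear()` at lines 363 and 370 is invoked on memory that no constructor has touched yet, so it is only correct as long as `clear()` is a plain null store that does not read or depend on any prior member state; that assumption is worth stating in a comment at line 363, since it is not obvious from the call site.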
  • trunk/Source/JavaScriptCore/runtime/Structure.h

    r89077 r90273  
    303303        if (Heap::testAndSetMarked(cell))
    304304            return;
    305         if (cell->structure()->typeInfo().type() >= CompoundType)
     305        if (cell->structure() && cell->structure()->typeInfo().type() >= CompoundType)
    306306            m_values.append(cell);
    307307    }
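Review bot: the new `cell->structure() &&` guard at line 305 has no comment explaining when the structure can be null, and nothing in the surrounding lines hints at it, so it reads as defensive noise rather than as the deliberate handling of a partially-initialised cell that the ChangeLog describes. A brief comment that a cell can reach the mark stack after `operator new` has zeroed its structure but before its constructor has run would document the invariant. That comment should also spell out the resulting behaviour: `Heap::testAndSetMarked(cell)` at line 303 still marks such a cell, so it stays alive, and only the `m_values.append(cell)` at line 306 (the push for child traversal) is skipped for it.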