Title: [248337] trunk/Source/JavaScriptCore
Revision: 248337
Author: ysuz...@apple.com
Date: 2019-08-06 19:48:07 -0700 (Tue, 06 Aug 2019)

Log Message

[JSC] sampling-profiler can see garbage Wasm::Callee* pointer which is HashTable deleted / empty values
https://bugs.webkit.org/show_bug.cgi?id=200494

Reviewed by Saam Barati.

The sampling-profiler can see a garbage pointer which looks like a Wasm::Callee*. This can be filtered by HashSet<Callee*>.
But this is safe only when the garbage pointer is not a deleted / empty value. We saw occasional crashes with JetStream2/tsf-wasm.
This patch filters out these values with `HashSet<Callee*>::isValidValue`.

* wasm/WasmCalleeRegistry.h:
(JSC::Wasm::CalleeRegistry::isValidCallee):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/wasm/WasmCalleeRegistry.h

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (248336 => 248337)


--- trunk/Source/_javascript_Core/ChangeLog	2019-08-07 01:44:55 UTC (rev 248336)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-08-07 02:48:07 UTC (rev 248337)
@@ -1,3 +1,17 @@
+2019-08-06  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] sampling-profiler can see garbage Wasm::Callee* pointer which is HashTable deleted / empty values
+        https://bugs.webkit.org/show_bug.cgi?id=200494
+
+        Reviewed by Saam Barati.
+
+        The sampling-profiler can see a garbage pointer which is like Wasm::Callee*. This can be filtered by HashSet<Callee*>.
+        But this is safe only when the garbage pointer is not deleted / empty values. We saw occasional crash with JetStream2/tsf-wasm.
+        This patch filters out these values with `HashSet<Callee*>::isValidValue`.
+
+        * wasm/WasmCalleeRegistry.h:
+        (JSC::Wasm::CalleeRegistry::isValidCallee):
+
 2019-08-06  Commit Queue  <commit-qu...@webkit.org>
 
         Unreviewed, rolling out r248289.
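Review bot: The ChangeLog entry says the new check "filters out these values" but never states which values those are; since the bug title is the only place the HashTable empty / deleted sentinels are named, consider spelling out in the entry that `isValidValue` rejects exactly the empty and deleted sentinel values that a HashSet<Callee*> lookup must never be asked about, so a reader of the ChangeLog alone understands why the pre-check is needed.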

Modified: trunk/Source/_javascript_Core/wasm/WasmCalleeRegistry.h (248336 => 248337)


--- trunk/Source/_javascript_Core/wasm/WasmCalleeRegistry.h	2019-08-07 01:44:55 UTC (rev 248336)
+++ trunk/Source/_javascript_Core/wasm/WasmCalleeRegistry.h	2019-08-07 02:48:07 UTC (rev 248337)
@@ -62,6 +62,8 @@
 
     bool isValidCallee(const AbstractLocker&, Callee* callee)
     {
+        if (!HashSet<Callee*>::isValidValue(callee))
+            return false;
         return m_calleeSet.contains(callee);
     }
 
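Review bot: The new `isValidValue` check in `isValidCallee` has no comment explaining why a plain `m_calleeSet.contains(callee)` was not enough; a short comment noting that the sampling-profiler may pass in an arbitrary stale pointer, and that the HashTable empty / deleted sentinel values must be rejected before any HashSet lookup, would save the next reader a trip to the bug report. Also note that `HashSet<Callee*>::isValidValue` is a static check on the pointer value alone and does not depend on the `AbstractLocker&` argument, so callers could perform it before taking the lock if the profiler's locked section ever becomes a concern; the ordering inside this function is fine as written.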
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
