Title: [248337] trunk/Source/_javascript_Core
- Revision
- 248337
- Author
- ysuz...@apple.com
- Date
- 2019-08-06 19:48:07 -0700 (Tue, 06 Aug 2019)
Log Message
[JSC] sampling-profiler can see garbage Wasm::Callee* pointer which is HashTable deleted / empty values
https://bugs.webkit.org/show_bug.cgi?id=200494
Reviewed by Saam Barati.
The sampling-profiler can see a garbage pointer which is like a Wasm::Callee*. This can be filtered by HashSet<Callee*>.
But this is safe only when the garbage pointer is not a deleted / empty value. We saw an occasional crash with JetStream2/tsf-wasm.
This patch filters out these values with `HashSet<Callee*>::isValidValue`.
* wasm/WasmCalleeRegistry.h:
(JSC::Wasm::CalleeRegistry::isValidCallee):
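The hazard the log message describes, as an added example that is not WebKit's code: a tiny open-addressed pointer set stands in for WTF's HashSet, with the sentinel values assumed to follow WTF's HashTraits for pointers (nullptr marks an empty slot, all-ones marks a deleted slot). The names `PtrSet`, `containsUnchecked`, `runScenario` and `Outcome` are hypothetical; `isValidCallee` mirrors the shape of the patched JSC function. The point it shows is that an unguarded lookup of the empty sentinel answers "present" for a value that is not a Callee at all, which is exactly the false positive the `isValidValue` check in front of `contains` prevents.

```cpp
// Added example, not WebKit's code: a small model of the hazard r248337 guards
// against. The sampling profiler can hand the registry a word that is supposed
// to be a Wasm::Callee* but is garbage, including the two sentinel values an
// open-addressed pointer table reserves for "empty" and "deleted" slots.
#include <cstdint>
#include <cstdio>
#include <mutex>

struct Callee { int id; };

// Sentinel values for pointer keys. Assumption, modelled on WTF's
// HashTraits<T*>: nullptr marks an empty slot, all-ones marks a deleted slot.
inline Callee* emptyValue()   { return nullptr; }
inline Callee* deletedValue() { return reinterpret_cast<Callee*>(~uintptr_t(0)); }
inline bool isValidValue(Callee* p) { return p != emptyValue() && p != deletedValue(); }

// Minimal open-addressed set of Callee*. Keys are only compared, never
// dereferenced, so any non-sentinel value is safe to look up.
class PtrSet {
public:
    PtrSet() { for (Callee*& s : m_slots) s = emptyValue(); }

    void add(Callee* p) {
        for (size_t i = slotFor(p), n = 0; n < kCapacity; ++n, i = next(i)) {
            if (m_slots[i] == p) return;
            if (!isValidValue(m_slots[i])) { m_slots[i] = p; return; }  // empty or tombstone
        }
    }
    void remove(Callee* p) {
        for (size_t i = slotFor(p), n = 0; n < kCapacity; ++n, i = next(i)) {
            if (m_slots[i] == p) { m_slots[i] = deletedValue(); return; }
            if (m_slots[i] == emptyValue()) return;
        }
    }
    // Lookup WITHOUT a sentinel guard: with p == nullptr the first empty slot
    // compares equal, so a garbage key is reported as present.
    bool containsUnchecked(Callee* p) const {
        for (size_t i = slotFor(p), n = 0; n < kCapacity; ++n, i = next(i)) {
            if (m_slots[i] == p) return true;
            if (m_slots[i] == emptyValue()) return false;
        }
        return false;
    }
private:
    static constexpr size_t kCapacity = 64;  // power of two, demo size
    static size_t slotFor(Callee* p) { return (reinterpret_cast<uintptr_t>(p) >> 4) & (kCapacity - 1); }
    static size_t next(size_t i) { return (i + 1) & (kCapacity - 1); }
    Callee* m_slots[kCapacity];
};

// Mirrors the shape of JSC::Wasm::CalleeRegistry after the patch: the sampled
// value is validated before it is used as a key.
class CalleeRegistry {
public:
    void registerCallee(Callee* c)   { std::lock_guard<std::mutex> lock(m_lock); m_calleeSet.add(c); }
    void unregisterCallee(Callee* c) { std::lock_guard<std::mutex> lock(m_lock); m_calleeSet.remove(c); }

    bool isValidCallee(Callee* candidate) {
        std::lock_guard<std::mutex> lock(m_lock);
        if (!isValidValue(candidate))  // the check r248337 adds
            return false;
        return m_calleeSet.containsUnchecked(candidate);
    }
    // Exposed only to show what the lookup answers with no guard.
    bool containsUnchecked(Callee* candidate) {
        std::lock_guard<std::mutex> lock(m_lock);
        return m_calleeSet.containsUnchecked(candidate);
    }
private:
    std::mutex m_lock;
    PtrSet m_calleeSet;
};

struct Outcome {
    bool uncheckedNull;        // unguarded lookup of the empty sentinel
    bool guardedNull;          // guarded lookup of the empty sentinel
    bool guardedDeleted;       // guarded lookup of the deleted sentinel
    bool guardedLive;          // a registered callee
    bool guardedUnregistered;  // a callee registered, then unregistered
    bool guardedGarbage;       // an arbitrary non-sentinel word
};

// Constructed scenario: one live callee, one unregistered callee, and a few
// "sampled" words that are not Callee* at all.
Outcome runScenario() {
    Callee live{1}, gone{2};
    CalleeRegistry registry;
    registry.registerCallee(&live);
    registry.registerCallee(&gone);
    registry.unregisterCallee(&gone);
    Callee* garbage = reinterpret_cast<Callee*>(uintptr_t(0x1234));  // constructed junk word
    Outcome o;
    o.uncheckedNull       = registry.containsUnchecked(emptyValue());
    o.guardedNull         = registry.isValidCallee(emptyValue());
    o.guardedDeleted      = registry.isValidCallee(deletedValue());
    o.guardedLive         = registry.isValidCallee(&live);
    o.guardedUnregistered = registry.isValidCallee(&gone);
    o.guardedGarbage      = registry.isValidCallee(garbage);
    return o;
}

int main() {
    Outcome o = runScenario();
    std::printf("unguarded lookup of empty sentinel: %s\n", o.uncheckedNull ? "present (false positive)" : "absent");
    std::printf("guarded: null=%d deleted=%d live=%d unregistered=%d garbage=%d\n",
                o.guardedNull, o.guardedDeleted, o.guardedLive, o.guardedUnregistered, o.guardedGarbage);
    return 0;
}
```

Note that the unguarded lookup in the model mirrors release-build behaviour; WTF's table asserts on sentinel keys in debug builds, which is why the symptom showed up as an occasional crash rather than a silent wrong answer.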
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (248336 => 248337)
--- trunk/Source/_javascript_Core/ChangeLog 2019-08-07 01:44:55 UTC (rev 248336)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-08-07 02:48:07 UTC (rev 248337)
@@ -1,3 +1,17 @@
+2019-08-06 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] sampling-profiler can see garbage Wasm::Callee* pointer which is HashTable deleted / empty values
+ https://bugs.webkit.org/show_bug.cgi?id=200494
+
+ Reviewed by Saam Barati.
+
+ The sampling-profiler can see a garbage pointer which is like Wasm::Callee*. This can be filtered by HashSet<Callee*>.
+ But this is safe only when the garbage pointer is not deleted / empty values. We saw occasional crash with JetStream2/tsf-wasm.
+ This patch filters out these values with `HashSet<Callee*>::isValidValue`.
+
+ * wasm/WasmCalleeRegistry.h:
+ (JSC::Wasm::CalleeRegistry::isValidCallee):
+
2019-08-06 Commit Queue <commit-qu...@webkit.org>
Unreviewed, rolling out r248289.
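Review bot: the ChangeLog paragraph says the HashSet filter "is safe only when the garbage pointer is not deleted / empty values" but never names the operation that fails; suggest stating that `m_calleeSet.contains(callee)` is what the guard in WasmCalleeRegistry.h protects, so a reader of the log can connect the JetStream2/tsf-wasm crash to the one-line fix. Minor wording: "a garbage pointer which is like Wasm::Callee*" reads better as "a garbage pointer that looks like a Wasm::Callee*", and "We saw occasional crash" as "We saw an occasional crash".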
Modified: trunk/Source/_javascript_Core/wasm/WasmCalleeRegistry.h (248336 => 248337)
--- trunk/Source/_javascript_Core/wasm/WasmCalleeRegistry.h 2019-08-07 01:44:55 UTC (rev 248336)
+++ trunk/Source/_javascript_Core/wasm/WasmCalleeRegistry.h 2019-08-07 02:48:07 UTC (rev 248337)
@@ -62,6 +62,8 @@
bool isValidCallee(const AbstractLocker&, Callee* callee)
{
+ if (!HashSet<Callee*>::isValidValue(callee))
+ return false;
return m_calleeSet.contains(callee);
}
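Review bot: the new early return in `isValidCallee` carries no comment saying why a HashTable sentinel can reach this function; since the ChangeLog explains that the sampling profiler can hand over a garbage pointer, a one-line comment above `if (!HashSet<Callee*>::isValidValue(callee))` such as "// The sampling profiler may pass a garbage pointer; reject HashSet empty/deleted values before contains()." would keep a future reader from removing the check as redundant. The ordering is right: `isValidValue` runs before `m_calleeSet.contains(callee)`, so the empty and deleted values never reach the table, and any other value is only compared, never dereferenced, by `contains`.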
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes