Title: [90273] trunk/Source/_javascript_Core
- Revision: 90273
- Author: [email protected]
- Date: 2011-07-01 13:45:52 -0700 (Fri, 01 Jul 2011)
Log Message
2011-07-01 Oliver Hunt <[email protected]>
GC sweep can occur before an object is completely initialised
https://bugs.webkit.org/show_bug.cgi?id=63836
Reviewed by Gavin Barraclough.
In rare cases it's possible for a GC sweep to occur while a
live, but not completely initialised object is on the stack.
In such a case we may incorrectly choose to mark it, even
though it has no children that need marking.
We resolve this by always zeroing out the structure of any
value returned from JSCell::operator new(), and making the
markstack tolerant of a null structure.
* runtime/JSCell.h:
(JSC::JSCell::JSCell::~JSCell):
(JSC::JSCell::JSCell::operator new):
* runtime/Structure.h:
(JSC::MarkStack::internalAppend):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (90272 => 90273)
--- trunk/Source/_javascript_Core/ChangeLog 2011-07-01 20:42:08 UTC (rev 90272)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-07-01 20:45:52 UTC (rev 90273)
@@ -1,3 +1,25 @@
+2011-07-01 Oliver Hunt <[email protected]>
+
+ GC sweep can occur before an object is completely initialised
+ https://bugs.webkit.org/show_bug.cgi?id=63836
+
+ Reviewed by Gavin Barraclough.
+
+ In rare cases it's possible for a GC sweep to occur while a
+ live, but not completely initialised object is on the stack.
+ In such a case we may incorrectly choose to mark it, even
+ though it has no children that need marking.
+
+ We resolve this by always zeroing out the structure of any
+ value returned from JSCell::operator new(), and making the
+ markstack tolerant of a null structure.
+
+ * runtime/JSCell.h:
+ (JSC::JSCell::JSCell::~JSCell):
+ (JSC::JSCell::JSCell::operator new):
+ * runtime/Structure.h:
+ (JSC::MarkStack::internalAppend):
+
2011-07-01 Filip Pizlo <[email protected]>
Reviewed by Gavin Barraclough.
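Review bot: the function list in the new ChangeLog entry doubles the class qualifier, `(JSC::JSCell::JSCell::~JSCell)` and `(JSC::JSCell::JSCell::operator new)`, where the other entries on the page use the `JSC::Class::member` form; `(JSC::JSCell::~JSCell)` and `(JSC::JSCell::operator new)` would match the functions actually touched in runtime/JSCell.h. It would also help a later reader if the entry said that the destructor clear is compiled only under `ENABLE(GC_VALIDATION)`, since the prose reads as though the structure is zeroed on both allocation and destruction in every build.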
Modified: trunk/Source/_javascript_Core/runtime/JSCell.h (90272 => 90273)
--- trunk/Source/_javascript_Core/runtime/JSCell.h 2011-07-01 20:42:08 UTC (rev 90272)
+++ trunk/Source/_javascript_Core/runtime/JSCell.h 2011-07-01 20:45:52 UTC (rev 90273)
@@ -186,6 +186,9 @@
inline JSCell::~JSCell()
{
+#if ENABLE(GC_VALIDATION)
+ m_structure.clear();
+#endif
}
inline Structure* JSCell::structure() const
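Review bot: the `m_structure.clear()` added to `~JSCell` is guarded by `#if ENABLE(GC_VALIDATION)`, so in release builds a destructed cell keeps its stale structure pointer; this is fine as a debugging aid, but the build flag is the only thing that distinguishes it from the unconditional clear in `operator new` below, and a one-line comment saying why the destructor-side clear is validation-only (it exists to make a marked-after-destruction cell fail loudly, not to fix the bug in the title) would keep someone from "fixing" the asymmetry later.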
@@ -356,12 +359,16 @@
inline void* JSCell::operator new(size_t size, JSGlobalData* globalData)
{
- return globalData->heap.allocate(size);
+ JSCell* result = static_cast<JSCell*>(globalData->heap.allocate(size));
+ result->m_structure.clear();
+ return result;
}
inline void* JSCell::operator new(size_t size, ExecState* exec)
{
- return exec->heap()->allocate(size);
+ JSCell* result = static_cast<JSCell*>(exec->heap()->allocate(size));
+ result->m_structure.clear();
+ return result;
}
inline void destructor(JSCell* cell)
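Review bot: both `operator new` overloads now write through `result->m_structure` before any constructor has run on that memory, and they do so without checking the value returned by `allocate(size)`; if `Heap::allocate` can ever return null (or is changed to), the `clear()` becomes a null dereference at every allocation site rather than a failure the caller can handle, so either an `ASSERT(result)` or a comment stating that `allocate` never returns null belongs here. The two overloads are also now three identical lines apart from the heap they pull from; a small static helper taking the `Heap&` would keep the pre-construction clear in one place, which matters because the correctness of the `MarkStack::internalAppend` change in Structure.h depends on every allocation path performing it.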
Modified: trunk/Source/_javascript_Core/runtime/Structure.h (90272 => 90273)
--- trunk/Source/_javascript_Core/runtime/Structure.h 2011-07-01 20:42:08 UTC (rev 90272)
+++ trunk/Source/_javascript_Core/runtime/Structure.h 2011-07-01 20:45:52 UTC (rev 90273)
@@ -302,7 +302,7 @@
ASSERT(cell);
if (Heap::testAndSetMarked(cell))
return;
- if (cell->structure()->typeInfo().type() >= CompoundType)
+ if (cell->structure() && cell->structure()->typeInfo().type() >= CompoundType)
m_values.append(cell);
}
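Review bot: the new `cell->structure() &&` guard makes a null structure silently mean "no children to visit" for any cell, not only for a cell still under construction. Since `Heap::testAndSetMarked(cell)` has already marked the cell before this check, a fully constructed compound object that somehow reaches here with a null structure would be kept alive while none of its children are pushed, and those children could then be swept while still referenced. An `ASSERT` under `ENABLE(GC_VALIDATION)` that a null structure is only observed for cells that have not finished construction (or at minimum a comment tying this line to the `operator new` change in JSCell.h) would make the invariant explicit and catch a regression in a debug build instead of turning it into a missed mark.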
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes