Title: [200839] releases/WebKitGTK/webkit-2.12/Source
- Revision
- 200839
- Author
- [email protected]
- Date
- 2016-05-13 04:36:41 -0700 (Fri, 13 May 2016)
Log Message
Merge r200068 - Heap corruption is detected when destructing JSGlobalObject
https://bugs.webkit.org/show_bug.cgi?id=156831
Patch by Fujii Hironori <[email protected]> on 2016-04-25
Reviewed by Mark Lam.
WebKit uses the CRT static library on Windows. Each copy of the CRT
library has its own heap manager; allocating memory in one CRT
library and passing the pointer across a DLL boundary to be freed
by a different copy of the CRT library is a potential cause of
heap corruption.
Potential Errors Passing CRT Objects Across DLL Boundaries
<https://msdn.microsoft.com/en-us/library/ms235460(v=vs.140).aspx>
JSGlobalObject::createRareDataIfNeeded is inlined but
JSGlobalObject::~JSGlobalObject is not. JSGlobalObjectRareData is
therefore allocated on WebKit.dll's heap but deallocated on
JavaScriptCore.dll's. Adding WTF_MAKE_FAST_ALLOCATED to
JSGlobalObjectRareData ensures its heap consistency. WTF::Lock
also needs WTF_MAKE_FAST_ALLOCATED because it is allocated from
the inlined constructor of JSGlobalObjectRareData.
Source/JavaScriptCore:
Test: fast/dom/insertedIntoDocument-iframe.html
* runtime/JSGlobalObject.h:
Add WTF_MAKE_FAST_ALLOCATED to JSGlobalObjectRareData.
Source/WTF:
* wtf/Lock.h: Add WTF_MAKE_FAST_ALLOCATED.
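As an added example (not code from the WebKit tree, and not the patch author's), the C++ below simulates the mechanism the commit message describes: two per-DLL copies of the CRT, each with its own heap, plus one shared fastMalloc-style allocator. It reproduces the bug's shape, an allocation inlined into WebKit.dll that is freed by code compiled into JavaScriptCore.dll, once with a plain struct and once with a class-scope operator new/delete of the kind WTF_MAKE_FAST_ALLOCATED provides. SimHeap, SIM_MAKE_FAST_ALLOCATED, moduleNew/moduleDelete and the two RareData structs are constructed for this example and are not WebKit APIs.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <new>
#include <type_traits>

// A simulated CRT heap (constructed for this example). Every block carries a
// 16-byte header stamped with the owning heap's id, and a heap refuses to free
// a block it did not hand out. A real per-DLL CRT heap performs no such check:
// the debug CRT may report the mismatch, the release CRT corrupts its metadata.
struct SimHeap {
    const char* name;
    int id;
    std::size_t live;        // blocks this heap allocated and not yet freed
    std::size_t mismatches;  // frees of blocks that belong to another heap

    struct Header { int heapId; int pad[3]; };

    SimHeap(const char* n, int i) : name(n), id(i), live(0), mismatches(0) {}

    void* alloc(std::size_t n) {
        void* raw = std::malloc(sizeof(Header) + n);
        if (!raw) throw std::bad_alloc();
        static_cast<Header*>(raw)->heapId = id;
        ++live;
        return static_cast<Header*>(raw) + 1;
    }

    // Returns false (and leaves the block alone) when `p` came from another heap.
    bool free(void* p) {
        if (!p) return true;
        Header* hdr = static_cast<Header*>(p) - 1;
        if (hdr->heapId != id) { ++mismatches; return false; }
        --live;
        std::free(hdr);
        return true;
    }
};

// The three allocators in play: one static CRT copy per DLL, and fastMalloc,
// a single allocator shared by every module.
static SimHeap g_webkitCrt("WebKit.dll CRT", 1);
static SimHeap g_jscCrt("JavaScriptCore.dll CRT", 2);
static SimHeap g_fastHeap("fastMalloc", 3);

// Stand-in for WTF_MAKE_FAST_ALLOCATED: class-scope operator new/delete that
// always use the shared allocator, so the CRT of whichever DLL runs `new` or
// `delete` no longer matters. Like the real macro it leaves the class in a
// private section, which is why the patch adds `public:` right after it.
#define SIM_MAKE_FAST_ALLOCATED \
public: \
    void* operator new(std::size_t size) { return g_fastHeap.alloc(size); } \
    void operator delete(void* p) { g_fastHeap.free(p); } \
private: \
    typedef int SimFastAllocatedMarker

template <class...> struct MakeVoid { typedef void type; };
template <class... Ts> using VoidT = typename MakeVoid<Ts...>::type;

// True when T supplies its own operator new, as the macro does.
template <class T, class = void> struct HasClassNew : std::false_type {};
template <class T>
struct HasClassNew<T, VoidT<decltype(T::operator new(std::size_t(0)))>> : std::true_type {};

// Emulates `new T` / `delete p` compiled into the module whose CRT is `crt`.
// Which operator new is used is decided at compile time: a class-scope one wins
// regardless of module, otherwise the module's own CRT heap is used.
template <class T>
typename std::enable_if<HasClassNew<T>::value, T*>::type
moduleNew(SimHeap&) { return new T(); }

template <class T>
typename std::enable_if<!HasClassNew<T>::value, T*>::type
moduleNew(SimHeap& crt) { return new (crt.alloc(sizeof(T))) T(); }

template <class T>
typename std::enable_if<HasClassNew<T>::value, bool>::type
moduleDelete(SimHeap&, T* p) { delete p; return true; }

template <class T>
typename std::enable_if<!HasClassNew<T>::value, bool>::type
moduleDelete(SimHeap& crt, T* p) {
    if (!p) return true;
    p->~T();
    return crt.free(p);
}

// The struct before the patch: no allocator override.
struct PlainRareData {
    int profileGroup;
    PlainRareData() : profileGroup(0) {}
};

// The struct after the patch; the macro is the only difference.
struct FastRareData {
    SIM_MAKE_FAST_ALLOCATED;
public:
    int profileGroup;
    FastRareData() : profileGroup(0) {}
};

// The path from the bug: createRareDataIfNeeded() is inlined into WebKit.dll,
// so it allocates with WebKit.dll's CRT; ~JSGlobalObject() is compiled into
// JavaScriptCore.dll, so it frees with JavaScriptCore.dll's CRT. Returns
// whether the free reached the heap that owns the block.
template <class RareData>
bool crossDllRoundTrip() {
    RareData* rare = moduleNew<RareData>(g_webkitCrt);
    rare->profileGroup = 1;
    return moduleDelete(g_jscCrt, rare);
}

int main() {
    bool plain = crossDllRoundTrip<PlainRareData>();
    bool fast = crossDllRoundTrip<FastRareData>();
    std::printf("without the macro: %s (%zu mismatched free on %s)\n",
                plain ? "ok" : "WRONG HEAP", g_jscCrt.mismatches, g_jscCrt.name);
    std::printf("with the macro:    %s (%zu live blocks on %s)\n",
                fast ? "ok" : "WRONG HEAP", g_fastHeap.live, g_fastHeap.name);
    return plain || !fast;
}
```

The rule is transitive, which is why the commit also tags WTF::Lock: anything the inlined JSGlobalObjectRareData constructor allocates is created on WebKit.dll's heap, while its destructor runs from ~JSGlobalObject in JavaScriptCore.dll, so each such type needs its own allocator override (or the allocation site has to be moved out of line).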
Modified Paths
Diff
Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog (200838 => 200839)
--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog 2016-05-13 11:03:45 UTC (rev 200838)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog 2016-05-13 11:36:41 UTC (rev 200839)
@@ -1,3 +1,32 @@
+2016-04-25 Fujii Hironori <[email protected]>
+
+ Heap corruption is detected when destructing JSGlobalObject
+ https://bugs.webkit.org/show_bug.cgi?id=156831
+
+ Reviewed by Mark Lam.
+
+ WebKit uses CRT static library on Windows. Each copy of the CRT
+ library has its own heap manager, allocating memory in one CRT
+ library and passing the pointer across a DLL boundary to be freed
+ by a different copy of the CRT library is a potential cause for
+ heap corruption.
+
+ Potential Errors Passing CRT Objects Across DLL Boundaries
+ <https://msdn.microsoft.com/en-us/library/ms235460(v=vs.140).aspx>
+
+ JSGlobalObject::createRareDataIfNeeded is inlined but
+ JSGlobalObject::~JSGlobalObject is not. Then, the heap of
+ allocating JSGlobalObjectRareData is WebKit.dll, but deallocating
+ _javascript_Core.dll. Adding WTF_MAKE_FAST_ALLOCATED to
+ JSGlobalObjectRareData ensures heap consistency of it. WTF::Lock
+ also needs WTF_MAKE_FAST_ALLOCATED because it is allocated from
+ the inlined constructor of JSGlobalObjectRareData.
+
+ Test: fast/dom/insertedIntoDocument-iframe.html
+
+ * runtime/JSGlobalObject.h:
+ Add WTF_MAKE_FAST_ALLOCATED to JSGlobalObjectRareData.
+
2016-04-27 Alberto Garcia <[email protected]>
[GTK] Fails to build randomly when generating LLIntDesiredOffsets.h
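Review bot: the entry lists `Test: fast/dom/insertedIntoDocument-iframe.html`, but this revision touches only the two ChangeLogs, JSGlobalObject.h and Lock.h; if r200068 added or modified that layout test it should be merged alongside, and if an existing test already covers the crash the entry should say so, since as written a reader cannot tell which.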
Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/runtime/JSGlobalObject.h (200838 => 200839)
--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/runtime/JSGlobalObject.h 2016-05-13 11:03:45 UTC (rev 200838)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/runtime/JSGlobalObject.h 2016-05-13 11:36:41 UTC (rev 200839)
@@ -181,6 +181,8 @@
typedef HashMap<OpaqueJSClass*, std::unique_ptr<OpaqueJSClassContextData>> OpaqueJSClassDataMap;
struct JSGlobalObjectRareData {
+ WTF_MAKE_FAST_ALLOCATED;
+ public:
JSGlobalObjectRareData()
: profileGroup(0)
{
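Review bot: the fix is per-type and only holds as long as every object the inlined createRareDataIfNeeded path allocates carries WTF_MAKE_FAST_ALLOCATED (hence the separate Lock.h change); a more durable fix would move JSGlobalObject::createRareDataIfNeeded out of line into JSGlobalObject.cpp so the allocation and ~JSGlobalObject run in the same DLL whatever the members do. The added `public:` is required because the macro ends in a private section; a one-line comment there would stop the next reader from removing it as redundant on a struct.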
Modified: releases/WebKitGTK/webkit-2.12/Source/WTF/ChangeLog (200838 => 200839)
--- releases/WebKitGTK/webkit-2.12/Source/WTF/ChangeLog 2016-05-13 11:03:45 UTC (rev 200838)
+++ releases/WebKitGTK/webkit-2.12/Source/WTF/ChangeLog 2016-05-13 11:36:41 UTC (rev 200839)
@@ -1,3 +1,29 @@
+2016-04-25 Fujii Hironori <[email protected]>
+
+ Heap corruption is detected when destructing JSGlobalObject
+ https://bugs.webkit.org/show_bug.cgi?id=156831
+
+ Reviewed by Mark Lam.
+
+ WebKit uses CRT static library on Windows. Each copy of the CRT
+ library has its own heap manager, allocating memory in one CRT
+ library and passing the pointer across a DLL boundary to be freed
+ by a different copy of the CRT library is a potential cause for
+ heap corruption.
+
+ Potential Errors Passing CRT Objects Across DLL Boundaries
+ <https://msdn.microsoft.com/en-us/library/ms235460(v=vs.140).aspx>
+
+ JSGlobalObject::createRareDataIfNeeded is inlined but
+ JSGlobalObject::~JSGlobalObject is not. Then, the heap of
+ allocating JSGlobalObjectRareData is WebKit.dll, but deallocating
+ _javascript_Core.dll. Adding WTF_MAKE_FAST_ALLOCATED to
+ JSGlobalObjectRareData ensures heap consistency of it. WTF::Lock
+ also needs WTF_MAKE_FAST_ALLOCATED because it is allocated from
+ the inlined constructor of JSGlobalObjectRareData.
+
+ * wtf/Lock.h: Add WTF_MAKE_FAST_ALLOCATED.
+
2016-04-05 Simon Fraser <[email protected]>
Implement operator== and operator!= for Optional<>
Modified: releases/WebKitGTK/webkit-2.12/Source/WTF/wtf/Lock.h (200838 => 200839)
--- releases/WebKitGTK/webkit-2.12/Source/WTF/wtf/Lock.h 2016-05-13 11:03:45 UTC (rev 200838)
+++ releases/WebKitGTK/webkit-2.12/Source/WTF/wtf/Lock.h 2016-05-13 11:36:41 UTC (rev 200839)
@@ -113,6 +113,7 @@
class Lock : public LockBase {
WTF_MAKE_NONCOPYABLE(Lock);
+ WTF_MAKE_FAST_ALLOCATED;
public:
Lock()
{
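Review bot: a short comment explaining why a lock class needs an allocator override would help, since nothing in this hunk says the reason is cross-DLL CRT heaps and the ChangeLog text is the only place the motivation survives. Note also that the override covers only `new Lock` / `delete` on the Lock type: LockBase gets none, and a Lock embedded by value inside an object without WTF_MAKE_FAST_ALLOCATED still lives on whatever heap that object was allocated from.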
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes