[webkit-changes] [201180] trunk/Source/JavaScriptCore

[mark . lam]

Title: [201180] trunk/Source/_javascript_Core

Revision

201180

Author

mark....@apple.com

Date

2016-05-19 14:02:44 -0700 (Thu, 19 May 2016)

Log Message

Code that null checks the VM pointer before any use should ref the VM.
https://bugs.webkit.org/show_bug.cgi?id=157864

Reviewed by Filip Pizlo and Keith Miller.

JSLock::willReleaseLock() and HeapTimer::timerDidFire() need to reference the VM
through a RefPtr.  Otherwise, there's no guarantee that the VM won't be deleted
after their null checks.

* bytecode/CodeBlock.h:
(JSC::CodeBlock::vm):
(JSC::CodeBlock::setVM): Deleted.
- Not used, and suggests that it can be changed during the lifetime of the
  CodeBlock (which should not be).

* heap/HeapTimer.cpp:
(JSC::HeapTimer::timerDidFire):
* runtime/JSLock.cpp:
(JSC::JSLock::willReleaseLock):
- Store the VM pointer in a RefPtr first, and null check the RefPtr instead of
  the raw VM pointer.  This makes the null check a strong guarantee that the
  VM pointer is valid while these functions are using it.

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/bytecode/CodeBlock.h
• trunk/Source/_javascript_Core/heap/HeapTimer.cpp
• trunk/Source/_javascript_Core/runtime/JSLock.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (201179 => 201180)

--- trunk/Source/_javascript_Core/ChangeLog	2016-05-19 20:40:54 UTC (rev 201179)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-05-19 21:02:44 UTC (rev 201180)
@@ -1,3 +1,28 @@
+2016-05-19  Mark Lam  <mark....@apple.com>
+
+        Code that null checks the VM pointer before any use should ref the VM.
+        https://bugs.webkit.org/show_bug.cgi?id=157864
+
+        Reviewed by Filip Pizlo and Keith Miller.
+
+        JSLock::willReleaseLock() and HeapTimer::timerDidFire() need to reference the VM
+        through a RefPtr.  Otherwise, there's no guarantee that the VM won't be deleted
+        after their null checks.
+
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::vm):
+        (JSC::CodeBlock::setVM): Deleted.
+        - Not used, and suggests that it can be changed during the lifetime of the
+          CodeBlock (which should not be).
+
+        * heap/HeapTimer.cpp:
+        (JSC::HeapTimer::timerDidFire):
+        * runtime/JSLock.cpp:
+        (JSC::JSLock::willReleaseLock):
+        - Store the VM pointer in a RefPtr first, and null check the RefPtr instead of
+          the raw VM pointer.  This makes the null check a strong guarantee that the
+          VM pointer is valid while these functions are using it.
+
 2016-05-19  Saam barati  <sbar...@apple.com>
 
         arrow function lexical environment should reuse the same environment as the function's lexical environment where possible

Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.h (201179 => 201180)

--- trunk/Source/_javascript_Core/bytecode/CodeBlock.h	2016-05-19 20:40:54 UTC (rev 201179)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.h	2016-05-19 21:02:44 UTC (rev 201180)
@@ -340,8 +340,7 @@
     ExecutableBase* ownerExecutable() const { return m_ownerExecutable.get(); }
     ScriptExecutable* ownerScriptExecutable() const { return jsCast<ScriptExecutable*>(m_ownerExecutable.get()); }
 
-    void setVM(VM* vm) { m_vm = vm; }
-    VM* vm() { return m_vm; }
+    VM* vm() const { return m_vm; }
 
     void setThisRegister(VirtualRegister thisRegister) { m_thisRegister = thisRegister; }
     VirtualRegister thisRegister() const { return m_thisRegister; }

Modified: trunk/Source/_javascript_Core/heap/HeapTimer.cpp (201179 => 201180)

--- trunk/Source/_javascript_Core/heap/HeapTimer.cpp	2016-05-19 20:40:54 UTC (rev 201179)
+++ trunk/Source/_javascript_Core/heap/HeapTimer.cpp	2016-05-19 21:02:44 UTC (rev 201180)
@@ -80,9 +80,9 @@
     JSLock* apiLock = static_cast<JSLock*>(context);
     apiLock->lock();
 
-    VM* vm = apiLock->vm();
-    // The VM has been destroyed, so we should just give up.
+    RefPtr<VM> vm = apiLock->vm();
     if (!vm) {
+        // The VM has been destroyed, so we should just give up.
         apiLock->unlock();
         return;
     }
@@ -98,7 +98,7 @@
         RELEASE_ASSERT_NOT_REACHED();
 
     {
-        JSLockHolder locker(vm);
+        JSLockHolder locker(vm.get());
         heapTimer->doWork();
     }
 

Modified: trunk/Source/_javascript_Core/runtime/JSLock.cpp (201179 => 201180)

--- trunk/Source/_javascript_Core/runtime/JSLock.cpp	2016-05-19 20:40:54 UTC (rev 201179)
+++ trunk/Source/_javascript_Core/runtime/JSLock.cpp	2016-05-19 21:02:44 UTC (rev 201180)
@@ -177,11 +177,12 @@
 
 void JSLock::willReleaseLock()
 {
-    if (m_vm) {
-        m_vm->drainMicrotasks();
+    RefPtr<VM> vm = m_vm;
+    if (vm) {
+        vm->drainMicrotasks();
 
-        m_vm->heap.releaseDelayedReleasedObjects();
-        m_vm->setStackPointerAtVMEntry(nullptr);
+        vm->heap.releaseDelayedReleasedObjects();
+        vm->setStackPointerAtVMEntry(nullptr);
     }
 
     if (m_entryAtomicStringTable) {

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes