Title: [201193] branches/safari-602.1.32-branch/Source/_javascript_Core

Diff

Modified: branches/safari-602.1.32-branch/Source/_javascript_Core/ChangeLog (201192 => 201193)


--- branches/safari-602.1.32-branch/Source/_javascript_Core/ChangeLog	2016-05-19 22:27:17 UTC (rev 201192)
+++ branches/safari-602.1.32-branch/Source/_javascript_Core/ChangeLog	2016-05-19 22:41:06 UTC (rev 201193)
@@ -1,5 +1,34 @@
 2016-05-19  Babak Shafiei  <[email protected]>
 
+        Merge r201180. rdar://problem/26129156
+
+    2016-05-19  Mark Lam  <[email protected]>
+
+            Code that null checks the VM pointer before any use should ref the VM.
+            https://bugs.webkit.org/show_bug.cgi?id=157864
+
+            Reviewed by Filip Pizlo and Keith Miller.
+
+            JSLock::willReleaseLock() and HeapTimer::timerDidFire() need to reference the VM
+            through a RefPtr.  Otherwise, there's no guarantee that the VM won't be deleted
+            after their null checks.
+
+            * bytecode/CodeBlock.h:
+            (JSC::CodeBlock::vm):
+            (JSC::CodeBlock::setVM): Deleted.
+            - Not used, and suggests that it can be changed during the lifetime of the
+              CodeBlock (which should not be).
+
+            * heap/HeapTimer.cpp:
+            (JSC::HeapTimer::timerDidFire):
+            * runtime/JSLock.cpp:
+            (JSC::JSLock::willReleaseLock):
+            - Store the VM pointer in a RefPtr first, and null check the RefPtr instead of
+              the raw VM pointer.  This makes the null check a strong guarantee that the
+              VM pointer is valid while these functions are using it.
+
+2016-05-19  Babak Shafiei  <[email protected]>
+
         Merge r200651. rdar://problem/26188642
 
     2016-05-10  Joseph Pecoraro  <[email protected]>

Modified: branches/safari-602.1.32-branch/Source/_javascript_Core/bytecode/CodeBlock.h (201192 => 201193)


--- branches/safari-602.1.32-branch/Source/_javascript_Core/bytecode/CodeBlock.h	2016-05-19 22:27:17 UTC (rev 201192)
+++ branches/safari-602.1.32-branch/Source/_javascript_Core/bytecode/CodeBlock.h	2016-05-19 22:41:06 UTC (rev 201193)
@@ -339,8 +339,7 @@
     ExecutableBase* ownerExecutable() const { return m_ownerExecutable.get(); }
     ScriptExecutable* ownerScriptExecutable() const { return jsCast<ScriptExecutable*>(m_ownerExecutable.get()); }
 
-    void setVM(VM* vm) { m_vm = vm; }
-    VM* vm() { return m_vm; }
+    VM* vm() const { return m_vm; }
 
     void setThisRegister(VirtualRegister thisRegister) { m_thisRegister = thisRegister; }
     VirtualRegister thisRegister() const { return m_thisRegister; }

Modified: branches/safari-602.1.32-branch/Source/_javascript_Core/heap/HeapTimer.cpp (201192 => 201193)


--- branches/safari-602.1.32-branch/Source/_javascript_Core/heap/HeapTimer.cpp	2016-05-19 22:27:17 UTC (rev 201192)
+++ branches/safari-602.1.32-branch/Source/_javascript_Core/heap/HeapTimer.cpp	2016-05-19 22:41:06 UTC (rev 201193)
@@ -80,9 +80,9 @@
     JSLock* apiLock = static_cast<JSLock*>(context);
     apiLock->lock();
 
-    VM* vm = apiLock->vm();
-    // The VM has been destroyed, so we should just give up.
+    RefPtr<VM> vm = apiLock->vm();
     if (!vm) {
+        // The VM has been destroyed, so we should just give up.
         apiLock->unlock();
         return;
     }
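Review bot: The new `RefPtr<VM> vm` at L73 extends the VM's lifetime to the end of timerDidFire, so if the timer thread ends up holding the last reference, `~VM` runs when `vm` goes out of scope — i.e. after the function's final `apiLock->unlock()` (outside this hunk), with the API lock already released. Elsewhere the VM is torn down with its lock held, and if `VM`'s destructor relies on that (not visible here) this path would violate it; releasing the reference explicitly before the unlock, `vm = nullptr;` immediately before the final `apiLock->unlock();`, keeps the last deref under the lock. It is also worth recording why the ref is taken under the lock, e.g. `// Ref the VM while holding the API lock: the null check is only meaningful if the VM cannot be destroyed between it and the uses below.` The rest of timerDidFire, including the unlock, lies outside the hunk.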
@@ -98,7 +98,7 @@
         RELEASE_ASSERT_NOT_REACHED();
 
     {
-        JSLockHolder locker(vm);
+        JSLockHolder locker(vm.get());
         heapTimer->doWork();
     }
 

Modified: branches/safari-602.1.32-branch/Source/_javascript_Core/runtime/JSLock.cpp (201192 => 201193)


--- branches/safari-602.1.32-branch/Source/_javascript_Core/runtime/JSLock.cpp	2016-05-19 22:27:17 UTC (rev 201192)
+++ branches/safari-602.1.32-branch/Source/_javascript_Core/runtime/JSLock.cpp	2016-05-19 22:41:06 UTC (rev 201193)
@@ -177,11 +177,12 @@
 
 void JSLock::willReleaseLock()
 {
-    if (m_vm) {
-        m_vm->drainMicrotasks();
+    RefPtr<VM> vm = m_vm;
+    if (vm) {
+        vm->drainMicrotasks();
 
-        m_vm->heap.releaseDelayedReleasedObjects();
-        m_vm->setStackPointerAtVMEntry(nullptr);
+        vm->heap.releaseDelayedReleasedObjects();
+        vm->setStackPointerAtVMEntry(nullptr);
     }
 
     if (m_entryAtomicStringTable) {
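Review bot: Copying the raw `m_vm` into a `RefPtr<VM>` at L100 is only sound if `m_vm` is cleared before the VM's reference count reaches zero; ref()ing a pointer whose deletion has already begun would let the RefPtr's deref at the end of this function delete the VM a second time. The hunk does not show where `m_vm` is reset (presumably a willDestroyVM-style hook called from the VM destructor under this lock), so the invariant should be stated at the point of use, e.g. `// Safe to ref: m_vm is cleared under this lock before the VM's destructor runs, so a non-null m_vm is always a live, ref-able VM.` The function continues past the hunk, so `vm` stays alive across the remaining body while the lock is still held.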