Title: [217608] trunk/Source/JavaScriptCore
- Revision: 217608
- Author: [email protected]
- Date: 2017-05-31 10:03:34 -0700 (Wed, 31 May 2017)
Log Message
Fix leak in PromiseDeferredTimer
https://bugs.webkit.org/show_bug.cgi?id=172755
Reviewed by JF Bastien.
We were not properly freeing the list of dependencies if we were already tracking the promise before.
This is because addPendingPromise takes the list of dependencies as an rvalue-reference. In the case
where we were already tracking the promise we append the provided dependency list to the existing list.
Since we never bound our rvalue-ref to a non-temporary value we never destructed the Vector, leaking its
contents.
* runtime/PromiseDeferredTimer.cpp:
(JSC::PromiseDeferredTimer::addPendingPromise):
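As an added illustration of the lifetime difference the patch introduces (this is not WebKit code), the following C++ models the two shapes of addPendingPromise: std::shared_ptr<Cell> stands in for Strong<JSCell>, std::vector for WTF::Vector and a std::map keyed by ticket id for the pending-promise map. Tracker, addPendingBefore, addPendingAfter and appendToTracked are hypothetical names chosen for the example.

```cpp
// Added example, not WebKit code: models the lifetime issue the log message
// describes.  std::shared_ptr<Cell> stands in for Strong<JSCell> (copying a
// handle keeps the cell alive), a std::map stands in for the pending-promise
// map, and Tracker/addPendingBefore/addPendingAfter/appendToTracked are
// assumed names for illustration only.
#include <cstddef>
#include <map>
#include <memory>
#include <utility>
#include <vector>

struct Cell { int id; };
using Strong = std::shared_ptr<Cell>;   // copy bumps the count, like a Strong<> handle
using Deps = std::vector<Strong>;

struct Tracker {
    std::map<int, Deps> pending;

    // 'Before' shape: on the already-tracked path the rvalue-ref parameter is
    // only read, so the caller's vector keeps its handles alive until the
    // caller's own scope ends.
    void addPendingBefore(int ticket, Deps&& dependencies) {
        auto result = pending.emplace(ticket, Deps());
        if (result.second)
            result.first->second = std::move(dependencies);
        else
            result.first->second.insert(result.first->second.end(),
                                        dependencies.begin(), dependencies.end());
    }

    // 'After' shape: move the parameter into a local so the handles it held are
    // released when this block ends, whichever branch is taken.
    void addPendingAfter(int ticket, Deps&& dependencies) {
        auto result = pending.emplace(ticket, Deps());
        if (result.second) {
            result.first->second = std::move(dependencies);
        } else {
            Deps deps = std::move(dependencies);   // local owns the handles now
            result.first->second.insert(result.first->second.end(),
                                        deps.begin(), deps.end());
        }   // deps destructs here, dropping its copies of the handles
    }
};

// Drives the already-tracked path twice (first call inserts, second appends)
// and reports (caller-vector size, use_count of one handle) right after the
// second call so the difference between the two shapes is observable.
static std::pair<std::size_t, long> appendToTracked(bool fixed) {
    Tracker tracker;
    Strong a = std::make_shared<Cell>(Cell{1});
    Deps first{a};
    if (fixed) tracker.addPendingAfter(7, std::move(first));
    else       tracker.addPendingBefore(7, std::move(first));

    Strong b = std::make_shared<Cell>(Cell{2});
    Deps extra{b};                        // caller-owned vector passed via std::move
    if (fixed) tracker.addPendingAfter(7, std::move(extra));
    else       tracker.addPendingBefore(7, std::move(extra));
    // before: extra still holds b (use_count 3: b, extra[0], the map entry)
    // after:  extra is empty (use_count 2: b and the map entry)
    return {extra.size(), b.use_count()};
}
```

The observable difference is exactly what the patch changes: with the 'before' shape the moved-from caller vector still owns a copy of every handle after the call, so those handles live as long as the caller's vector does; with the 'after' shape they are dropped when the else block ends.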
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (217607 => 217608)
--- trunk/Source/_javascript_Core/ChangeLog 2017-05-31 17:00:53 UTC (rev 217607)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-05-31 17:03:34 UTC (rev 217608)
@@ -1,3 +1,19 @@
+2017-05-31 Keith Miller <[email protected]>
+
+ Fix leak in PromiseDeferredTimer
+ https://bugs.webkit.org/show_bug.cgi?id=172755
+
+ Reviewed by JF Bastien.
+
+ We were not properly freeing the list of dependencies if we were already tracking the promise before.
+ This is because addPendingPromise takes the list of dependencies as an rvalue-reference. In the case
+ where we were already tracking the promise we append the provided dependency list to the existing list.
+ Since we never bound or rvalue-ref to a non-temporary value we never destructed the Vector, leaking its
+ contents.
+
+ * runtime/PromiseDeferredTimer.cpp:
+ (JSC::PromiseDeferredTimer::addPendingPromise):
+
2017-05-30 Oleksandr Skachkov <[email protected]>
Prevent async methods named 'function' in Object literal
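Review bot: typo in the added ChangeLog entry, "Since we never bound or rvalue-ref to a non-temporary value" should read "our rvalue-ref"; since this sentence is the explanation of the bug that later readers will land on from the bug URL, it is worth correcting before landing.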
Modified: trunk/Source/_javascript_Core/runtime/PromiseDeferredTimer.cpp (217607 => 217608)
--- trunk/Source/_javascript_Core/runtime/PromiseDeferredTimer.cpp 2017-05-31 17:00:53 UTC (rev 217607)
+++ trunk/Source/_javascript_Core/runtime/PromiseDeferredTimer.cpp 2017-05-31 17:03:34 UTC (rev 217608)
@@ -109,8 +109,10 @@
dependencies.append(Strong<JSCell>(*m_vm, ticket));
result.iterator->value = WTFMove(dependencies);
} else {
+ // We need to make sure we move dependencies into a non-reference type so we actually destruct it.
+ Vector<Strong<JSCell>> deps = WTFMove(dependencies);
dataLogLnIf(verbose, "Adding new dependencies for promise: ", RawPointer(ticket));
- result.iterator->value.appendVector(dependencies);
+ result.iterator->value.appendVector(deps);
}
#ifndef NDEBUG
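Review bot: the added comment "so we actually destruct it" overstates what the local buys; binding `dependencies` to an rvalue reference never stopped the caller's Vector from being destructed, it only left the elements alive until the caller's scope ended, so `Vector<Strong<JSCell>> deps = WTFMove(dependencies);` is really about releasing the Strong handles at the end of this else block. Rewording the comment to say that would keep the next reader from concluding rvalue references leak. Also, `result.iterator->value.appendVector(deps);` still copies each Strong<JSCell> (a fresh handle per element) before `deps` drops its own; if WTF's Vector has an rvalue `appendVector` overload, `appendVector(WTFMove(deps))` would match the move used in the new-entry branch (`result.iterator->value = WTFMove(dependencies);`) and avoid the transient duplicate handles.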
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes