Title: [220175] trunk/Source/JavaScriptCore
- Revision: 220175
- Author: [email protected]
- Date: 2017-08-02 18:57:37 -0700 (Wed, 02 Aug 2017)
Log Message
Sweeping should only scribble when sweeping to free list
https://bugs.webkit.org/show_bug.cgi?id=175105
Reviewed by Saam Barati.
I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
when it doesn't matter anyway because we're building a free list.
This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
zap.
* heap/MarkedBlockInlines.h:
(JSC::MarkedBlock::Handle::specializedSweep):
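The failure the log message describes, as an added C model that is not JSC's code: cells are destroyed and zapped, and a later sweep of the same block relies on the zap word to skip already-dead cells. With the pre-r220175 ordering the bump path scribbles even in SweepOnly, so the second sweep's destructor reads a scribbled header instead of the zap word. The zap-check-before-destroy, the one-word header layout and the two-sweep sequence are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Simplified model, not JSC's code: a cell's first word is its header. Destroying a
   cell zaps that word to 0; scribbling fills the whole cell with 0xbadbeef0. */
#define ZAP_WORD      0u
#define SCRIBBLE_WORD 0xbadbeef0u
#define LIVE_HEADER   0x1u
#define CELL_WORDS    4
#define NUM_CELLS     3
enum SweepMode    { SweepOnly, SweepToFreeList };
enum ScribbleMode { DontScribble, Scribble };
typedef struct { uint32_t words[CELL_WORDS]; } Cell;
static int bad_destroys; /* destructor calls that read a scribbled header */

/* Skips cells that are already zapped (assumed check). A header holding the scribble
   word looks live, so the destructor "dereferences" it: the crash the log describes. */
static void destroy(Cell* c)
{
    if (c->words[0] == ZAP_WORD) return;
    if (c->words[0] == SCRIBBLE_WORD) bad_destroys++;
    c->words[0] = ZAP_WORD; /* zap after destruction */
}

static void scribble(Cell* cells, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t w = 0; w < CELL_WORDS; w++) cells[i].words[w] = SCRIBBLE_WORD;
}

/* Bump-path sweep. fixed == 0 is the pre-r220175 order (scribble whenever Scribble),
   fixed == 1 is the patched order (scribble only when building a free list). */
static void sweep(Cell* cells, size_t n, enum SweepMode sm, enum ScribbleMode scm, int fixed)
{
    for (size_t i = 0; i < n; i++) destroy(&cells[i]);
    if (scm == Scribble && (!fixed || sm == SweepToFreeList))
        scribble(cells, n); /* the buggy order scribbles even in SweepOnly */
}

/* Sweeps one block twice (SweepOnly, then SweepToFreeList) and returns how many
   destructor calls in the second sweep hit a scribbled header. */
int bad_destroys_after_two_sweeps(int fixed)
{
    Cell cells[NUM_CELLS];
    memset(cells, 0, sizeof cells);
    for (size_t i = 0; i < NUM_CELLS; i++) cells[i].words[0] = LIVE_HEADER;
    bad_destroys = 0;
    sweep(cells, NUM_CELLS, SweepOnly, Scribble, fixed);
    sweep(cells, NUM_CELLS, SweepToFreeList, Scribble, fixed);
    return bad_destroys;
}
```

With the old ordering every cell in the constructed block is "destroyed" a second time through a scribbled header; with the patched ordering the zap word survives the SweepOnly pass and the second sweep skips all of them.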
Modified Paths
- trunk/Source/JavaScriptCore/ChangeLog
- trunk/Source/JavaScriptCore/heap/MarkedBlockInlines.h
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (220174 => 220175)
--- trunk/Source/_javascript_Core/ChangeLog 2017-08-03 01:55:59 UTC (rev 220174)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-08-03 01:57:37 UTC (rev 220175)
@@ -1,5 +1,25 @@
2017-08-02 Filip Pizlo <[email protected]>
+ Sweeping should only scribble when sweeping to free list
+ https://bugs.webkit.org/show_bug.cgi?id=175105
+
+ Reviewed by Saam Barati.
+
+ I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
+ can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
+ zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
+ didn't used to do destruction on the bump path. No destruction, no zapping. Looking at the pop
+ path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
+ when it doesn't matter anyway because we're building a free list.
+
+ This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
+ zap.
+
+ * heap/MarkedBlockInlines.h:
+ (JSC::MarkedBlock::Handle::specializedSweep):
+
+2017-08-02 Filip Pizlo <[email protected]>
+
All C++ accesses to JSObject::m_butterfly should do caging
https://bugs.webkit.org/show_bug.cgi?id=175039
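Review bot: the `(JSC::MarkedBlock::Handle::specializedSweep):` line in the new entry carries no per-function description, so a ChangeLog reader cannot tell what changed without opening the diff; a one-line note such as "Only scribble on the bump path when sweepMode == SweepToFreeList, matching the pop path" would make the entry self-contained.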
Modified: trunk/Source/_javascript_Core/heap/MarkedBlockInlines.h (220174 => 220175)
--- trunk/Source/_javascript_Core/heap/MarkedBlockInlines.h 2017-08-03 01:55:59 UTC (rev 220174)
+++ trunk/Source/_javascript_Core/heap/MarkedBlockInlines.h 2017-08-03 01:57:37 UTC (rev 220175)
@@ -201,10 +201,11 @@
for (char* cell = payloadBegin; cell < payloadEnd; cell += cellSize)
destroy(cell);
}
- if (scribbleMode == Scribble)
- scribble(payloadBegin, payloadEnd - payloadBegin);
- if (sweepMode == SweepToFreeList)
+ if (sweepMode == SweepToFreeList) {
+ if (scribbleMode == Scribble)
+ scribble(payloadBegin, payloadEnd - payloadBegin);
freeList->initializeBump(payloadEnd, payloadEnd - payloadBegin);
+ }
if (false)
dataLog("Quickly swept block ", RawPointer(this), " with cell size ", cellSize, " and attributes ", m_attributes, ": ", pointerDump(freeList), "\n");
return;
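Review bot: moving `if (scribbleMode == Scribble)` inside the new `if (sweepMode == SweepToFreeList) {` block is the right fix for the stated bug, since scribbling now only touches memory that `freeList->initializeBump(payloadEnd, payloadEnd - payloadBegin)` is about to hand out, but nothing in the hunk says why the ordering matters; a short comment above the block ("SweepOnly must leave cells zapped, not scribbled, so destructors can detect dead cells") would stop a future refactor from hoisting the scribble back out. The context lines also show where the zap is expected to come from (the `destroy(cell)` loop above) only by implication, so that comment is the one place the invariant would be written down. Separately, the `if (false) dataLog(...)` line is dead code shipped in the hot sweep path; consider dropping it or putting it behind a real verbose flag.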