Title: [222398] trunk/Source/_javascript_Core
Revision
222398
Author
[email protected]
Date
2017-09-22 12:18:33 -0700 (Fri, 22 Sep 2017)

Log Message

Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
https://bugs.webkit.org/show_bug.cgi?id=177368

Reviewed by Keith Miller.

* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::finishCreation):
(JSC::ErrorInstance::materializeErrorInfoIfNeeded):
(JSC::ErrorInstance::visitChildren):

Modified: trunk/Source/_javascript_Core/ChangeLog (222397 => 222398)


--- trunk/Source/_javascript_Core/ChangeLog	2017-09-22 19:01:25 UTC (rev 222397)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-09-22 19:18:33 UTC (rev 222398)
@@ -1,3 +1,15 @@
+2017-09-22  Saam Barati  <[email protected]>
+
+        Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
+        https://bugs.webkit.org/show_bug.cgi?id=177368
+
+        Reviewed by Keith Miller.
+
+        * runtime/ErrorInstance.cpp:
+        (JSC::ErrorInstance::finishCreation):
+        (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
+        (JSC::ErrorInstance::visitChildren):
+
 2017-09-22  Yusuke Suzuki  <[email protected]>
 
         [DFG][FTL] Profile array vector length for array allocation

Modified: trunk/Source/_javascript_Core/runtime/ErrorInstance.cpp (222397 => 222398)


--- trunk/Source/_javascript_Core/runtime/ErrorInstance.cpp	2017-09-22 19:01:25 UTC (rev 222397)
+++ trunk/Source/_javascript_Core/runtime/ErrorInstance.cpp	2017-09-22 19:18:33 UTC (rev 222398)
@@ -115,7 +115,13 @@
     if (!message.isNull())
         putDirect(vm, vm.propertyNames->message, jsString(&vm, message), DontEnum);
 
-    m_stackTrace = getStackTrace(exec, vm, this, useCurrentFrame);
+    std::unique_ptr<Vector<StackFrame>> stackTrace = getStackTrace(exec, vm, this, useCurrentFrame);
+    {
+        auto locker = holdLock(*this);
+        m_stackTrace = WTFMove(stackTrace);
+    }
+    vm.heap.writeBarrier(this);
+
     if (m_stackTrace && !m_stackTrace->isEmpty() && hasSourceAppender()) {
         unsigned bytecodeOffset;
         CallFrame* callFrame;
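Review bot: The read of `m_stackTrace` on the line right after the barrier happens outside the lock the store just took, and nothing says why that is acceptable; the same unlocked read is `m_stackTrace.get()` at the top of materializeErrorInfoIfNeeded. It holds only because the mutator is the sole writer and the lock protects the collector's traversal in visitChildren, so the locked block should say so: `// Publish under the cell lock: the collector walks *m_stackTrace in visitChildren. The mutator is the only writer, so its own reads need no lock.` The store-then-`writeBarrier` ordering also deserves a word, presumably because a concurrent collector may already have visited this cell before the frames were attached: `// Barrier after the store so a collector that already visited this cell rescans the new frames.` finishCreation begins and ends outside the hunk.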
@@ -202,7 +208,10 @@
         return;
     
     addErrorInfo(vm, m_stackTrace.get(), this);
-    m_stackTrace = nullptr;
+    {
+        auto locker = holdLock(*this);
+        m_stackTrace = nullptr;
+    }
     
     m_errorInfoMaterialized = true;
 }
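Review bot: The reset of `m_stackTrace` under the lock is what stops the collector from iterating a Vector the mutator has just freed, but the block carries no comment explaining the otherwise odd-looking scope around a single assignment. A one-liner would do: `// Destroy under the cell lock: visitChildren may be walking *m_stackTrace on the collector thread.` The `addErrorInfo` call above consumes the raw pointer outside the lock, which is fine only while the mutator remains the sole writer. materializeErrorInfoIfNeeded begins outside the hunk.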
@@ -222,9 +231,12 @@
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
     Base::visitChildren(thisObject, visitor);
 
-    if (thisObject->m_stackTrace) {
-        for (StackFrame& frame : *thisObject->m_stackTrace)
-            frame.visitChildren(visitor);
+    {
+        auto locker = holdLock(*thisObject);
+        if (thisObject->m_stackTrace) {
+            for (StackFrame& frame : *thisObject->m_stackTrace)
+                frame.visitChildren(visitor);
+        }
     }
 }
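Review bot: The lock is now held for the whole frame loop, which is the reader side of the locked stores in finishCreation and materializeErrorInfoIfNeeded, yet nothing in the block says what it pairs with or why the loop cannot run unlocked. A comment on the locked block would tie the three sites together: `// Cell lock pairs with the mutator-side stores: m_stackTrace may be replaced or freed while the collector walks it.` The extra brace scope exists only to bound the locker's lifetime and is fine as written. visitChildren begins outside the hunk.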
 