Title: [231930] trunk/Source/_javascript_Core
Revision
231930
Author
sbar...@apple.com
Date
2018-05-17 16:20:31 -0700 (Thu, 17 May 2018)

Log Message

defaultConstructorSourceCode needs to makeSource every time it's called
https://bugs.webkit.org/show_bug.cgi?id=185753

Rubber-stamped by Mark Lam.

The bug here is multiple VMs can be running concurrently to one another
in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
if we copy a static SourceCode. Instead, we create a new one each time
this function is called.

* builtins/BuiltinExecutables.cpp:
(JSC::BuiltinExecutables::defaultConstructorSourceCode):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (231929 => 231930)


--- trunk/Source/_javascript_Core/ChangeLog	2018-05-17 23:03:50 UTC (rev 231929)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-05-17 23:20:31 UTC (rev 231930)
@@ -1,3 +1,18 @@
+2018-05-17  Saam Barati  <sbar...@apple.com>
+
+        defaultConstructorSourceCode needs to makeSource every time it's called
+        https://bugs.webkit.org/show_bug.cgi?id=185753
+
+        Rubber-stamped by Mark Lam.
+
+        The bug here is multiple VMs can be running concurrently to one another
+        in the same process. They may each ref/deref something that isn't ThreadSafeRefCounted
+        if we copy a static SourceCode. instead, we create a new one each time
+        this function is called.
+
+        * builtins/BuiltinExecutables.cpp:
+        (JSC::BuiltinExecutables::defaultConstructorSourceCode):
+
 2018-05-17  Yusuke Suzuki  <utatane....@gmail.com>
 
         [JSC] Use AssemblyHelpers' type checking functions as much as possible
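Review bot: In the new ChangeLog entry, "SourceCode. instead, we create" starts a sentence with a lowercase word; it should read "SourceCode. Instead, we create". The entry would also be more useful if it named what inside SourceCode is not ThreadSafeRefCounted (the description says only "something"), so a later reader can tell why a shared static instance is unsafe across VMs on different threads.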

Modified: trunk/Source/_javascript_Core/builtins/BuiltinExecutables.cpp (231929 => 231930)


--- trunk/Source/_javascript_Core/builtins/BuiltinExecutables.cpp	2018-05-17 23:03:50 UTC (rev 231929)
+++ trunk/Source/_javascript_Core/builtins/BuiltinExecutables.cpp	2018-05-17 23:20:31 UTC (rev 231930)
@@ -49,21 +49,11 @@
         break;
     case ConstructorKind::Base: {
         static NeverDestroyed<const String> baseConstructorCode(MAKE_STATIC_STRING_IMPL("(function () { })"));
-        static LazyNeverDestroyed<SourceCode> result;
-        static std::once_flag onceFlag;
-        std::call_once(onceFlag, [&] {
-            result.construct(makeSource(baseConstructorCode, { }));
-        });
-        return result;
+        return makeSource(baseConstructorCode, { });
     }
     case ConstructorKind::Extends: {
         static NeverDestroyed<const String> derivedConstructorCode(MAKE_STATIC_STRING_IMPL("(function (...args) { super(...args); })"));
-        static LazyNeverDestroyed<SourceCode> result;
-        static std::once_flag onceFlag;
-        std::call_once(onceFlag, [&] {
-            result.construct(makeSource(derivedConstructorCode, { }));
-        });
-        return result;
+        return makeSource(derivedConstructorCode, { });
     }
     }
     RELEASE_ASSERT_NOT_REACHED();
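Review bot: Both cases in this hunk still keep a `static NeverDestroyed<const String>` (`baseConstructorCode`, `derivedConstructorCode`) that is shared by every VM in the process and is now passed to `makeSource` on every call; since the stated reason for the change is that concurrently running VMs must not ref/deref non-ThreadSafeRefCounted objects through a shared static, the patch should say (in the ChangeLog or a comment next to these statics) why the static String is safe to share while the static `SourceCode` was not. Dropping the `LazyNeverDestroyed`/`std::once_flag` caching also means `defaultConstructorSourceCode` allocates a fresh `SourceCode` per call, so callers can no longer rely on getting the same object back; if this function turns out to be hot, a per-VM cache would keep the thread-safety fix without the repeated allocation.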
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes