Title: [241280] trunk/Source/_javascript_Core
Revision
241280
Author
[email protected]
Date
2019-02-11 14:44:17 -0800 (Mon, 11 Feb 2019)

Log Message

Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
https://bugs.webkit.org/show_bug.cgi?id=194512
<rdar://problem/47975465>

Reviewed by Yusuke Suzuki.

* runtime/StructureIDTable.cpp:
(JSC::StructureIDTable::StructureIDTable):
(JSC::StructureIDTable::allocateID):
(JSC::StructureIDTable::deallocateID):
* runtime/StructureIDTable.h:

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (241279 => 241280)


--- trunk/Source/_javascript_Core/ChangeLog	2019-02-11 22:27:37 UTC (rev 241279)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-02-11 22:44:17 UTC (rev 241280)
@@ -1,3 +1,17 @@
+2019-02-11  Mark Lam  <[email protected]>
+
+        Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
+        https://bugs.webkit.org/show_bug.cgi?id=194512
+        <rdar://problem/47975465>
+
+        Reviewed by Yusuke Suzuki.
+
+        * runtime/StructureIDTable.cpp:
+        (JSC::StructureIDTable::StructureIDTable):
+        (JSC::StructureIDTable::allocateID):
+        (JSC::StructureIDTable::deallocateID):
+        * runtime/StructureIDTable.h:
+
 2019-02-10  Mark Lam  <[email protected]>
 
         Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor.

Modified: trunk/Source/_javascript_Core/runtime/StructureIDTable.cpp (241279 => 241280)


--- trunk/Source/_javascript_Core/runtime/StructureIDTable.cpp	2019-02-11 22:27:37 UTC (rev 241279)
+++ trunk/Source/_javascript_Core/runtime/StructureIDTable.cpp	2019-02-11 22:44:17 UTC (rev 241280)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -32,8 +32,7 @@
 namespace JSC {
 
 StructureIDTable::StructureIDTable()
-    : m_firstFreeOffset(0)
-    , m_table(makeUniqueArray<StructureOrOffset>(s_initialSize))
+    : m_table(makeUniqueArray<StructureOrOffset>(s_initialSize))
     , m_size(0)
     , m_capacity(s_initialSize)
 {
@@ -96,6 +95,9 @@
 
     StructureID result = m_firstFreeOffset;
     m_firstFreeOffset = table()[m_firstFreeOffset].offset;
+    if (!m_firstFreeOffset)
+        m_lastFreeOffset = 0;
+
     table()[result].structure = structure;
     ASSERT(!isNuked(result));
     return result;
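Review bot: The new reset of `m_lastFreeOffset` after the pop relies on an invariant the code never checks: when the popped head was the last node in the free list, it must also have been the tail. A debug assertion would catch a corrupted or mis-threaded list before the ID is handed back, e.g. `if (!m_firstFreeOffset) { ASSERT(result == m_lastFreeOffset); m_lastFreeOffset = 0; }`. allocateID's body starts outside the hunk, so the table-growth path above this point and its effect on the two offsets could not be checked here.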
@@ -110,8 +112,23 @@
 #if USE(JSVALUE64)
     ASSERT(structureID != s_unusedID);
     RELEASE_ASSERT(table()[structureID].structure == structure);
-    table()[structureID].offset = m_firstFreeOffset;
-    m_firstFreeOffset = structureID;
+
+    if (!m_firstFreeOffset) {
+        table()[structureID].offset = 0;
+        m_firstFreeOffset = structureID;
+        m_lastFreeOffset = structureID;
+        return;
+    }
+
+    bool insertAtHead = m_weakRandom.getUint32() & 1;
+    if (insertAtHead) {
+        table()[structureID].offset = m_firstFreeOffset;
+        m_firstFreeOffset = structureID;
+    } else {
+        table()[structureID].offset = 0;
+        table()[m_lastFreeOffset].offset = structureID;
+        m_lastFreeOffset = structureID;
+    }
 #else
     UNUSED_PARAM(structure);
     UNUSED_PARAM(structureID);
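Review bot: The tail-append branch writes through `table()[m_lastFreeOffset]` without asserting that the tail is valid and terminated; since this free list is what keeps a freed StructureID from being predictably reused, a cheap check is worth having: `ASSERT(m_lastFreeOffset); ASSERT(!table()[m_lastFreeOffset].offset);` immediately before `table()[m_lastFreeOffset].offset = structureID;`. Nothing in the hunk records why the insertion side is randomized; a comment above the coin flip saying that a deallocated ID should not be handed back by the next allocateID in a predictable order, and that WeakRandom is a fast non-cryptographic generator so this is a hardening measure rather than a guarantee, would stop a later cleanup from collapsing it back to the old LIFO push. The function continues outside the hunk (the `#else` branch and closing brace are cut off).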

Modified: trunk/Source/_javascript_Core/runtime/StructureIDTable.h (241279 => 241280)


--- trunk/Source/_javascript_Core/runtime/StructureIDTable.h	2019-02-11 22:27:37 UTC (rev 241279)
+++ trunk/Source/_javascript_Core/runtime/StructureIDTable.h	2019-02-11 22:44:17 UTC (rev 241280)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -28,6 +28,7 @@
 #include "UnusedPointer.h"
 #include <wtf/UniqueArray.h>
 #include <wtf/Vector.h>
+#include <wtf/WeakRandom.h>
 
 namespace JSC {
 
@@ -110,12 +111,15 @@
 
     Vector<UniqueArray<StructureOrOffset>> m_oldTables;
 
-    uint32_t m_firstFreeOffset;
+    uint32_t m_firstFreeOffset { 0 };
+    uint32_t m_lastFreeOffset { 0 };
     UniqueArray<StructureOrOffset> m_table;
 
     size_t m_size;
     size_t m_capacity;
 
+    WeakRandom m_weakRandom;
+
 #if USE(JSVALUE64)
     static const StructureID s_unusedID = unusedPointer;
 #endif
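Review bot: `WeakRandom m_weakRandom;` is declared unconditionally, but its only reader in this commit (the coin flip in deallocateID) sits inside `#if USE(JSVALUE64)`, so non-JSVALUE64 builds carry a generator they never use and presumably pay its seeding cost at construction; consider guarding the member the same way `s_unusedID` is, `#if USE(JSVALUE64)` / `WeakRandom m_weakRandom;` / `#endif`. A one-line comment on `m_lastFreeOffset` stating that it is meaningful only while `m_firstFreeOffset` is non-zero, with offset 0 terminating the list, would document the invariant the .cpp now depends on in both allocateID and deallocateID.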