Title: [246021] trunk/Source/_javascript_Core
- Revision
- 246021
- Author
- [email protected]
- Date
- 2019-06-02 05:25:15 -0700 (Sun, 02 Jun 2019)
Log Message
CachedMetadataTable::decode leaks empty tables
https://bugs.webkit.org/show_bug.cgi?id=198465
<rdar://problem/51307673>
Reviewed by Yusuke Suzuki.
CachedMetadataTable::decode creates the metadata and never calls finalize on it.
This leaks the underlying UnlinkedMetadataTable buffer when m_hasMetadata is false,
since the buffer would be freed in finalize instead of in the destructor.
* bytecode/UnlinkedMetadataTable.h:
(JSC::UnlinkedMetadataTable::empty):
* bytecode/UnlinkedMetadataTableInlines.h:
(JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
* runtime/CachedTypes.cpp:
(JSC::CachedMetadataTable::decode const):
Modified: trunk/Source/_javascript_Core/ChangeLog (246020 => 246021)
--- trunk/Source/_javascript_Core/ChangeLog 2019-06-02 03:01:56 UTC (rev 246020)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-06-02 12:25:15 UTC (rev 246021)
@@ -1,3 +1,22 @@
+2019-06-02 Tadeu Zagallo <[email protected]>
+
+ CachedMetadataTable::decode leaks empty tables
+ https://bugs.webkit.org/show_bug.cgi?id=198465
+ <rdar://problem/51307673>
+
+ Reviewed by Yusuke Suzuki.
+
+ CachedMetadataTable::decode creates the metadata and never calls finalize on it.
+ This leaks the underlying UnlinkedMetadataTable buffer when m_hasMetadata is false,
+ since the buffer would be freed in finalize instead of in the destructor.
+
+ * bytecode/UnlinkedMetadataTable.h:
+ (JSC::UnlinkedMetadataTable::empty):
+ * bytecode/UnlinkedMetadataTableInlines.h:
+ (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
+ * runtime/CachedTypes.cpp:
+ (JSC::CachedMetadataTable::decode const):
+
2019-05-31 Yusuke Suzuki <[email protected]>
Unreviewed, fix setEntryAddressCommon register usage in LLInt ASM Windows 64
Modified: trunk/Source/_javascript_Core/bytecode/UnlinkedMetadataTable.h (246020 => 246021)
--- trunk/Source/_javascript_Core/bytecode/UnlinkedMetadataTable.h 2019-06-02 03:01:56 UTC (rev 246020)
+++ trunk/Source/_javascript_Core/bytecode/UnlinkedMetadataTable.h 2019-06-02 12:25:15 UTC (rev 246021)
@@ -61,8 +61,11 @@
}
private:
+ enum EmptyTag { Empty };
+
UnlinkedMetadataTable();
UnlinkedMetadataTable(bool is32Bit);
+ UnlinkedMetadataTable(EmptyTag);
static Ref<UnlinkedMetadataTable> create(bool is32Bit)
{
@@ -69,6 +72,11 @@
return adoptRef(*new UnlinkedMetadataTable(is32Bit));
}
+ static Ref<UnlinkedMetadataTable> empty()
+ {
+ return adoptRef(*new UnlinkedMetadataTable(Empty));
+ }
+
void unlink(MetadataTable&);
size_t sizeInBytes(MetadataTable&);
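Review bot: Neither the `UnlinkedMetadataTable(EmptyTag)` declaration in the first hunk nor the new `empty()` factory says what state the returned table is in, and a reader of this header cannot see that the tag constructor leaves `m_rawBuffer` null with `m_isFinalized` already true (that is defined in UnlinkedMetadataTableInlines.h). I would add above `empty()`: `// A finalized table that carries no metadata and owns no buffer; used when a cached table had m_hasMetadata == false.` A one-line `// see empty()` on the constructor declaration would tie the two together. The class body continues outside both hunks.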
Modified: trunk/Source/_javascript_Core/bytecode/UnlinkedMetadataTableInlines.h (246020 => 246021)
--- trunk/Source/_javascript_Core/bytecode/UnlinkedMetadataTableInlines.h 2019-06-02 03:01:56 UTC (rev 246020)
+++ trunk/Source/_javascript_Core/bytecode/UnlinkedMetadataTableInlines.h 2019-06-02 12:25:15 UTC (rev 246021)
@@ -49,6 +49,15 @@
{
}
+ALWAYS_INLINE UnlinkedMetadataTable::UnlinkedMetadataTable(EmptyTag)
+ : m_hasMetadata(false)
+ , m_isFinalized(true)
+ , m_isLinked(false)
+ , m_is32Bit(false)
+ , m_rawBuffer(nullptr)
+{
+}
+
ALWAYS_INLINE UnlinkedMetadataTable::~UnlinkedMetadataTable()
{
ASSERT(!m_isLinked);
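Review bot: The tag constructor is the first way to obtain a live `UnlinkedMetadataTable` whose `m_rawBuffer` is null, and nothing in the hunk shows that the members which touch the buffer (`unlink`, `sizeInBytes`, the destructor's free path) tolerate that; presumably they are gated on `m_hasMetadata`, but that should be confirmed before landing. I would put a comment above the constructor: `// Finalized, bufferless table for the no-metadata case; every buffer access must be guarded by m_hasMetadata.` Separately, `m_is32Bit` is pinned to false here whereas `decode` previously forwarded the cached table's `m_is32Bit`, so any consumer that inspects that flag on an empty table now sees a different value — likely harmless, but worth a line in the same comment.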
Modified: trunk/Source/_javascript_Core/runtime/CachedTypes.cpp (246020 => 246021)
--- trunk/Source/_javascript_Core/runtime/CachedTypes.cpp 2019-06-02 03:01:56 UTC (rev 246020)
+++ trunk/Source/_javascript_Core/runtime/CachedTypes.cpp 2019-06-02 12:25:15 UTC (rev 246021)
@@ -1360,6 +1360,9 @@
Ref<UnlinkedMetadataTable> decode(Decoder&) const
{
+ if (!m_hasMetadata)
+ return UnlinkedMetadataTable::empty();
+
Ref<UnlinkedMetadataTable> metadataTable = UnlinkedMetadataTable::create(m_is32Bit);
metadataTable->m_isFinalized = true;
metadataTable->m_isLinked = false;
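Review bot: The early return at the top of `decode` carries no comment linking it to the leak it fixes, so a reader sees a bufferless table returned without knowing that the path below would have allocated a buffer through `create(m_is32Bit)` and then never released it because `finalize` is not called. I would add above the `if`: `// No metadata: return a table that never allocates, since a buffer allocated by create() is only freed in finalize(), which decode does not call.` `decode(Decoder&)` continues past the hunk; if the remainder still branches on `m_hasMetadata`, that branch is now unreachable and can be dropped.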