Title: [249915] trunk/Source/_javascript_Core
Revision: 249915
Author: tzaga...@apple.com
Date: 2019-09-16 13:48:37 -0700 (Mon, 16 Sep 2019)

Log Message

SamplingProfiler should hold API lock before reporting results
https://bugs.webkit.org/show_bug.cgi?id=201829

Reviewed by Yusuke Suzuki.

Right now, the SamplingProfiler crashes in debug builds when trying to
report results if it finds a JSFunction on the stack that doesn't have
RareData. It tries to allocate the function's rare data when we call
getOwnPropertySlot in order to get the function's name, but that fails
because we are not holding the VM's API lock. We fix it by just holding
the lock before reporting the results.

* runtime/SamplingProfiler.cpp:
(JSC::SamplingProfiler::reportDataToOptionFile):
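The invariant behind this bug (heap allocation, here a JSFunction's lazily created rare data, requires the calling thread to hold the VM's API lock, and the RAII JSLockHolder is how a reporting path takes it) modelled as an added C++ example; this is not WebKit code, and `VM`, `JSLockHolder`, `JSFunction` and `ensureRareData` are simplified stand-ins for the real JSC types, with the debug-build assertion turned into a boolean result so the unlocked and locked reporting paths can be compared.

```cpp
// Added illustration, not WebKit code: models the invariant behind the fix. Paths that
// may allocate on the JSC heap (here, a JSFunction's lazily created rare data) require
// the calling thread to hold the VM's API lock; JSLockHolder is the RAII guard.
#include <memory>
#include <string>
#include <thread>

struct VM {
    std::thread::id owner{};   // thread currently holding the API lock
    unsigned lockCount = 0;    // recursive: the owning thread may re-enter
    bool currentThreadIsHoldingAPILock() const {
        return lockCount > 0 && owner == std::this_thread::get_id();
    }
};

// Model of JSLockHolder: holds the API lock for the enclosing scope.
class JSLockHolder {
public:
    explicit JSLockHolder(VM& vm) : m_vm(vm) {
        // The real JSLock blocks while another thread owns it; this model is single-threaded.
        m_vm.owner = std::this_thread::get_id();
        ++m_vm.lockCount;
    }
    ~JSLockHolder() { if (--m_vm.lockCount == 0) m_vm.owner = std::thread::id(); }
private:
    VM& m_vm;
};

struct FunctionRareData { std::string name; };

struct JSFunction {
    std::unique_ptr<FunctionRareData> rareData;   // allocated lazily, on first name lookup
    bool ensureRareData(VM& vm) {
        if (!vm.currentThreadIsHoldingAPILock())
            return false;   // stands in for the assertion a debug build would hit here
        if (!rareData)
            rareData = std::make_unique<FunctionRareData>(FunctionRareData{"anonymous"});
        return true;
    }
};

// The 'before' shape of the report path: touches the function's name without the lock.
bool reportWithoutLock(VM& vm, JSFunction& f) { return f.ensureRareData(vm); }

// The fixed shape: the holder keeps the lock for the whole report and releases it after.
bool reportWithLock(VM& vm, JSFunction& f) {
    JSLockHolder holder(vm);
    return f.ensureRareData(vm);
}
```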

Modified Paths

* trunk/Source/_javascript_Core/ChangeLog
* trunk/Source/_javascript_Core/runtime/SamplingProfiler.cpp
Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (249914 => 249915)


--- trunk/Source/_javascript_Core/ChangeLog	2019-09-16 20:29:43 UTC (rev 249914)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-09-16 20:48:37 UTC (rev 249915)
@@ -1,3 +1,20 @@
+2019-09-16  Tadeu Zagallo  <tzaga...@apple.com>
+
+        SamplingProfiler should hold API lock before reporting results
+        https://bugs.webkit.org/show_bug.cgi?id=201829
+
+        Reviewed by Yusuke Suzuki.
+
+        Right now, the SamplingProfiler crashes in debug builds when trying
+        report results if it finds a JSFunction on the stack that doesn't have
+        RareData. It tries to allocate the function's rare data when we call
+        getOwnPropertySlot in order to get the function's name, but that fails
+        because we are not holding the VM's API lock. We fix it by just holding
+        the lock before reporting the results.
+
+        * runtime/SamplingProfiler.cpp:
+        (JSC::SamplingProfiler::reportDataToOptionFile):
+
 2019-09-16  David Kilzer  <ddkil...@apple.com>
 
         [JSC] REGRESSION (r248938): Leak of uint32_t arrays in testFastForwardCopy32()
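Review bot: the new ChangeLog entry in this hunk is missing a word in its second sentence, `crashes in debug builds when trying` / `report results` should read `trying to report results`; worth fixing before landing since the same text becomes the commit message.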

Modified: trunk/Source/_javascript_Core/runtime/SamplingProfiler.cpp (249914 => 249915)


--- trunk/Source/_javascript_Core/runtime/SamplingProfiler.cpp	2019-09-16 20:29:43 UTC (rev 249914)
+++ trunk/Source/_javascript_Core/runtime/SamplingProfiler.cpp	2019-09-16 20:48:37 UTC (rev 249915)
@@ -1026,6 +1026,7 @@
 {
     if (m_needsReportAtExit) {
         m_needsReportAtExit = false;
+        JSLockHolder holder(m_vm);
         const char* path = Options::samplingProfilerPath();
         StringPrintStream pathOut;
         pathOut.print(path, "/");
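Review bot: `JSLockHolder holder(m_vm);` is correctly scoped to the `if (m_needsReportAtExit)` block, so the API lock is released as soon as reporting finishes, and because JSLock is re-entrant a caller that already holds the lock will not deadlock here; but nothing at this call site says why the lock is needed, so add a one-line comment above the holder (e.g. `// Reporting may allocate, e.g. a JSFunction's rare data during name lookup.`) so the line is not later removed as apparently redundant. The lock is also taken before `Options::samplingProfilerPath()` and the path formatting, which do not need it; that is harmless on an at-exit path, but the holder could sit just before the code that walks the recorded stack traces if the intent is to keep the locked region minimal.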
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
