Title: [262392] trunk
- Revision
- 262392
- Author
- ysuz...@apple.com
- Date
- 2020-06-01 13:27:12 -0700 (Mon, 01 Jun 2020)
Log Message
[JSC] JSBigInt::rightTrim can miss |this| pointer and leads to incorrect GC collection
https://bugs.webkit.org/show_bug.cgi?id=212601
Reviewed by Saam Barati.
JSTests:
* stress/bigint-should-not-be-collected-while-creating.js: Added.
(foo.let.increment.10000n.bar):
(foo):
Source/_javascript_Core:
This is a pretty rare case. But at some optimization levels, JSBigInt::rightTrim could store the |this| + offset pointer on the stack instead of |this|
and make the conservative GC think that the |this| JSBigInt is unreachable. We put ensureStillAliveHere(this) there to ensure that this stays alive.
* runtime/JSBigInt.cpp:
(JSC::JSBigInt::rightTrim):
Diff
Modified: trunk/JSTests/ChangeLog (262391 => 262392)
--- trunk/JSTests/ChangeLog 2020-06-01 20:05:15 UTC (rev 262391)
+++ trunk/JSTests/ChangeLog 2020-06-01 20:27:12 UTC (rev 262392)
@@ -1,5 +1,16 @@
2020-06-01 Yusuke Suzuki <ysuz...@apple.com>
+ [JSC] JSBigInt::rightTrim can miss |this| pointer and leads to incorrect GC collection
+ https://bugs.webkit.org/show_bug.cgi?id=212601
+
+ Reviewed by Saam Barati.
+
+ * stress/bigint-should-not-be-collected-while-creating.js: Added.
+ (foo.let.increment.10000n.bar):
+ (foo):
+
+2020-06-01 Yusuke Suzuki <ysuz...@apple.com>
+
[JSC] JSValue::toThis should not throw exception
https://bugs.webkit.org/show_bug.cgi?id=212595
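Review bot: the function list in this entry, "(foo.let.increment.10000n.bar):", is prepare-ChangeLog's mechanical guess at the nested closure and reads as if `10000n` were a scope; "(foo):" and "(bar):" would describe the test more accurately. The title also has a number-agreement slip ("can miss ... and leads to"), which should be "can miss ... and lead to" in both ChangeLogs.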
Added: trunk/JSTests/stress/bigint-should-not-be-collected-while-creating.js (0 => 262392)
--- trunk/JSTests/stress/bigint-should-not-be-collected-while-creating.js (rev 0)
+++ trunk/JSTests/stress/bigint-should-not-be-collected-while-creating.js 2020-06-01 20:27:12 UTC (rev 262392)
@@ -0,0 +1,17 @@
+//@ runDefault("--collectContinuously=1")
+function foo(a0) {
+ if (a0 == 0) {
+ return
+ }
+
+ let increment = 10000n
+
+ function bar() {
+ for (let i = 0n; i < 3000000000n; i = i + increment);
+ }
+
+ bar();
+}
+
+foo(0);
+foo(1);
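Review bot: the test has no assertion and no comment saying what failure it reproduces, so a reader only learns from the ChangeLog that the expected symptom is a crash or corrupted BigInt when a mid-rightTrim collection frees `this`; a one-line comment above `foo` stating that, and that `--collectContinuously=1` is what makes the window observable, would keep the test meaningful if the ChangeLog is lost. The purpose of the `foo(0)` warm-up call before `foo(1)` is also worth a comment, since it returns immediately and otherwise looks redundant. Minor style: `return` and `let increment = 10000n` omit the trailing semicolon while the other statements keep it.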
Modified: trunk/Source/_javascript_Core/ChangeLog (262391 => 262392)
--- trunk/Source/_javascript_Core/ChangeLog 2020-06-01 20:05:15 UTC (rev 262391)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-06-01 20:27:12 UTC (rev 262392)
@@ -1,3 +1,16 @@
+2020-06-01 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] JSBigInt::rightTrim can miss |this| pointer and leads to incorrect GC collection
+ https://bugs.webkit.org/show_bug.cgi?id=212601
+
+ Reviewed by Saam Barati.
+
+ This is pretty rare case. But in some optimization level, JSBigInt::rightTrim could store |this| + offset pointer into the stack instead of |this|
+ and make conservative GC think that |this| JSBigInt is unreachable. We put ensureStillAliveHere(this) to ensure that this is alive.
+
+ * runtime/JSBigInt.cpp:
+ (JSC::JSBigInt::rightTrim):
+
2020-06-01 Mark Lam <mark....@apple.com>
x86.rb's LabelReference.x86LoadOperand()'s address operand should be a pointer type.
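Review bot: the explanation names the mechanism (a derived |this| + offset pointer left on the stack) but not which build or optimization level produced it, nor why the conservative scan does not recover `this` from that derived pointer; a sentence on each would let future readers judge whether other JSBigInt methods that allocate while computing pointers relative to `this` need the same `ensureStillAliveHere` treatment rather than fixing only rightTrim. Grammar: "This is pretty rare case" should read "This is a pretty rare case", and "in some optimization level" should be "at some optimization levels".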
Modified: trunk/Source/_javascript_Core/runtime/JSBigInt.cpp (262391 => 262392)
--- trunk/Source/_javascript_Core/runtime/JSBigInt.cpp 2020-06-01 20:05:15 UTC (rev 262391)
+++ trunk/Source/_javascript_Core/runtime/JSBigInt.cpp 2020-06-01 20:27:12 UTC (rev 262392)
@@ -2320,6 +2320,8 @@
trimmedBigInt->setSign(this->sign());
+ ensureStillAliveHere(this);
+
return trimmedBigInt;
}
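Review bot: the placement is right, since `ensureStillAliveHere(this)` sits after the last real use (`this->sign()`) and so extends the live range of `this` across the allocation and copy that precede it, but as written the call looks like dead code that a later cleanup could remove; a short comment next to it explaining that the compiler may otherwise keep only a |this| + offset pointer on the stack, which the conservative GC does not treat as a reference to this cell, would protect the fix. The hunk shows only the epilogue of rightTrim, so it is not visible whether `this` is still read after the allocation site earlier in the function; if it is not, the `ensureStillAliveHere` is the only thing keeping it alive and the comment matters even more.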