Skip to site navigation (Press enter)

[webkit-changes] [272430] trunk/Source/JavaScriptCore

ysuzuki Fri, 05 Feb 2021 11:09:21 -0800

Title: [272430] trunk/Source/_javascript_Core

Revision: 272430
Author: [email protected]
Date: 2021-02-05 11:08:35 -0800 (Fri, 05 Feb 2021)

Log Message

Unreviewed, follow-up change after r272428
https://bugs.webkit.org/show_bug.cgi?id=221454


isPropertyNameExcluded can invoke GC etc. Structure::forEachProperty can miss PropertyTable and Structure
reference when it is highly optimized, so that it can crash if GC happens in the middle of Structure::forEachProperty.

1. Insert ensureStillAliveHere in Structure::forEachProperty to ensure liveness of PropertyTable
2. We should not perform side-effectful operation including GC in Structure::forEachProperty. So we moved isPropertyNameExcluded.

* runtime/StructureInlines.h:
(JSC::Structure::forEachProperty):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/runtime/StructureInlines.h

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (272429 => 272430)


--- trunk/Source/_javascript_Core/ChangeLog	2021-02-05 18:59:01 UTC (rev 272429)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-02-05 19:08:35 UTC (rev 272430)
@@ -1,5 +1,19 @@
 2021-02-05  Yusuke Suzuki  <[email protected]>
 
+        Unreviewed, follow-up change after r272428
+        https://bugs.webkit.org/show_bug.cgi?id=221454
+
+        isPropertyNameExcluded can invoke GC etc. Structure::forEachProperty can miss PropertyTable and Structure
+        reference when it is highly optimized, so that it can crash if GC happens in the middle of Structure::forEachProperty.
+
+        1. Insert ensureStillAliveHere in Structure::forEachProperty to ensure liveness of PropertyTable
+        2. We should not perform side-effectful operation including GC in Structure::forEachProperty. So we moved isPropertyNameExcluded.
+
+        * runtime/StructureInlines.h:
+        (JSC::Structure::forEachProperty):
+
+2021-02-05  Yusuke Suzuki  <[email protected]>
+
         [JSC] globalFuncCopyDataProperties should not perform GC-sensitive operation in the middle of Structure::forEachProperty
         https://bugs.webkit.org/show_bug.cgi?id=221454

Modified: trunk/Source/_javascript_Core/runtime/StructureInlines.h (272429 => 272430)


--- trunk/Source/_javascript_Core/runtime/StructureInlines.h	2021-02-05 18:59:01 UTC (rev 272429)
+++ trunk/Source/_javascript_Core/runtime/StructureInlines.h	2021-02-05 19:08:35 UTC (rev 272430)
@@ -216,6 +216,7 @@
             if (!functor(entry))
                 return;
         }
+        ensureStillAliveHere(table);
     }
 }

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes