Title: [199496] trunk/Source/_javascript_Core
- Revision
- 199496
- Author
- [email protected]
- Date
- 2016-04-13 09:10:13 -0700 (Wed, 13 Apr 2016)
Log Message
ShadowChicken::visitChildren() should not visit tailMarkers and throwMarkers.
https://bugs.webkit.org/show_bug.cgi?id=156532
Reviewed by Saam Barati and Filip Pizlo.
ShadowChicken can store tailMarkers and throwMarkers in its log, specifically in
the callee field of a log packet. However, ShadowChicken::visitChildren()
unconditionally visits the callee field of each packet as if they are real
objects. If visitChildren() encounters one of these markers in the log, we get a
crash.
This crash was observed in the v8-v6/v8-regexp.js stress test running with shadow
chicken when r199393 landed. r199393 introduced tail calls to a RegExp split
fast path, and the v8-regexp.js test exercised this fast path a lot. Throw in
some timely GCs, and we get a crash party.
The fix is to have ShadowChicken::visitChildren() filter out the tailMarker and
throwMarker.
Alternatively, if perf is an issue, we can allocate 2 dedicated objects for
these markers so that ShadowChicken can continue to visit them. For now, I'm
going with the filter.
* interpreter/ShadowChicken.cpp:
(JSC::ShadowChicken::visitChildren):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (199495 => 199496)
--- trunk/Source/_javascript_Core/ChangeLog 2016-04-13 15:53:55 UTC (rev 199495)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-04-13 16:10:13 UTC (rev 199496)
@@ -1,3 +1,31 @@
+2016-04-13 Mark Lam <[email protected]>
+
+ ShadowChicken::visitChildren() should not visit tailMarkers and throwMarkers.
+ https://bugs.webkit.org/show_bug.cgi?id=156532
+
+ Reviewed by Saam Barati and Filip Pizlo.
+
+ ShadowChicken can store tailMarkers and throwMarkers in its log, specifically in
+ the callee field of a log packet. However, ShadowChicken::visitChildren()
+ unconditionally visits the callee field of each packet as if they are real
+ objects. If visitChildren() encounters one of these markers in the log, we get a
+ crash.
+
+ This crash was observed in the v8-v6/v8-regexp.js stress test running with shadow
+ chicken when r199393 landed. r199393 introduced tail calls to a RegExp split
+ fast path, and the v8-regexp.js test exercised this fast path a lot. Throw in
+ some timely GCs, and we get a crash party.
+
+ The fix is to have ShadowChicken::visitChildren() filter out the tailMarker and
+ throwMarker.
+
+ Alternatively, if perf is an issue, we can allocate 2 dedicated objects for
+ these markers so that ShadowChicken can continue to visit them. For now, I'm
+ going with the filter.
+
+ * interpreter/ShadowChicken.cpp:
+ (JSC::ShadowChicken::visitChildren):
+
2016-04-13 Yusuke Suzuki <[email protected]>
[ES6] Add @@toStringTag to GeneratorFunction
Modified: trunk/Source/_javascript_Core/interpreter/ShadowChicken.cpp (199495 => 199496)
--- trunk/Source/_javascript_Core/interpreter/ShadowChicken.cpp 2016-04-13 15:53:55 UTC (rev 199495)
+++ trunk/Source/_javascript_Core/interpreter/ShadowChicken.cpp 2016-04-13 16:10:13 UTC (rev 199496)
@@ -354,8 +354,11 @@
void ShadowChicken::visitChildren(SlotVisitor& visitor)
{
- for (unsigned i = m_logCursor - m_log; i--;)
- visitor.appendUnbarrieredReadOnlyPointer(m_log[i].callee);
+ for (unsigned i = m_logCursor - m_log; i--;) {
+ JSObject* callee = m_log[i].callee;
+ if (callee != Packet::tailMarker() && callee != Packet::throwMarker())
+ visitor.appendUnbarrieredReadOnlyPointer(callee);
+ }
for (Frame& frame : m_stack)
visitor.appendUnbarrieredReadOnlyPointer(frame.callee);
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
