Title: [200068] trunk/Source
Revision
200068
Author
[email protected]
Date
2016-04-25 20:22:07 -0700 (Mon, 25 Apr 2016)

Log Message

Heap corruption is detected when destructing JSGlobalObject
https://bugs.webkit.org/show_bug.cgi?id=156831

Patch by Fujii Hironori <[email protected]> on 2016-04-25
Reviewed by Mark Lam.

WebKit uses the static CRT library on Windows.  Each copy of the CRT
library has its own heap manager; allocating memory in one CRT
library and passing the pointer across a DLL boundary to be freed
by a different copy of the CRT library is a potential cause of
heap corruption.

  Potential Errors Passing CRT Objects Across DLL Boundaries
  <https://msdn.microsoft.com/en-us/library/ms235460(v=vs.140).aspx>

JSGlobalObject::createRareDataIfNeeded is inlined but
JSGlobalObject::~JSGlobalObject is not, so JSGlobalObjectRareData is
allocated on WebKit.dll's heap but deallocated on
JavaScriptCore.dll's.  Adding WTF_MAKE_FAST_ALLOCATED to
JSGlobalObjectRareData ensures its heap consistency.  WTF::Lock
also needs WTF_MAKE_FAST_ALLOCATED because it is allocated from
the inlined constructor of JSGlobalObjectRareData.

Source/JavaScriptCore:

Test: fast/dom/insertedIntoDocument-iframe.html

* runtime/JSGlobalObject.h:
Add WTF_MAKE_FAST_ALLOCATED to JSGlobalObjectRareData.

Source/WTF:

* wtf/Lock.h: Add WTF_MAKE_FAST_ALLOCATED.
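The mechanism the commit message describes, as an added example that is not WebKit's code or the patch author's: two stand-in heaps model the CRT copies statically linked into WebKit.dll and JavaScriptCore.dll, `crtNew`/`crtDelete` model what `new`/`delete` compile to inside each module, and `RareDataFixed` shows the effect of WTF_MAKE_FAST_ALLOCATED with class-scoped operator new/delete that route every instance through one shared allocator. All names, the heap bookkeeping and the cross-heap-free counter are hypothetical; WTF's real macro and fastMalloc are not reproduced.

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>
#include <utility>

// Stand-in for one statically linked CRT heap (hypothetical; not WebKit code).
// Each block is stamped with its owning heap so a free through the wrong heap
// is counted instead of silently corrupting allocator metadata as a real CRT
// heap would.
class CrtHeap {
public:
    explicit CrtHeap(const char* name) : m_name(name) {}

    void* allocate(std::size_t n) {
        void* raw = std::malloc(sizeof(Header) + n);
        if (!raw)
            throw std::bad_alloc();
        static_cast<Header*>(raw)->owner = this;
        ++m_live;
        return static_cast<char*>(raw) + sizeof(Header);
    }

    void release(void* p) {
        if (!p)
            return;
        Header* h = reinterpret_cast<Header*>(static_cast<char*>(p) - sizeof(Header));
        if (h->owner != this) {
            ++m_crossHeapFrees;   // the defect the commit fixes
            h->owner->release(p); // hand the block back so the example stays leak-free
            return;
        }
        --m_live;
        std::free(h);
    }

    int live() const { return m_live; }
    int crossHeapFrees() const { return m_crossHeapFrees; }
    const char* name() const { return m_name; }

private:
    struct alignas(std::max_align_t) Header { CrtHeap* owner; };
    const char* m_name;
    int m_live = 0;
    int m_crossHeapFrees = 0;
};

// Two modules, each with its own CRT copy, plus one shared allocator that
// stands in for WTF::fastMalloc (a single exported implementation).
CrtHeap webkitCrt("WebKit.dll CRT");
CrtHeap jscCrt("JavaScriptCore.dll CRT");
CrtHeap fastMallocHeap("WTF fastMalloc");

// What `new T` / `delete p` compile to inside a module that links its own
// CRT: that module's heap is baked into the code.
template <typename T, typename... Args>
T* crtNew(CrtHeap& crt, Args&&... args) {
    void* mem = crt.allocate(sizeof(T));
    return ::new (mem) T(std::forward<Args>(args)...);
}
template <typename T>
void crtDelete(CrtHeap& crt, T* p) {
    p->~T();
    crt.release(p);
}

// Before the fix: whichever module runs `new`/`delete` picks the heap.
struct RareDataUnfixed {
    unsigned profileGroup = 0;
};

// After the fix: class-scoped operator new/delete send every instance through
// the shared allocator no matter which module's code runs them. This is the
// effect of WTF_MAKE_FAST_ALLOCATED; the macro body is not reproduced here.
struct RareDataFixed {
    void* operator new(std::size_t n) { return fastMallocHeap.allocate(n); }
    void operator delete(void* p) { fastMallocHeap.release(p); }
    unsigned profileGroup = 0;
};

// Inlined createRareDataIfNeeded as compiled into WebKit.dll, and the
// out-of-line ~JSGlobalObject as compiled into JavaScriptCore.dll.
RareDataUnfixed* createRareDataInlinedIntoWebKit() { return crtNew<RareDataUnfixed>(webkitCrt); }
void destroyRareDataInJSC(RareDataUnfixed* p) { crtDelete(jscCrt, p); }

// The same two call sites after the fix: plain new/delete now resolve to the
// class operators, so neither module's CRT heap is involved.
RareDataFixed* createFixedRareDataInlinedIntoWebKit() { return new RareDataFixed; }
void destroyFixedRareDataInJSC(RareDataFixed* p) { delete p; }

// Each scenario returns how many cross-heap frees it caused.
int runUnfixedScenario() {
    int before = jscCrt.crossHeapFrees();
    RareDataUnfixed* rd = createRareDataInlinedIntoWebKit();
    rd->profileGroup = 1;
    destroyRareDataInJSC(rd);
    return jscCrt.crossHeapFrees() - before;
}

int totalCrossHeapFrees() {
    return webkitCrt.crossHeapFrees() + jscCrt.crossHeapFrees() + fastMallocHeap.crossHeapFrees();
}

int runFixedScenario() {
    int before = totalCrossHeapFrees();
    RareDataFixed* rd = createFixedRareDataInlinedIntoWebKit();
    rd->profileGroup = 1;
    destroyFixedRareDataInJSC(rd);
    return totalCrossHeapFrees() - before;
}

bool allHeapsBalanced() {
    return !webkitCrt.live() && !jscCrt.live() && !fastMallocHeap.live();
}
```

The same reasoning is why the Lock.h change is needed: anything the inlined JSGlobalObjectRareData constructor heap-allocates is split across the two CRT heaps in the same way unless its own class pins the allocator. On a real Windows build the debug CRT checks block ownership at the free, so it stops at the mismatched delete rather than at some later, unrelated allocation, which makes it the quickest way to confirm a suspected cross-DLL free.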

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (200067 => 200068)


--- trunk/Source/_javascript_Core/ChangeLog	2016-04-26 01:00:17 UTC (rev 200067)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-04-26 03:22:07 UTC (rev 200068)
@@ -1,3 +1,32 @@
+2016-04-25  Fujii Hironori  <[email protected]>
+
+        Heap corruption is detected when destructing JSGlobalObject
+        https://bugs.webkit.org/show_bug.cgi?id=156831
+
+        Reviewed by Mark Lam.
+
+        WebKit uses CRT static library on Windows.  Each copy of the CRT
+        library has its own heap manager, allocating memory in one CRT
+        library and passing the pointer across a DLL boundary to be freed
+        by a different copy of the CRT library is a potential cause for
+        heap corruption.
+
+          Potential Errors Passing CRT Objects Across DLL Boundaries
+          <https://msdn.microsoft.com/en-us/library/ms235460(v=vs.140).aspx>
+
+        JSGlobalObject::createRareDataIfNeeded is inlined but
+        JSGlobalObject::~JSGlobalObject is not.  Then, the heap of
+        allocating JSGlobalObjectRareData is WebKit.dll, but deallocating
+        _javascript_Core.dll.  Adding WTF_MAKE_FAST_ALLOCATED to
+        JSGlobalObjectRareData ensures heap consistency of it.  WTF::Lock
+        also needs WTF_MAKE_FAST_ALLOCATED because it is allocated from
+        the inlined constructor of JSGlobalObjectRareData.
+
+        Test: fast/dom/insertedIntoDocument-iframe.html
+
+        * runtime/JSGlobalObject.h:
+        Add WTF_MAKE_FAST_ALLOCATED to JSGlobalObjectRareData.
+
 2016-04-25  Michael Saboff  <[email protected]>
 
         Crash using @tryGetById in DFG
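Review bot: the sentence "Then, the heap of allocating JSGlobalObjectRareData is WebKit.dll, but deallocating _javascript_Core.dll." in this ChangeLog entry is hard to parse and will be read by the next person who hits a Windows heap crash; rewording it as "so JSGlobalObjectRareData is allocated on WebKit.dll's heap but freed on JavaScriptCore.dll's" states the cause plainly. It would also help to record that the root cause is the per-DLL static CRT named in the first paragraph, since WTF_MAKE_FAST_ALLOCATED treats one class at a time and the same pattern (inline allocation in one DLL, out-of-line free in another) can recur with any other type that crosses this boundary.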

Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.h (200067 => 200068)


--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.h	2016-04-26 01:00:17 UTC (rev 200067)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.h	2016-04-26 03:22:07 UTC (rev 200068)
@@ -184,6 +184,8 @@
     typedef HashMap<OpaqueJSClass*, std::unique_ptr<OpaqueJSClassContextData>> OpaqueJSClassDataMap;
 
     struct JSGlobalObjectRareData {
+        WTF_MAKE_FAST_ALLOCATED;
+    public:
         JSGlobalObjectRareData()
             : profileGroup(0)
         {
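Review bot: the `public:` added right after `WTF_MAKE_FAST_ALLOCATED;` is doing real work, since the struct's members were public by default and the macro evidently leaves the access level changed, so without it the constructor and everything after it would become private; a short comment on that line would stop a future tidy-up from deleting it. Also note the macro covers only the JSGlobalObjectRareData object itself: any member the inline constructor heap-allocates (the commit message names WTF::Lock) needs the same treatment, so this hunk is only complete together with the Lock.h change, and any further heap-allocated member added to this struct later will need the same check.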

Modified: trunk/Source/WTF/ChangeLog (200067 => 200068)


--- trunk/Source/WTF/ChangeLog	2016-04-26 01:00:17 UTC (rev 200067)
+++ trunk/Source/WTF/ChangeLog	2016-04-26 03:22:07 UTC (rev 200068)
@@ -1,3 +1,29 @@
+2016-04-25  Fujii Hironori  <[email protected]>
+
+        Heap corruption is detected when destructing JSGlobalObject
+        https://bugs.webkit.org/show_bug.cgi?id=156831
+
+        Reviewed by Mark Lam.
+
+        WebKit uses CRT static library on Windows.  Each copy of the CRT
+        library has its own heap manager, allocating memory in one CRT
+        library and passing the pointer across a DLL boundary to be freed
+        by a different copy of the CRT library is a potential cause for
+        heap corruption.
+
+          Potential Errors Passing CRT Objects Across DLL Boundaries
+          <https://msdn.microsoft.com/en-us/library/ms235460(v=vs.140).aspx>
+
+        JSGlobalObject::createRareDataIfNeeded is inlined but
+        JSGlobalObject::~JSGlobalObject is not.  Then, the heap of
+        allocating JSGlobalObjectRareData is WebKit.dll, but deallocating
+        _javascript_Core.dll.  Adding WTF_MAKE_FAST_ALLOCATED to
+        JSGlobalObjectRareData ensures heap consistency of it.  WTF::Lock
+        also needs WTF_MAKE_FAST_ALLOCATED because it is allocated from
+        the inlined constructor of JSGlobalObjectRareData.
+
+        * wtf/Lock.h: Add WTF_MAKE_FAST_ALLOCATED.
+
 2016-04-21  Saam barati  <[email protected]>
 
         Lets do less locking of symbol tables in the BytecodeGenerator where we don't have race conditions

Modified: trunk/Source/WTF/wtf/Lock.h (200067 => 200068)


--- trunk/Source/WTF/wtf/Lock.h	2016-04-26 01:00:17 UTC (rev 200067)
+++ trunk/Source/WTF/wtf/Lock.h	2016-04-26 03:22:07 UTC (rev 200068)
@@ -113,6 +113,7 @@
 
 class Lock : public LockBase {
     WTF_MAKE_NONCOPYABLE(Lock);
+    WTF_MAKE_FAST_ALLOCATED;
 public:
     Lock()
     {
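Review bot: Lock is normally embedded by value, so this change only affects Locks created with `new`, which per the commit message is the single case of a Lock allocated from the inlined JSGlobalObjectRareData constructor; a one-line comment would help, because WTF_MAKE_FAST_ALLOCATED looks out of place on a lock type and is liable to be removed. It is also worth asking whether JSGlobalObjectRareData could hold its Lock by value instead, which would remove that cross-DLL allocation altogether and make this WTF change unnecessary.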
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes