144067 2015-04-22 12:38:04 -0700 SparseArrayEntry's write barrier owner should be the SparseArrayValueMap. 2015-04-22 13:47:28 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 mark.lam mark.lam basile_clement benjamin fpizlo ggaren mhahnenb mmirman msaboff saam webkit-bug-importer oldest_to_newest 1087531 0 mark.lam 2015-04-22 12:38:04 -0700 Currently, there are a few places where the JSObject that owns the SparseArrayValueMap is designated as the owner of the SparseArrayEntry write barrier. This is a bug and can result in the GC collecting the SparseArrayEntry even though it is being referenced by the SparseArrayValueMap. 1087533 1 mark.lam 2015-04-22 12:39:52 -0700 <rdar://problem/20477499> 1087556 2 251362 mark.lam 2015-04-22 13:16:23 -0700 Created attachment 251362 the patch. 1087560 3 mark.lam 2015-04-22 13:23:30 -0700 For the record, I made SparseArrayEntry privately inherit WriteBarrier<Unknown> and created differently named setter functions which wraps the WriteBarrier ones, and then did a build to let Clang tell me of every place where SparseArrayEntry::set() is used. That is how I know I've covered all explicit calls to SparseArrayEntry::set(). I also searched for "set(" in JSObject.h/cpp, JSArray.h/cpp, and SparseArrayValueMap.h/cpp, and audited them visually. 1087566 4 251362 msaboff 2015-04-22 13:41:04 -0700 Comment on attachment 251362 the patch. r=me 1087573 5 mark.lam 2015-04-22 13:47:28 -0700 Thanks for the review. Per Michael's offline suggestion, I added a comment to the new test to indicate that it should not crash if the bug is fixed. Landed in r183128: <http://trac.webkit.org/r183128>. 251362 2015-04-22 13:16:23 -0700 2015-04-22 13:41:04 -0700 the patch. bug-144067.patch text/plain 5674 mark.lam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTgzMTI0KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDIzIEBA CisyMDE1LTA0LTIyICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4KKworICAgICAgICBT cGFyc2VBcnJheUVudHJ5J3Mgd3JpdGUgYmFycmllciBvd25lciBzaG91bGQgYmUgdGhlIFNwYXJz ZUFycmF5VmFsdWVNYXAuCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVn LmNnaT9pZD0xNDQwNjcKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKwor ICAgICAgICBDdXJyZW50bHksIHRoZXJlIGFyZSBhIGZldyBwbGFjZXMgd2hlcmUgdGhlIEpTT2Jq ZWN0IHRoYXQgb3ducyB0aGUKKyAgICAgICAgU3BhcnNlQXJyYXlWYWx1ZU1hcCBpcyBkZXNpZ25h dGVkIGFzIHRoZSBvd25lciBvZiB0aGUgU3BhcnNlQXJyYXlFbnRyeQorICAgICAgICB3cml0ZSBi YXJyaWVyLiAgVGhpcyBpcyBhIGJ1ZyBhbmQgY2FuIHJlc3VsdCBpbiB0aGUgR0MgY29sbGVjdGlu ZyB0aGUKKyAgICAgICAgU3BhcnNlQXJyYXlFbnRyeSBldmVuIHRob3VnaCBpdCBpcyBiZWluZyBy ZWZlcmVuY2VkIGJ5IHRoZQorICAgICAgICBTcGFyc2VBcnJheVZhbHVlTWFwLiAgVGhpcyBwYXRj aCBmaXhlcyB0aGUgYnVnLgorCisgICAgICAgICogcnVudGltZS9KU09iamVjdC5jcHA6CisgICAg ICAgIChKU0M6OkpTT2JqZWN0OjplbnRlckRpY3Rpb25hcnlJbmRleGluZ01vZGVXaGVuQXJyYXlT dG9yYWdlQWxyZWFkeUV4aXN0cyk6CisgICAgICAgIChKU0M6OkpTT2JqZWN0OjpwdXRJbmRleGVk RGVzY3JpcHRvcik6CisgICAgICAgICogdGVzdHMvc3RyZXNzL3NwYXJzZS1hcnJheS1lbnRyeS11 cGRhdGUtMTQ0MDY3LmpzOiBBZGRlZC4KKyAgICAgICAgKHVzZU1lbW9yeVRvVHJpZ2dlckdDcyk6 CisgICAgICAgIChmb28pOgorCiAyMDE1LTA0LTIyICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxl LmNvbT4KIAogICAgICAgICBHaXZlIHRoZSBoZWFwIG9iamVjdCBpdGVyYXRvcnMgdGhlIGFiaWxp dHkgdG8gcmV0dXJuIGVhcmx5LgpJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL3J1bnRpbWUv SlNPYmplY3QuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9ydW50aW1l L0pTT2JqZWN0LmNwcAkocmV2aXNpb24gMTgzMDc4KQorKysgU291cmNlL0phdmFTY3JpcHRDb3Jl L3J1bnRpbWUvSlNPYmplY3QuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC01ODQsNyArNTg0LDcgQEAg QXJyYXlTdG9yYWdlKiBKU09iamVjdDo6ZW50ZXJEaWN0aW9uYXJ5SQogICAgICAgICAvLyBUaGlz IHdpbGwgYWx3YXlzIGJlIGEgbmV3IGVudHJ5IGluIHRoZSBtYXAsIHNvIG5vIG5lZWQgdG8gY2hl Y2sgd2UgY2FuIHdyaXRlLAogICAgICAgICAvLyBhbmQgYXR0cmlidXRlcyBhcmUgZGVmYXVsdCBz byBubyBuZWVkIHRvIHNldCB0aGVtLgogICAgICAgICBpZiAodmFsdWUpCi0gICAgICAgICAgICBt YXAtPmFkZCh0aGlzLCBpKS5pdGVyYXRvci0+dmFsdWUuc2V0KHZtLCB0aGlzLCB2YWx1ZSk7Cisg ICAgICAgICAgICBtYXAtPmFkZCh0aGlzLCBpKS5pdGVyYXRvci0+dmFsdWUuc2V0KHZtLCBtYXAs IHZhbHVlKTsKICAgICB9CiAKICAgICBEZWZlckdDIGRlZmVyR0Modm0uaGVhcCk7CkBAIC0xNzE3 LDEyICsxNzE3LDEzIEBAIE5FVkVSX0lOTElORSB2b2lkIEpTT2JqZWN0OjpmaWxsR2V0dGVyUHIK IHZvaWQgSlNPYmplY3Q6OnB1dEluZGV4ZWREZXNjcmlwdG9yKEV4ZWNTdGF0ZSogZXhlYywgU3Bh cnNlQXJyYXlFbnRyeSogZW50cnlJbk1hcCwgY29uc3QgUHJvcGVydHlEZXNjcmlwdG9yJiBkZXNj cmlwdG9yLCBQcm9wZXJ0eURlc2NyaXB0b3ImIG9sZERlc2NyaXB0b3IpCiB7CiAgICAgVk0mIHZt ID0gZXhlYy0+dm0oKTsKKyAgICBhdXRvIG1hcCA9IG1fYnV0dGVyZmx5LT5hcnJheVN0b3JhZ2Uo KS0+bV9zcGFyc2VNYXAuZ2V0KCk7CiAKICAgICBpZiAoZGVzY3JpcHRvci5pc0RhdGFEZXNjcmlw dG9yKCkpIHsKICAgICAgICAgaWYgKGRlc2NyaXB0b3IudmFsdWUoKSkKLSAgICAgICAgICAgIGVu dHJ5SW5NYXAtPnNldCh2bSwgdGhpcywgZGVzY3JpcHRvci52YWx1ZSgpKTsKKyAgICAgICAgICAg IGVudHJ5SW5NYXAtPnNldCh2bSwgbWFwLCBkZXNjcmlwdG9yLnZhbHVlKCkpOwogICAgICAgICBl bHNlIGlmIChvbGREZXNjcmlwdG9yLmlzQWNjZXNzb3JEZXNjcmlwdG9yKCkpCi0gICAgICAgICAg ICBlbnRyeUluTWFwLT5zZXQodm0sIHRoaXMsIGpzVW5kZWZpbmVkKCkpOworICAgICAgICAgICAg ZW50cnlJbk1hcC0+c2V0KHZtLCBtYXAsIGpzVW5kZWZpbmVkKCkpOwogICAgICAgICBlbnRyeUlu TWFwLT5hdHRyaWJ1dGVzID0gZGVzY3JpcHRvci5hdHRyaWJ1dGVzT3ZlcnJpZGluZ0N1cnJlbnQo b2xkRGVzY3JpcHRvcikgJiB+QWNjZXNzb3I7CiAgICAgICAgIHJldHVybjsKICAgICB9CkBAIC0x NzQ1LDcgKzE3NDYsNyBAQCB2b2lkIEpTT2JqZWN0OjpwdXRJbmRleGVkRGVzY3JpcHRvcihFeGVj CiAgICAgICAgIGlmIChzZXR0ZXIpCiAgICAgICAgICAgICBhY2Nlc3Nvci0+c2V0U2V0dGVyKHZt LCBleGVjLT5sZXhpY2FsR2xvYmFsT2JqZWN0KCksIHNldHRlcik7CiAKLSAgICAgICAgZW50cnlJ bk1hcC0+c2V0KHZtLCB0aGlzLCBhY2Nlc3Nvcik7CisgICAgICAgIGVudHJ5SW5NYXAtPnNldCh2 bSwgbWFwLCBhY2Nlc3Nvcik7CiAgICAgICAgIGVudHJ5SW5NYXAtPmF0dHJpYnV0ZXMgPSBkZXNj cmlwdG9yLmF0dHJpYnV0ZXNPdmVycmlkaW5nQ3VycmVudChvbGREZXNjcmlwdG9yKSAmIH5SZWFk T25seTsKICAgICAgICAgcmV0dXJuOwogICAgIH0KSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29y ZS90ZXN0cy9zdHJlc3Mvc3BhcnNlLWFycmF5LWVudHJ5LXVwZGF0ZS0xNDQwNjcuanMKPT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL3Rlc3RzL3N0cmVzcy9zcGFyc2UtYXJyYXkt ZW50cnktdXBkYXRlLTE0NDA2Ny5qcwkocmV2aXNpb24gMCkKKysrIFNvdXJjZS9KYXZhU2NyaXB0 Q29yZS90ZXN0cy9zdHJlc3Mvc3BhcnNlLWFycmF5LWVudHJ5LXVwZGF0ZS0xNDQwNjcuanMJKHdv cmtpbmcgY29weSkKQEAgLTAsMCArMSw1NSBAQAorLyoKKyAqIENvcHlyaWdodCAoQykgMjAxNSBB cHBsZSBJbmMuIEFsbCByaWdodHMgcmVzZXJ2ZWQuCisgKgorICogUmVkaXN0cmlidXRpb24gYW5k IHVzZSBpbiBzb3VyY2UgYW5kIGJpbmFyeSBmb3Jtcywgd2l0aCBvciB3aXRob3V0CisgKiBtb2Rp ZmljYXRpb24sIGFyZSBwZXJtaXR0ZWQgcHJvdmlkZWQgdGhhdCB0aGUgZm9sbG93aW5nIGNvbmRp dGlvbnMKKyAqIGFyZSBtZXQ6CisgKiAxLiBSZWRpc3RyaWJ1dGlvbnMgb2Ygc291cmNlIGNvZGUg bXVzdCByZXRhaW4gdGhlIGFib3ZlIGNvcHlyaWdodAorICogICAgbm90aWNlLCB0aGlzIGxpc3Qg b2YgY29uZGl0aW9ucyBhbmQgdGhlIGZvbGxvd2luZyBkaXNjbGFpbWVyLgorICogMi4gUmVkaXN0 cmlidXRpb25zIGluIGJpbmFyeSBmb3JtIG11c3QgcmVwcm9kdWNlIHRoZSBhYm92ZSBjb3B5cmln aHQKKyAqICAgIG5vdGljZSwgdGhpcyBsaXN0IG9mIGNvbmRpdGlvbnMgYW5kIHRoZSBmb2xsb3dp bmcgZGlzY2xhaW1lciBpbiB0aGUKKyAqICAgIGRvY3VtZW50YXRpb24gYW5kL29yIG90aGVyIG1h dGVyaWFscyBwcm92aWRlZCB3aXRoIHRoZSBkaXN0cmlidXRpb24uCisgKgorICogVEhJUyBTT0ZU V0FSRSBJUyBQUk9WSURFRCBCWSBBUFBMRSBJTkMuIGBgQVMgSVMnJyBBTkQgQU5ZCisgKiBFWFBS RVNTIE9SIElNUExJRUQgV0FSUkFOVElFUywgSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8s IFRIRQorICogSU1QTElFRCBXQVJSQU5USUVTIE9GIE1FUkNIQU5UQUJJTElUWSBBTkQgRklUTkVT UyBGT1IgQSBQQVJUSUNVTEFSCisgKiBQVVJQT1NFIEFSRSBESVNDTEFJTUVELiAgSU4gTk8gRVZF TlQgU0hBTEwgQVBQTEUgSU5DLiBPUgorICogQ09OVFJJQlVUT1JTIEJFIExJQUJMRSBGT1IgQU5Z IERJUkVDVCwgSU5ESVJFQ1QsIElOQ0lERU5UQUwsIFNQRUNJQUwsCisgKiBFWEVNUExBUlksIE9S IENPTlNFUVVFTlRJQUwgREFNQUdFUyAoSU5DTFVESU5HLCBCVVQgTk9UIExJTUlURUQgVE8sCisg KiBQUk9DVVJFTUVOVCBPRiBTVUJTVElUVVRFIEdPT0RTIE9SIFNFUlZJQ0VTOyBMT1NTIE9GIFVT RSwgREFUQSwgT1IKKyAqIFBST0ZJVFM7IE9SIEJVU0lORVNTIElOVEVSUlVQVElPTikgSE9XRVZF UiBDQVVTRUQgQU5EIE9OIEFOWSBUSEVPUlkKKyAqIE9GIExJQUJJTElUWSwgV0hFVEhFUiBJTiBD T05UUkFDVCwgU1RSSUNUIExJQUJJTElUWSwgT1IgVE9SVAorICogKElOQ0xVRElORyBORUdMSUdF TkNFIE9SIE9USEVSV0lTRSkgQVJJU0lORyBJTiBBTlkgV0FZIE9VVCBPRiBUSEUgVVNFCisgKiBP RiBUSElTIFNPRlRXQVJFLCBFVkVOIElGIEFEVklTRUQgT0YgVEhFIFBPU1NJQklMSVRZIE9GIFNV Q0ggREFNQUdFLiAKKyAqLworCisvLyBSZWdyZXNzaW9uIHRlc3QgZm9yIGh0dHBzOi8vYnVncy53 ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNDQwNjcuCisvLyBUaGlzIHRlc3QgYWltcyB0byBj b250aW51YWxseSBvdmVycmlkZSB0aGUgc2V0dGVyIGluIGEgc3BhcnNlIGFycmF5IG9iamVjdCwg YW5kCisvLyB0cmlnZ2VyIEdDcyB0byBnaXZlIGl0IGEgY2hhbmNlIHRvIGNvbGxlY3QgdGhlIG5l d2x5IHNldCBlbnRyeSB2YWx1ZS4gCisKK3ZhciBkYXRhID0ge307Cit2YXIgc3BhcnNlT2JqID0g e307CisKK2ZvciAodmFyIGkgPSAwOyBpIDwgNTsgaSsrKQorICAgIHNwYXJzZU9ialtpXSA9IGk7 CisKK2Z1bmN0aW9uIHVzZU1lbW9yeVRvVHJpZ2dlckdDcygpIHsKKyAgICB2YXIgYXJyID0gW107 CisgICAgdmFyIGxpbWl0ID0gREZHVHJ1ZSgpID8gMTAwMDAgOiAxMDA7CisgICAgZm9yICh2YXIg aSA9IDA7IGkgPCBsaW1pdDsgaSsrKQorICAgICAgICBhcnJbaV0gPSB7IGE6ICJ1c2luZyIgKyBp LCBiOiAidXAiICsgaSwgYzogIm1lbW9yeSIgKyBpIH07CisgICAgcmV0dXJuIGFycjsKK30KKwor ZnVuY3Rpb24gZm9vKHgpIHsKKyAgICBpZiAoIXgpCisgICAgICAgIHJldHVybjsKKyAgICBkYXRh LnRleHRDb250ZW50ID0gc3BhcnNlT2JqLl9fZGVmaW5lU2V0dGVyX18oIjE2Mzg0IiwgZm9vKTsK KyAgICBmb3IgKHZhciBpID0gMDsgaSA8IDEwOyBpKyspCisgICAgICAgIHNwYXJzZU9iai5fX2Rl ZmluZVNldHRlcl9fKCIiICsgKDE2Mzg0ICsgaSksIGZvbyk7CisgICAgdXNlTWVtb3J5VG9Ucmln Z2VyR0NzKCk7CisgICAgc3BhcnNlT2JqWzE2Mzg0XSA9IHggLSAxOworfQorCit2YXIgcmVjdXJz aW9uRGVwdGhOZWVkZWRUb1RyaWdnZXJUaGVGYWlsdXJlID0gMTAwOworZm9vKHJlY3Vyc2lvbkRl cHRoTmVlZGVkVG9UcmlnZ2VyVGhlRmFpbHVyZSk7Cg==