Bug 128857

Summary: [JSManagedValue value] needs to be protected by the API lock
Product: WebKit
Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCore
Assignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

Mark Hahnenberg
Reported 2014-02-14 17:06:29 PST
It needs to be because on 32-bit systems we can allocate new JS objects, and allocation always needs to be protected by the lock. Additionally, there were a number of race conditions when loading the JSGlobalObject from the Weak<> field of the JSManagedValue in order to get the JSContext. The fix is to store a RefPtr<JSLock> in the JSManagedValue. The JSLock already stores a weak pointer to its corresponding VM, so this avoids a reference cycle. First we'll lock the JSLock, then check its VM pointer. If it's invalid, return nil. If it's valid, proceed as normal after initiating an APIEntryShim.
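The lock-then-check ordering described in the report, shown as an added example in plain C++ (this is not WebKit's code; `Vm`, `ApiLock` and `ManagedValue` are hypothetical stand-ins for VM, JSLock and JSManagedValue, a `std::weak_ptr` stands in for the JSLock's non-owning VM pointer, and the APIEntryShim step is left as a comment). The managed value holds only the lock; `value()` acquires it before looking at the VM, and a dead VM yields `std::nullopt` in place of nil:

```cpp
#include <iostream>
#include <memory>
#include <mutex>
#include <optional>
#include <string>

// Hypothetical stand-in for JavaScriptCore's VM.
struct Vm {
    std::string name;
    explicit Vm(std::string n) : name(std::move(n)) {}
};

// Stand-in for JSLock: owns the API lock and only a *weak* reference to its VM,
// so the chain ManagedValue -> ApiLock -> Vm is not a reference cycle.
class ApiLock {
public:
    explicit ApiLock(const std::shared_ptr<Vm>& vm) : m_vm(vm) {}
    std::mutex& mutex() { return m_mutex; }
    // Only meaningful while mutex() is held: a strong ref if the VM is still alive.
    std::shared_ptr<Vm> vm() { return m_vm.lock(); }
private:
    std::mutex m_mutex;
    std::weak_ptr<Vm> m_vm;
};

// Stand-in for JSManagedValue after the fix: it keeps the lock (RefPtr<JSLock>
// in WebKit, shared_ptr here), never the VM or global object directly.
class ManagedValue {
public:
    ManagedValue(std::shared_ptr<ApiLock> lock, std::string payload)
        : m_lock(std::move(lock)), m_payload(std::move(payload)) {}

    // Analogue of [JSManagedValue value]: take the lock FIRST, then check the VM.
    // std::nullopt plays the role of returning nil.
    std::optional<std::string> value() {
        std::lock_guard<std::mutex> guard(m_lock->mutex());
        std::shared_ptr<Vm> vm = m_lock->vm();
        if (!vm)
            return std::nullopt;  // VM already torn down: nothing safe to read
        // The real code would enter an APIEntryShim here; the lock is held and
        // the VM is pinned for the rest of this scope, so heap access is safe.
        return m_payload + " @ " + vm->name;
    }
private:
    std::shared_ptr<ApiLock> m_lock;
    std::string m_payload;
};

// Scenario 1: VM alive, so value() yields the payload.
std::optional<std::string> readWhileVmAlive() {
    auto vm = std::make_shared<Vm>("vm-A");
    auto lock = std::make_shared<ApiLock>(vm);
    ManagedValue mv(lock, "payload");
    return mv.value();
}

// Scenario 2: VM destroyed while the ManagedValue (and its lock) outlive it;
// value() must report "nothing" instead of touching a dead VM.
std::optional<std::string> readAfterVmDestroyed() {
    auto vm = std::make_shared<Vm>("vm-B");
    auto lock = std::make_shared<ApiLock>(vm);
    ManagedValue mv(lock, "payload");
    vm.reset();  // last strong ref dropped: VM gone, lock still alive
    return mv.value();
}

int main() {
    auto alive = readWhileVmAlive();
    std::cout << "alive: " << (alive ? *alive : "nil") << "\n";
    auto dead = readAfterVmDestroyed();
    std::cout << "after teardown: " << (dead ? *dead : "nil") << "\n";
    return 0;
}
```

The point of the ordering is that the liveness check happens under the same lock that teardown would have to hold, so a caller can never observe a VM pointer that becomes stale between the check and the use; reading the weak global object before locking, as the pre-fix code did, leaves exactly that window.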
Attachments
Patch (4.35 KB, patch), 2014-02-14 17:13 PST, Mark Hahnenberg, mark.lam: review+
Mark Hahnenberg
Comment 1 2014-02-14 17:13:37 PST
Mark Lam
Comment 2 2014-02-14 17:19:40 PST
Comment on attachment 224266: Patch

r=me
Mark Hahnenberg
Comment 3 2014-02-14 17:22:48 PST