Bug 128857

Summary: [JSManagedValue value] needs to be protected by the API lock
Product: WebKit
Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCore
Assignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
Patch (flags: mark.lam: review+)

Description Mark Hahnenberg 2014-02-14 17:06:29 PST
It needs to be because on 32-bit systems we can allocate new JS objects, and allocation always needs to be protected by the lock. Additionally, there were a number of race conditions when loading the JSGlobalObject from the Weak<> field of the JSManagedValue in order to get the JSContext.

The fix is to store a RefPtr<JSLock> in the JSManagedValue. The JSLock already stores a weak pointer to its corresponding VM, so this avoids a reference cycle. First we'll lock the JSLock, then check its VM pointer. If it's invalid, return nil. If it's valid, proceed as normal after initiating an APIEntryShim.
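The lock-then-check ordering described in this comment, as an added C++ sketch that is not WebKit's code: JSLock, VM and JSManagedValue are simplified stand-ins (a std::recursive_mutex for the API lock, a raw pointer cleared in the VM destructor for the lock's weak VM reference), and APIEntryShim is omitted. The point it shows is that the lock outlives the VM, so a reader can take the lock first and only then decide whether a VM still exists to allocate in.

```cpp
#include <cassert>
#include <memory>
#include <mutex>

struct VM;

// Stand-in for JSLock: owned by shared_ptr (RefPtr in WebKit terms) and holds
// only a non-owning pointer to its VM, so there is no reference cycle.
struct JSLock {
    std::recursive_mutex mutex;
    VM* vm = nullptr;  // weak: nulled by ~VM while holding the lock
};

// Stand-in for JSC::VM (hypothetical): creates its lock and clears the
// back-pointer under that lock when it is torn down.
struct VM {
    std::shared_ptr<JSLock> apiLock = std::make_shared<JSLock>();
    int allocations = 0;
    VM() { apiLock->vm = this; }
    ~VM() {
        std::lock_guard<std::recursive_mutex> g(apiLock->mutex);
        apiLock->vm = nullptr;
    }
    int allocateObject() { return ++allocations; }  // must run under the lock
};

// Stand-in for JSManagedValue: keeps the lock alive, not the VM.
struct JSManagedValue {
    std::shared_ptr<JSLock> lock;
    explicit JSManagedValue(VM& vm) : lock(vm.apiLock) {}

    // Mirrors -[JSManagedValue value]: lock first, then check the VM pointer.
    // Returns false ("nil") when the VM is gone; otherwise allocates safely.
    bool value(int& out) {
        std::lock_guard<std::recursive_mutex> g(lock->mutex);
        VM* vm = lock->vm;          // read only after the lock is held
        if (!vm)
            return false;
        out = vm->allocateObject();
        return true;
    }
};

// Scenario helpers: read while the VM is alive, and read after it was destroyed.
bool readWhileAlive(int& out) { VM vm; JSManagedValue mv(vm); return mv.value(out); }
bool readAfterVmGone(int& out) {
    std::unique_ptr<JSManagedValue> mv;
    { VM vm; mv.reset(new JSManagedValue(vm)); }  // VM dies; its lock survives via mv
    return mv->value(out);
}
```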
Comment 1 Mark Hahnenberg 2014-02-14 17:13:37 PST
Created attachment 224266 [details]
Patch
Comment 2 Mark Lam 2014-02-14 17:19:40 PST
Comment on attachment 224266 [details]
Patch

r=me
Comment 3 Mark Hahnenberg 2014-02-14 17:22:48 PST
Committed r164147: <http://trac.webkit.org/changeset/164147>