Bug 194031

Summary: [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but order of destruction of JS heap cells are not guaranteed
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: JavaScriptCoreAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 193993    
Attachments:
Description Flags
Patch
none
Patch
none
Patch
saam: review+, ews-watchlist: commit-queue-
Archive of layout-test-results from ews125 for ios-simulator-wk2 none

Yusuke Suzuki
Reported 2019-01-30 10:56:49 PST
If your UnlinkedCodeBlock is destructed before linked CodeBlock is destructed, we have a bad time.
Attachments
Patch (13.23 KB, patch)
2019-02-03 02:19 PST, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (13.30 KB, patch)
2019-02-03 02:23 PST, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (12.51 KB, patch)
2019-02-03 02:34 PST, Yusuke Suzuki 		saam: review+
ews-watchlist: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from ews125 for ios-simulator-wk2 (2.47 MB, application/zip)
2019-02-03 04:32 PST, EWS Watchlist 		no flags
Details
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2019-02-03 02:19:50 PST
Created attachment 361003 [details] Patch
Yusuke Suzuki
Comment 2 2019-02-03 02:23:02 PST
Created attachment 361004 [details] Patch
Yusuke Suzuki
Comment 3 2019-02-03 02:30:34 PST
Comment on attachment 361004 [details] Patch I'll do a bit more cleanup.
Yusuke Suzuki
Comment 4 2019-02-03 02:34:49 PST
Created attachment 361005 [details] Patch
EWS Watchlist
Comment 5 2019-02-03 04:32:47 PST
Comment on attachment 361005 [details] Patch Attachment 361005 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: https://webkit-queues.webkit.org/results/11014368 New failing tests: imported/w3c/web-platform-tests/webrtc/simplecall.https.html
EWS Watchlist
Comment 6 2019-02-03 04:32:48 PST
Created attachment 361009 [details] Archive of layout-test-results from ews125 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews125 Port: ios-simulator-wk2 Platform: Mac OS X 10.13.6
Yusuke Suzuki
Comment 7 2019-02-03 11:52:48 PST
(In reply to Build Bot from comment #5) > Comment on attachment 361005 [details] > Patch > > Attachment 361005 [details] did not pass ios-sim-ews (ios-simulator-wk2): > Output: https://webkit-queues.webkit.org/results/11014368 > > New failing tests: > imported/w3c/web-platform-tests/webrtc/simplecall.https.html I've checked the results and it seems unrelated to this patch. Just flaky.
Saam Barati
Comment 8 2019-02-03 21:38:45 PST
Comment on attachment 361005 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=361005&action=review > Source/JavaScriptCore/bytecode/MetadataTable.cpp:62 > + Ref<UnlinkedMetadataTable> unlinkedMetadata = WTFMove(linkingData().unlinkedMetadata); > + linkingData().~LinkingData(); > + // Since UnlinkedMetadata::unlink frees the underlying memory of MetadataTable. > + // We need to destroy LinkingData before calling it. > + unlinkedMetadata->unlink(*this); This whole dance is really poorly abstracted. It's very weird that UnlinkedMetadataTable frees the memory of MetadataTable. Logically, it would be incorrect for somebody to add a field to MetadataTable that gets auto destroyed since that'd mean the memory here is freed before the destructor runs.
Yusuke Suzuki
Comment 9 2019-02-03 22:13:21 PST
Comment on attachment 361005 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=361005&action=review >> Source/JavaScriptCore/bytecode/MetadataTable.cpp:62 >> + unlinkedMetadata->unlink(*this); > > This whole dance is really poorly abstracted. It's very weird that UnlinkedMetadataTable frees the memory of MetadataTable. Logically, it would be incorrect for somebody to add a field to MetadataTable that gets auto destroyed since that'd mean the memory here is freed before the destructor runs. The possible cleanup would be defining a static function MetadataTable::destroy and call it from deref(). void MetadataTable::destroy(MetadataTable& table) { Ref<UnlinkedMetadataTable> unlinkedMetadata = WTFMove(table.linkingData().unlinkedMetadata); table.~MetadataTable(); unlinkedMetadata->unlink(table}; } I would like to do that thing in a different patch since this solves another problem in MetadataTable.
Yusuke Suzuki
Comment 10 2019-02-03 23:13:04 PST
Committed r240915: <https://trac.webkit.org/changeset/240915>
Radar WebKit Bug Importer
Comment 11 2019-02-03 23:14:33 PST
<rdar://problem/47779358>
Note You need to log in before you can comment on or make changes to this bug.