Bug 236277

Summary: [WebCore] JSValueInWrappedObject is not correct for concurrent GC
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: New BugsAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: alecflett, beidson, eric.carlson, ews-watchlist, glenn, jer.noble, jsbell, philipj, saam, sergio, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=236278
https://bugs.webkit.org/show_bug.cgi?id=236279
Bug Depends on: 194806    
Bug Blocks:    
Attachments:
Description Flags
Patch
saam: review+
Patch saam: commit-queue-

Yusuke Suzuki
Reported 2022-02-07 19:12:53 PST
[WebCore] JSValueInWrappedObject is not correct for concurrent GC
Attachments
Patch (16.25 KB, patch)
2022-02-07 19:26 PST, Yusuke Suzuki 		saam: review+
DetailsFormatted DiffDiff
Patch (16.95 KB, patch)
2022-02-07 21:49 PST, Yusuke Suzuki 		saam: commit-queue-
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2022-02-07 19:26:11 PST
Created attachment 451196 [details] Patch
Yusuke Suzuki
Comment 2 2022-02-07 19:26:14 PST
<rdar://problem/88366849>
Saam Barati
Comment 3 2022-02-07 19:32:58 PST
Comment on attachment 451196 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=451196&action=review r=me > Source/WebCore/Modules/indexeddb/IDBRequest.cpp:506 > + // FIXME: This code is wrong: let's consider that these fields' access are reordered in the concurrent GC thread. > + // And we just scanned cleared m_resultWrapper and then, we missed scanning m_cursorWrapper with a new value. > + // Then we could make both collected. Whenever changing JSValueInWrappedObject fields, we should emit a write barrier > + // if we would like to keep them alive. can you file a bug for this and ping the relevant folks? > Source/WebCore/bindings/js/JSValueInWrappedObject.h:42 > + // Remove them once AudioBuffer's m_channelWrappers bug is fixed. add FIXME and bug link > Source/WebCore/bindings/js/JSValueInWrappedObject.h:54 > + // Remove this once IDBRequest semantic bug is fixed. ditto about FIXME and bug link
Yusuke Suzuki
Comment 4 2022-02-07 19:44:01 PST
Comment on attachment 451196 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=451196&action=review Thanks! >> Source/WebCore/Modules/indexeddb/IDBRequest.cpp:506 >> + // if we would like to keep them alive. > > can you file a bug for this and ping the relevant folks? Nice, filed. https://bugs.webkit.org/show_bug.cgi?id=236278 I will paste the above bugzilla URL here too. >> Source/WebCore/bindings/js/JSValueInWrappedObject.h:42 >> + // Remove them once AudioBuffer's m_channelWrappers bug is fixed. > > add FIXME and bug link Filed :) https://bugs.webkit.org/show_bug.cgi?id=236279 >> Source/WebCore/bindings/js/JSValueInWrappedObject.h:54 >> + // Remove this once IDBRequest semantic bug is fixed. > > ditto about FIXME and bug link Filed :)
Yusuke Suzuki
Comment 5 2022-02-07 21:49:28 PST
Created attachment 451209 [details] Patch
Yusuke Suzuki
Comment 6 2022-02-08 09:53:49 PST
Committed r289383 (?): <https://commits.webkit.org/r289383>
Note You need to log in before you can comment on or make changes to this bug.