Bug 25416

Summary: Cached prototype accesses unsafely hoist property storage load above structure checks.
Product: WebKit
Reporter: Gavin Barraclough <barraclough>
Component: JavaScriptCore
Assignee: Gavin Barraclough <barraclough>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: Mac
OS: OS X 10.5
Attachments (Description / Flags): The patch, sam: review+

Gavin Barraclough
Reported 2009-04-26 21:48:58 PDT
We currently perform the load of the storage array prior to the structure checks. This is expected to be safe since the value loaded is not used unless the structure checks do all pass.

However, if the prototype object has changed, and if there are no further references to the original prototype object OR to any other objects within the same heap block, then the heap block may be freed, and the memory may be unmapped. In the unlikely* event this should happen, the access will result in a fault.

This can be fixed by simply not hoisting the memory access. This is not expected to impact performance significantly. Whilst hoisting the load may have helped in some cases, it will also have resulted in an unnecessary and unused memory access being performed at other times.

[ * Ummm..... ]
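A constructed C model of the access ordering the report describes, added here as an illustration and not WebKit's code: the Object, Structure and ProtoCache types, the mapped flag and the touch() accounting are assumptions standing in for the JIT's real data structures and for a real page fault.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model (not WebKit's own types): a Structure fixes an object's
 * shape and prototype; an Object has a Structure and a property storage array. */
typedef struct Object Object;
typedef struct { const Object *prototype; } Structure;
struct Object {
    const Structure *structure; int *storage;
    bool mapped;   /* models whether the object's heap block is still mapped */
};
/* Inline-cache state recorded when the prototype access was first cached. */
typedef struct {
    const Structure *baseStructure, *protoStructure;
    const Object *proto; size_t slot;   /* proto: raw pointer, nothing keeps it alive */
} ProtoCache;
/* Memory model: every object access goes through touch(), which counts reads
 * of unmapped blocks, i.e. the faults the generated code would take. */
static int faults;
static const Object *touch(const Object *o) { if (!o->mapped) faults++; return o; }
/* Before the fix: the storage load is hoisted above both structure checks. */
static bool get_hoisted(const ProtoCache *c, const Object *base, int *out) {
    int *storage = touch(c->proto)->storage;                 /* speculative load */
    if (touch(base)->structure != c->baseStructure) return false;
    if (touch(c->proto)->structure != c->protoStructure) return false;
    *out = storage[c->slot];
    return true;
}
/* After the fix: base structure check first. A matching base structure still
 * references the cached prototype, so only then is reading it safe. */
static bool get_fixed(const ProtoCache *c, const Object *base, int *out) {
    if (touch(base)->structure != c->baseStructure) return false;
    if (touch(c->proto)->structure != c->protoStructure) return false;
    *out = touch(c->proto)->storage[c->slot];
    return true;
}
/* Scenario from the report: cache filled, prototype replaced, old one freed.
 * Returns how many unmapped reads the two accesses performed. */
static int run_scenario(bool (*get)(const ProtoCache *, const Object *, int *)) {
    int oldStorage[1] = { 42 }, value = 0;
    Structure protoS = { NULL }; Object oldProto = { &protoS, oldStorage, true };
    Structure s0 = { &oldProto }, s1 = { NULL };   /* s1: transitioned base structure */
    Object base = { &s0, NULL, true };
    ProtoCache cache = { &s0, &protoS, &oldProto, 0 };
    faults = 0;
    get(&cache, &base, &value);   /* warm hit: structures match, reads 42 */
    base.structure = &s1;         /* prototype changed via structure transition */
    oldProto.mapped = false;      /* old prototype's heap block freed and unmapped */
    get(&cache, &base, &value);   /* cache miss; must not touch oldProto */
    return faults;
}
```

The hoisted variant touches the freed prototype once on the miss path, the fixed ordering never does.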
Attachments
The patch (3.82 KB, patch), 2009-04-26 21:51 PDT, Gavin Barraclough, sam: review+
Gavin Barraclough
Comment 1 2009-04-26 21:51:40 PDT
Created attachment 29812 [details] The patch
Gavin Barraclough
Comment 2 2009-04-26 22:17:37 PDT
Sending JavaScriptCore/ChangeLog
Sending JavaScriptCore/jit/JITPropertyAccess.cpp
Transmitting file data ..
Committed revision 42884.