Bug 53271

Summary: Potentially Unsafe HashSet of RuntimeObject* in RootObject definition
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: WebCore JavaScriptAssignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, alex, eric, ggaren, kevin, ossy, rhodes.unci, webkit.review.bot
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Bug Depends on: 53287, 53418    
Bug Blocks:    
Attachments:
Description Flags
Patch to use WeakGCMap instead of HashSet in RootObject
none
Patch that addresses the test failures ggaren: review+

Michael Saboff
Reported 2011-01-27 17:15:27 PST
As part of investigating another defect, I came across the definition of HashSet<RuntimeObject*> m_runtimeObjects; in RootOBject definition. Since RuntimeObject's are GC'ed, there is the possibility that a RuntimeObject could be GC'ed but not removed from this HashSet. Although I haven't determined a case where this is actually happening, it makes sense to make a preventative fix.
Attachments
Patch to use WeakGCMap instead of HashSet in RootObject (4.63 KB, patch)
2011-01-27 18:05 PST, Michael Saboff 		no flags
DetailsFormatted DiffDiff
Patch that addresses the test failures (5.14 KB, patch)
2011-01-28 12:10 PST, Michael Saboff 		ggaren: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2011-01-27 18:05:47 PST
Created attachment 80391 [details] Patch to use WeakGCMap instead of HashSet in RootObject
Michael Saboff
Comment 2 2011-01-27 18:18:26 PST
Committed r76893: <http://trac.webkit.org/changeset/76893>
WebKit Review Bot
Comment 3 2011-01-27 20:27:06 PST
http://trac.webkit.org/changeset/76893 might have broken GTK Linux 64-bit Debug
Csaba Osztrogonác
Comment 4 2011-01-28 00:58:40 PST
It made 460 tests crash on Qt debug bot: http://webkit.sed.hu/buildbot/results/x86-32%20Linux%20Qt%20Debug/r76893%20%2812399%29/results.html ASSERTION FAILED: m_runtimeObjects.get(object) (../../../Source/WebCore/bridge/runtime_root.cpp:189 void JSC::Bindings::RootObject::removeRuntimeObject(JSC::Bindings::RuntimeObject*)) Segmentation fault
Csaba Osztrogonác
Comment 5 2011-01-28 00:59:06 PST
Comment on attachment 80391 [details] Patch to use WeakGCMap instead of HashSet in RootObject remove r+ from landed patch
Csaba Osztrogonác
Comment 6 2011-01-28 01:11:56 PST
It was rolled out: http://trac.webkit.org/changeset/76925
Geoffrey Garen
Comment 7 2011-01-28 10:11:08 PST
+ ASSERT(m_runtimeObjects.get(object)); I think this needs to be "ASSERT(m_runtimeObjects.uncheckedGet(object))". By the time removeRuntimeObject is called, object is unmarked, so get will return 0.
Michael Saboff
Comment 8 2011-01-28 12:10:51 PST
Created attachment 80478 [details] Patch that addresses the test failures Made the change suggested by Geoff and successfully ran all tests in debug mode.
Geoffrey Garen
Comment 9 2011-01-28 12:15:32 PST
Comment on attachment 80478 [details] Patch that addresses the test failures r=me
Michael Saboff
Comment 10 2011-01-28 12:21:33 PST
Committed r76969: <http://trac.webkit.org/changeset/76969>
Alejandro G. Castro
Comment 11 2011-01-31 04:12:54 PST
(In reply to comment #10) > Committed r76969: <http://trac.webkit.org/changeset/76969> Apparently this could be still causing issues at least in GTK and Leopard Intel Debug, first crash in the compilation after that commit: http://build.webkit.org/results/Leopard%20Intel%20Debug%20(Tests)/r76969%20(26725)/results.html In Gtk+ we have the same assertions but they are flaky: http://build.webkit.org/results/GTK%20Linux%2064-bit%20Debug/r77114%20(18774)/fast/frames/sandboxed-iframe-scripting-stderr.txt Unfourtunately I can not reproduce it locally in gtk+. I'm going to rollout until you have time to check it.
Michael Saboff
Comment 12 2011-01-31 14:42:42 PST
*** Bug 53376 has been marked as a duplicate of this bug. ***
Eric Seidel (no email)
Comment 13 2011-02-02 14:24:07 PST
I'm seeing crashes relating to this on the Snow Leopard Debug bot: http://build.webkit.org/results/SnowLeopard%20Intel%20Leaks/r77400%20(14522)/fast/events/tabindex-focus-blur-all-stderr.txt
Eric Seidel (no email)
Comment 14 2011-02-02 14:24:23 PST
SUCCESS: Build 14472 (r77164) was the first to show failures: set([u'fast/events/tabindex-focus-blur-all.html'])
Gavin Barraclough
Comment 15 2012-03-08 16:59:37 PST
*** Bug 53411 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.