| Field | Value |
|---|---|
| Summary | Replace JSArray destructor with finalizer |
| Product | WebKit |
| Component | JavaScriptCore |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | 528+ (Nightly build) |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Mark Hahnenberg <mhahnenberg> |
| Assignee | Mark Hahnenberg <mhahnenberg> |
| CC | dglazkov, webkit.review.bot |
| Attachments | 124854 (Patch), 125001 (Patch) |
Description

Mark Hahnenberg 2012-01-31 16:03:37 PST

Created attachment 124854 [details]
Patch
Comment on attachment 124854 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=124854&action=review

> Source/JavaScriptCore/runtime/JSArray.cpp:314
> + if (!map) {
> map = m_sparseValueMap = new SparseArrayValueMap;
> + globalData.heap.addFinalizer(this, finalize);

m_sparseValueMap can oscillate between null and non-null. In such a case, this code will register one finalizer for each oscillation, which will result in a double delete. Please write a test case for this condition.

You can fix this by setting thisObject->m_sparseValueMap to 0 after deleting it, adding a comment that the finalizer can run more than once, or by never setting m_sparseValueMap to 0, even if it becomes empty.

Created attachment 125001 [details]
Patch

Comment on attachment 125001 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=125001&action=review

r=me

> Source/JavaScriptCore/runtime/JSArray.cpp:203
> +void JSArray::finalize(JSCell* cell)

Please add a comment here noting that this function can be called more than once, so a future developer doesn't add unsafe code.

Comment on attachment 125001 [details]
Patch

Attachment 125001 [details] did not pass chromium-ews (chromium-xvfb):
Output: http://queues.webkit.org/results/11393541

New failing tests:
fast/js/sparse-array.html

Committed r106496: <http://trac.webkit.org/changeset/106496>
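Review bot: in the JSArray.cpp:314 hunk, `globalData.heap.addFinalizer(this, finalize);` sits inside `if (!map) {`, so registration is tied to each allocation of the sparse map rather than to the cell's lifetime; every time `m_sparseValueMap` is cleared and a new map is created, the same cell is registered again, and a `finalize` that only does `delete thisObject->m_sparseValueMap;` will then free the same pointer once per registration. The smallest safe change is to make `finalize` idempotent by clearing the member after the delete (`thisObject->m_sparseValueMap = 0;`), and to exercise the allocate/clear/reallocate path in fast/js/sparse-array.html on a debug build so that a repeated free is caught rather than silently corrupting the heap.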