Bug 84648

Summary: Failure to allocate ArrayStorage in emit_op_new_array leads to poisonous JSArray
Product: WebKit Reporter: Mark Hahnenberg <mhahnenberg>
Component: JavaScriptCoreAssignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED    
Severity: Normal CC: fpizlo, ggaren, rafaelw
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Bencher results
none
Patch
none
Patch none

Mark Hahnenberg
Reported 2012-04-23 16:29:51 PDT
When emit_op_new_array successfully allocates a new JSArray but fails to allocate the corresponding ArrayStorage for it, it falls back to the out-of-line stub call to constructArray, which constructs and entirely new JSArray/ArrayStorage pair. This leaves us with a JSArray hanging around on the stack or in a register that did not go through its own constructor, thus giving it uninitialized memory in the two fields that are checked in JSArray::visitChildren. The fix for this is to detect when we have successfully allocated a JSArray but failed to allocate its backing store and to write zeros into the correct places in the object prior to abandoning it.
Attachments
Patch (2.99 KB, patch)
2012-04-23 20:19 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Bencher results (14.00 KB, text/plain)
2012-04-24 09:52 PDT, Mark Hahnenberg 		no flags
Details
Patch (8.18 KB, patch)
2012-04-24 11:18 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (28.66 KB, patch)
2012-05-10 10:04 PDT, Rafael Weinstein 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Mark Hahnenberg
Comment 1 2012-04-23 20:19:29 PDT
Created attachment 138492 [details] Patch
Geoffrey Garen
Comment 2 2012-04-23 21:16:34 PDT
Comment on attachment 138492 [details] Patch (1) Regression test, please. (2) A better fix is to allocate the backing store first. That way, no special branching, and no zombie JSArray. (3) Please re-verify that this inlining is still a performance win. It's a bit odd to have an optimization only in the slow JIT.
Geoffrey Garen
Comment 3 2012-04-24 09:25:27 PDT
<rdar://problem/11309000>
Mark Hahnenberg
Comment 4 2012-04-24 09:52:49 PDT
Created attachment 138583 [details] Bencher results These are the benchmark results for ToT without the optimization (just a stub call like we used to do) compared to the optimization along with this particular fix. Looks like a small win. I think when we finish bug 79198 arrays will be in a much better state in general.
Mark Hahnenberg
Comment 5 2012-04-24 11:18:53 PDT
Created attachment 138605 [details] Patch
Geoffrey Garen
Comment 6 2012-04-24 12:32:50 PDT
Comment on attachment 138605 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=138605&action=review Boy, those perf numbers are whisper-thin. Still, the fix is good, so let's take it. > Source/JavaScriptCore/jit/JITInlineMethods.h:490 > + // Allocate the backing store for the array. We allocate the storage first > + // because it could fail and we have to take the slow path, which would leave > + // behind a zombie JSArray with inconsistent state, potentially causing a GC crash. Hard to understand a comment about a potentially bad alternate version of the code. I would just say, "We allocate the backing store first to ensure that garbage collection doesn't happen during JSArray initialization".
Mark Hahnenberg
Comment 7 2012-04-24 12:44:42 PDT
Fixed in http://trac.webkit.org/changeset/115096.
Rafael Weinstein
Comment 8 2012-05-10 10:04:31 PDT
Reopening to attach new patch.
Rafael Weinstein
Comment 9 2012-05-10 10:04:33 PDT
Created attachment 141188 [details] Patch
Mark Hahnenberg
Comment 10 2012-05-10 10:08:56 PDT
(In reply to comment #8) > Reopening to attach new patch. I don't think this is the bug you meant to reopen.
Rafael Weinstein
Comment 11 2012-05-10 10:20:23 PDT
Sorry. No, it wasn't
Note You need to log in before you can comment on or make changes to this bug.