RESOLVED FIXED 128857
[JSManagedValue value] needs to be protected by the API lock
https://bugs.webkit.org/show_bug.cgi?id=128857
Mark Hahnenberg
Reported 2014-02-14 17:06:29 PST
It needs to be because on 32-bit systems we can allocate new JS objects, and allocation always needs to be protected by the lock. Additionally, there were a number of race conditions when loading the JSGlobalObject from the Weak<> field of the JSManagedValue in order to get the JSContext. The fix is to store a RefPtr<JSLock> in the JSManagedValue. The JSLock already stores a weak pointer to its corresponding VM, so this avoids a reference cycle. First we'll lock the JSLock, then check its VM pointer. If it's invalid, return nil. If it's valid, proceed as normal after initiating an APIEntryShim.
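The lifetime scheme the report describes (handle holds the lock, lock holds only a weak pointer to the VM, lock first and then check the VM pointer under it) as an added C++ illustration. This is not WebKit code: MiniVM, ApiLock, ManagedValue and Result are hypothetical stand-ins for VM, JSLock, JSManagedValue and the nil-or-value return, and a std::mutex plus a raw pointer cleared during teardown stands in for JSLock's weak VM pointer.

```cpp
#include <memory>
#include <mutex>
#include <string>
#include <utility>

// Added illustration of the scheme described in the report. Names (MiniVM,
// ApiLock, ManagedValue, Result) are hypothetical stand-ins for VM, JSLock,
// JSManagedValue and the nil-or-value return; this is not WebKit code.

struct MiniVM;

// The API lock. It is owned by the VM (and by any handle that needs it) but
// holds only a weak, raw pointer back to the VM, so a handle keeping the lock
// alive does not keep the VM alive: no reference cycle.
struct ApiLock {
    std::mutex mutex;
    MiniVM* vm = nullptr;   // cleared by ~MiniVM while holding `mutex`
};

struct MiniVM {
    std::shared_ptr<ApiLock> lock = std::make_shared<ApiLock>();
    std::string heapValue;  // stand-in for a heap object a handle refers to

    explicit MiniVM(std::string v) : heapValue(std::move(v)) { lock->vm = this; }
    ~MiniVM() {
        // Teardown takes the same lock before invalidating the pointer, so a
        // reader that holds the lock sees either a live VM or nullptr, never
        // a VM in the middle of destruction.
        std::lock_guard<std::mutex> guard(lock->mutex);
        lock->vm = nullptr;
    }
    MiniVM(const MiniVM&) = delete;
    MiniVM& operator=(const MiniVM&) = delete;
};

struct Result {
    bool valid = false;   // false models returning nil
    std::string value;
};

// Handle that may outlive its VM, like JSManagedValue after the fix: it stores
// a strong reference to the lock (RefPtr<JSLock>) and nothing that would need
// the VM to be alive to dereference.
class ManagedValue {
public:
    explicit ManagedValue(MiniVM& vm) : m_lock(vm.lock) {}

    // The order the report prescribes: lock first, then check the VM pointer
    // under the lock; return nil if it is gone, otherwise proceed (anything
    // that allocates on the VM heap happens here, inside the lock).
    Result value() const {
        std::lock_guard<std::mutex> guard(m_lock->mutex);   // APIEntryShim role
        if (!m_lock->vm)
            return {false, std::string()};
        return {true, m_lock->vm->heapValue};
    }

private:
    std::shared_ptr<ApiLock> m_lock;
};

struct Outcome {
    Result beforeTeardown;
    Result afterTeardown;
    long lockOwnersWhileVmAlive = 0;   // 2: the VM and the handle
};

// Drives the lifetime the bug is about: read through the handle while the VM
// lives, destroy the VM, read again.
Outcome runScenario() {
    Outcome out;
    auto vm = std::make_unique<MiniVM>("object");
    ManagedValue handle(*vm);
    out.lockOwnersWhileVmAlive = vm->lock.use_count();
    out.beforeTeardown = handle.value();
    vm.reset();   // ~MiniVM nulls ApiLock::vm under the lock
    out.afterTeardown = handle.value();
    return out;
}

int main() {
    Outcome o = runScenario();
    bool ok = o.beforeTeardown.valid && o.beforeTeardown.value == "object"
              && !o.afterTeardown.valid && o.lockOwnersWhileVmAlive == 2;
    return ok ? 0 : 1;
}
```

The two properties worth checking are visible in runScenario(): the handle never adds a strong reference to the VM (only to the lock), and the "is the VM still here?" test is made after the lock is taken, so it cannot interleave with teardown, which nulls the pointer under the same lock. In the model the contrast with the pre-fix code is that reading a weak field first and locking afterwards would let teardown run between the two steps.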
Attachments
Patch (4.35 KB, patch)
2014-02-14 17:13 PST, Mark Hahnenberg
mark.lam: review+
Mark Hahnenberg
Comment 1 2014-02-14 17:13:37 PST
Mark Lam
Comment 2 2014-02-14 17:19:40 PST
Comment on attachment 224266 [details] Patch r=me
Mark Hahnenberg
Comment 3 2014-02-14 17:22:48 PST