Bug 128857 - [JSManagedValue value] needs to be protected by the API lock
Summary: [JSManagedValue value] needs to be protected by the API lock
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Mark Hahnenberg
Depends on:
Reported: 2014-02-14 17:06 PST by Mark Hahnenberg
Modified: 2014-02-14 17:22 PST (History)
Patch (4.35 KB, patch)
2014-02-14 17:13 PST, Mark Hahnenberg
mark.lam: review+

Description Mark Hahnenberg 2014-02-14 17:06:29 PST
It needs to be because on 32-bit systems we can allocate new JS objects, and allocation always needs to be protected by the lock. Additionally, there were a number of race conditions when loading the JSGlobalObject from the Weak<> field of the JSManagedValue in order to get the JSContext.

The fix is to store a RefPtr<JSLock> in the JSManagedValue. The JSLock already stores a weak pointer to its corresponding VM, so this avoids a reference cycle. First we'll lock the JSLock, then check its VM pointer. If it's invalid, return nil. If it's valid, proceed as normal after initiating an APIEntryShim.
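The locking scheme the description lays out, as an added illustration in plain C++ that is not WebKit code: ToyLock, ToyVM and ToyManagedValue are hypothetical stand-ins for JSLock, VM and JSManagedValue, and the value is a string rather than a JS object.

```cpp
#include <memory>
#include <mutex>
#include <optional>
#include <string>

struct ToyVM;

// Stand-in for JSLock: owns the mutex and a raw (weak) back-pointer to the VM,
// so ManagedValue -> Lock -> VM never forms a strong reference cycle.
struct ToyLock {
    std::mutex mutex;
    ToyVM* vm = nullptr;   // cleared when the VM is destroyed
};

// Stand-in for the VM: it owns the lock and registers itself with it.
struct ToyVM {
    std::shared_ptr<ToyLock> lock = std::make_shared<ToyLock>();
    std::string heapValue = "hello";   // stands in for the managed JS object
    ToyVM() { lock->vm = this; }
    ~ToyVM() {
        // Clear the back-pointer under the lock, so a concurrent value()
        // observes either a live VM or nullptr, never a dangling pointer.
        std::lock_guard<std::mutex> guard(lock->mutex);
        lock->vm = nullptr;
    }
};

// Stand-in for JSManagedValue: keeps the lock alive, not the VM.
struct ToyManagedValue {
    std::shared_ptr<ToyLock> lock;
    explicit ToyManagedValue(ToyVM& vm) : lock(vm.lock) {}

    // Mirrors the described [JSManagedValue value] flow: take the lock first,
    // then check the VM pointer; nil (nullopt) if the VM is gone, else proceed.
    std::optional<std::string> value() const {
        std::lock_guard<std::mutex> guard(lock->mutex);
        if (!lock->vm)
            return std::nullopt;
        // Here the real code would enter an APIEntryShim and read the Weak<>;
        // the toy just reads the VM's value while holding the lock.
        return lock->vm->heapValue;
    }
};
```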
Comment 1 Mark Hahnenberg 2014-02-14 17:13:37 PST
Created attachment 224266 [details]
Comment 2 Mark Lam 2014-02-14 17:19:40 PST
Comment on attachment 224266 [details]

Comment 3 Mark Hahnenberg 2014-02-14 17:22:48 PST
Committed r164147: <http://trac.webkit.org/changeset/164147>