128857 – [JSManagedValue value] needs to be protected by the API lock

Bug 128857 - [JSManagedValue value] needs to be protected by the API lock

Summary: [JSManagedValue value] needs to be protected by the API lock

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Mark Hahnenberg

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-02-14 17:06 PST by Mark Hahnenberg
Modified:	2014-02-14 17:22 PST (History)
CC List:	0 users

See Also:

Attachments
Patch (4.35 KB, patch) 2014-02-14 17:13 PST, Mark Hahnenberg	mark.lam: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Hahnenberg 2014-02-14 17:06:29 PST

It needs to be because on 32-bit systems we can allocate new JS objects, and allocation always needs to be protected by the lock. Additionally, there were a number of race conditions when loading the JSGlobalObject from the Weak<> field of the JSManagedValue in order to get the JSContext.

The fix is to store a RefPtr<JSLock> in the JSManagedValue. The JSLock already stores a weak pointer to its corresponding VM, so this avoids a reference cycle. First we'll lock the JSLock, then check its VM pointer. If it's invalid, return nil. If it's valid, proceed as normal after initiating an APIEntryShim.

Comment 1 Mark Hahnenberg 2014-02-14 17:13:37 PST

Created attachment 224266 [details]
Patch

Comment 2 Mark Lam 2014-02-14 17:19:40 PST

Comment on attachment 224266 [details]
Patch

r=me

Comment 3 Mark Hahnenberg 2014-02-14 17:22:48 PST

Committed r164147: <http://trac.webkit.org/changeset/164147>