WebKit Bugzilla
RESOLVED FIXED
Bug 144067: SparseArrayEntry's write barrier owner should be the SparseArrayValueMap.
https://bugs.webkit.org/show_bug.cgi?id=144067
Reported by Mark Lam, 2015-04-22 12:38:04 PDT
Currently, there are a few places where the JSObject that owns the SparseArrayValueMap is designated as the owner of the SparseArrayEntry write barrier. This is a bug and can result in the GC collecting the SparseArrayEntry even though it is being referenced by the SparseArrayValueMap.
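The failure mode described in the report, as an added illustration that is not WebKit's code: a toy generational heap in which a minor GC rescans only those old cells that the write barrier recorded in the remembered set. Running the barrier on the JSObject instead of the map leaves the map unscanned, so a young entry referenced only by the map is collected; all names here (ToyHeap, entrySurvivesMinorGC) are assumptions, not JSC identifiers.

```cpp
#include <cassert>
#include <deque>
#include <set>
#include <vector>

// Toy generational heap, not JSC's code: a minor GC scans young cells plus the
// old cells that a write barrier placed in the remembered set.
struct Cell {
    bool old = false;         // already promoted to the old generation
    std::vector<Cell*> refs;  // outgoing references
};

struct ToyHeap {
    std::deque<Cell> cells;      // deque: pointers stay valid across allocations
    std::set<Cell*> remembered;  // old cells that may now point at young cells

    Cell* alloc(bool old) {
        cells.emplace_back();
        cells.back().old = old;
        return &cells.back();
    }
    // Store `value` into `holder`; the barrier runs on `barrierOwner` (should be holder).
    void store(Cell* holder, Cell* barrierOwner, Cell* value) {
        holder->refs.push_back(value);
        if (barrierOwner->old) remembered.insert(barrierOwner);
    }
    void mark(Cell* c, std::set<Cell*>& marked) const {
        if (!marked.insert(c).second) return;
        if (c->old && !remembered.count(c)) return;  // old and not remembered: skip
        for (Cell* r : c->refs) mark(r, marked);
    }
    // True if young `probe` is still reachable after a minor GC from `roots`.
    bool survivesMinorGC(const std::vector<Cell*>& roots, Cell* probe) const {
        std::set<Cell*> marked;
        for (Cell* r : roots) mark(r, marked);
        for (Cell* r : remembered) mark(r, marked);
        return marked.count(probe) != 0;
    }
};

// Old JSObject -> old SparseArrayValueMap -> freshly allocated (young) entry.
// With the barrier run on the JSObject instead of the map, the map is never
// rescanned and the entry is collected while the map still references it.
bool entrySurvivesMinorGC(bool barrierOnMap) {
    ToyHeap heap;
    Cell* jsObject = heap.alloc(true);
    Cell* map = heap.alloc(true);
    Cell* entry = heap.alloc(false);
    jsObject->refs.push_back(map);  // link predates the last GC; nothing remembered
    heap.store(map, barrierOnMap ? map : jsObject, entry);
    return heap.survivesMinorGC({jsObject}, entry);
}
```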
Attachments
the patch. (5.54 KB, patch), 2015-04-22 13:16 PDT, Mark Lam; msaboff: review+
Mark Lam, Comment 1, 2015-04-22 12:39:52 PDT
<rdar://problem/20477499>
Mark Lam, Comment 2, 2015-04-22 13:16:23 PDT
Created attachment 251362 [details]: the patch.
Mark Lam, Comment 3, 2015-04-22 13:23:30 PDT
For the record, I made SparseArrayEntry privately inherit WriteBarrier<Unknown> and created differently named setter functions which wrap the WriteBarrier ones, and then did a build to let Clang tell me of every place where SparseArrayEntry::set() is used. That is how I know I've covered all explicit calls to SparseArrayEntry::set(). I also searched for "set(" in JSObject.h/cpp, JSArray.h/cpp, and SparseArrayValueMap.h/cpp, and audited them visually.
Michael Saboff, Comment 4, 2015-04-22 13:41:04 PDT
Comment on attachment 251362 [details] the patch. r=me
Mark Lam, Comment 5, 2015-04-22 13:47:28 PDT
Thanks for the review. Per Michael's offline suggestion, I added a comment to the new test to indicate that it should not crash if the bug is fixed. Landed in r183128: <http://trac.webkit.org/r183128>.