167220 – Structure::pin() needs to be called while holding a lock

RESOLVED FIXED 167220

Structure::pin() needs to be called while holding a lock

https://bugs.webkit.org/show_bug.cgi?id=167220

Summary Structure::pin() needs to be called while holding a lock

Filip Pizlo

Reported 2017-01-19 16:50:08 PST

Otherwise the GC could blow away the table as we are pinning it.

Attachments
the patch (12.70 KB, patch) 2017-01-19 16:56 PST, Filip Pizlo	saam: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2017-01-19 16:56:15 PST

Created attachment 299285 [details] the patch

Filip Pizlo

Comment 2 2017-01-19 17:00:23 PST

This fixes crashes with this signature: Termination Signal: Trace/BPT trap: 5 Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x000000010d3b3df5 0x10c970000 + 10763765 1 com.apple.JavaScriptCore 0x000000010d3b49cb bool JSC::Structure::checkOffsetConsistency<JSC::Structure::materializePropertyTable(JSC::VM&, bool)::$_0>(JSC::PropertyTable*, JSC::Structure::materializePropertyTable(JSC::VM&, bool)::$_0 const&) const::'lambda'(char const*)::operator()(char const*) const + 1179 2 com.apple.JavaScriptCore 0x000000010d3afa2c JSC::Structure::materializePropertyTable(JSC::VM&, bool) + 1228 (StructureInlines.h:276) 3 com.apple.JavaScriptCore 0x000000010c97861a int JSC::Structure::add<JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int, int)>(JSC::VM&, JSC::PropertyName, unsigned int, JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int, int) const&) + 58 (Structure.h:688) 4 com.apple.JavaScriptCore 0x000000010cb33d07 JSC::JSObject::putDirectWithoutTransition(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int) + 231 (PropertyOffset.h:108) 5 com.apple.JavaScriptCore 0x000000010d1133bf JSC::JSGlobalObject::init(JSC::VM&) + 15599 (WriteBarrier.h:108) 6 com.apple.JavaScriptCore 0x000000010d11a285 JSC::JSGlobalObject::finishCreation(JSC::VM&, JSC::JSObject*) + 149 (WriteBarrierInlines.h:53)

Radar WebKit Bug Importer

Comment 3 2017-01-19 17:05:23 PST

<rdar://problem/30108809>

Filip Pizlo

Comment 4 2017-01-19 18:40:20 PST

Landed in http://trac.webkit.org/changeset/210947

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware All

OS All

Product WebKit

Component JavaScriptCore

Assignee

Filip Pizlo

Reported

2017-01-19 16:50 PST

Modified

2017-01-19 18:40 PST History

CC List

8 users Show

URL

Keywords InRadar

Depends on

Blocks