Bug 213593 - JSCell constructor needs to ensure that the passed in structure is still alive.
Summary: JSCell constructor needs to ensure that the passed in structure is still alive.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Lam
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2020-06-25 00:52 PDT by Mark Lam
Modified: 2020-06-25 12:33 PDT (History)
Attachments
proposed patch. (3.96 KB, patch)
2020-06-25 01:14 PDT, Mark Lam
ysuzuki: review+
patch for landing. (5.25 KB, patch)
2020-06-25 12:14 PDT, Mark Lam
no flags
Description Mark Lam 2020-06-25 00:52:13 PDT
<rdar://problem/64597573>
Comment 1 Mark Lam 2020-06-25 01:14:25 PDT
Created attachment 402722 [details]
proposed patch.
Comment 2 Yusuke Suzuki 2020-06-25 08:50:55 PDT
Comment on attachment 402722 [details]
proposed patch.

r=me
Comment 3 Mark Lam 2020-06-25 12:03:26 PDT
Offline, Keith and Yusuke questioned why Clang would have precomputed Structure field values.  Turns out, Clang did not pre-compute the field values.  Instead, it pre-computed the address of structure->m_blob where all the field values are contained.  As a result, the structure pointer is no longer retained, and GC will not know to keep the structure alive.

The fix is still valid.  I'll update the comment to indicate that it is the address of structure->m_blob that is pre-computed.
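The hazard described in the comment above, as an added illustration that is not WebKit's code: once a constructor has read everything it needs through `structure->m_blob`, the compiler only has to keep the computed address of `m_blob` live, not the `Structure` pointer itself, so a garbage collector looking for that pointer may see no reference at all. The `Structure`, `Cell` and `Blob` layouts here are constructed stand-ins, and `ensureStillAliveHere` is this example's own opaque-barrier reimplementation of the idea (it assumes a GCC/Clang-compatible compiler for the empty `asm` statement).

```cpp
#include <cassert>
#include <cstdint>

// Constructed stand-in for a Structure: the values a cell copies at construction
// time live inside a nested blob, so reads go through one computed address.
struct Structure {
    uint32_t id;
    struct Blob {
        uint32_t structureId;
        uint8_t indexingType;
        uint8_t type;
        uint8_t flags;
    } m_blob;
};

// Opaque barrier: the compiler must assume this reads `p`, so whatever register or
// stack slot holds `p` stays live up to this point and a stack scan can find it.
// This is an illustrative reimplementation, not WebKit's ensureStillAliveHere.
inline void ensureStillAliveHere(const void* p)
{
    asm volatile("" : : "g"(p) : "memory");
}

// Constructed stand-in for a cell that copies its header fields out of the Structure.
struct Cell {
    uint32_t structureId;
    uint8_t indexingType;
    uint8_t type;
    uint8_t flags;

    explicit Cell(const Structure* structure)
        : structureId(structure->m_blob.structureId)
        , indexingType(structure->m_blob.indexingType)
        , type(structure->m_blob.type)
        , flags(structure->m_blob.flags)
    {
        // After the initializer list, `structure` itself is dead as far as the
        // optimizer is concerned: only &structure->m_blob was needed. Pinning the
        // pointer here keeps a reference to the Structure's start visible until
        // the cell has finished copying from it.
        ensureStillAliveHere(structure);
    }
};

// Builds a cell from a constructed sample Structure and packs the copied fields
// into one value so the copy can be checked by a caller.
uint64_t sampleCellFields()
{
    Structure sample{ 42, { 42, 0x11, 0x22, 0x33 } };
    Cell cell(&sample);
    return static_cast<uint64_t>(cell.flags) << 48
        | static_cast<uint64_t>(cell.type) << 40
        | static_cast<uint64_t>(cell.indexingType) << 32
        | cell.structureId;
}

int main()
{
    assert(sampleCellFields() == 0x003322110000002AULL);
    return 0;
}
```

The barrier costs nothing at runtime (it emits no instructions) but changes what the optimizer may discard; the place to put it is after the last read through the derived address, which for a constructor is the end of its body.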
Comment 4 Mark Lam 2020-06-25 12:14:51 PDT
Created attachment 402787 [details]
patch for landing.
Comment 5 Mark Lam 2020-06-25 12:33:40 PDT
Thanks for the review.  Landed in r263523: <http://trac.webkit.org/r263523>.