RESOLVED FIXED 213593
JSCell constructor needs to ensure that the passed in structure is still alive.
https://bugs.webkit.org/show_bug.cgi?id=213593
Summary JSCell constructor needs to ensure that the passed in structure is still alive.
Mark Lam
Reported 2020-06-25 00:52:13 PDT
Attachments
proposed patch. (3.96 KB, patch)
2020-06-25 01:14 PDT, Mark Lam
ysuzuki: review+
patch for landing. (5.25 KB, patch)
2020-06-25 12:14 PDT, Mark Lam
no flags
Mark Lam
Comment 1 2020-06-25 01:14:25 PDT
Created attachment 402722 [details] proposed patch.
Yusuke Suzuki
Comment 2 2020-06-25 08:50:55 PDT
Comment on attachment 402722 [details] proposed patch. r=me
Mark Lam
Comment 3 2020-06-25 12:03:26 PDT
Offline, Keith and Yusuke questioned why Clang would have precomputed Structure field values. Turns out, Clang did not pre-compute the field values. Instead, it pre-computed the address of structure->m_blob where all the field values are contained. As a result, the structure pointer is no longer retained, and GC will not know to keep the structure alive. The fix is still valid. I'll update the comment to indicate that it is the address of structure->m_blob that is pre-computed.
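The hazard described in Comment 3, as an added illustration that is not part of this bug's patch: once the optimizer rewrites the field reads as loads through a single interior pointer (`&structure->m_blob`), nothing obliges it to keep the base pointer `structure` live, so a conservative stack scan may never see the object start. The `keepAlive` barrier is an assumed, generic way to pin the base pointer until the reads are done (GCC/Clang inline asm); the `Structure`, `Blob` and `Cell` types are constructed stand-ins, not WebKit's.

```cpp
#include <cstdint>

// Constructed stand-ins: field values live in an inner blob of the structure.
struct Blob { uint32_t indexingType; uint32_t typeInfoFlags; };
struct Structure { uint64_t header; Blob m_blob; };
struct Cell { uint32_t indexingType; uint32_t typeInfoFlags; };

// Assumption: GCC/Clang. The empty asm consumes `p`, so the compiler must keep
// the base pointer materialised (in a register or stack slot) up to this point,
// where a conservative GC root scan can find it.
template<typename T>
inline void keepAlive(T* p) {
    asm volatile("" : : "g"(p) : "memory");
}

// Before: only the interior pointer &structure->m_blob needs to survive the
// reads; `structure` itself may be dead as far as the optimizer is concerned.
Cell constructCellUnpinned(const Structure* structure) {
    Cell c;
    c.indexingType = structure->m_blob.indexingType;
    c.typeInfoFlags = structure->m_blob.typeInfoFlags;
    return c;
}

// After: the barrier keeps the base pointer live until the last read from the
// blob has happened, so the structure stays reachable throughout construction.
Cell constructCellPinned(const Structure* structure) {
    Cell c;
    c.indexingType = structure->m_blob.indexingType;
    c.typeInfoFlags = structure->m_blob.typeInfoFlags;
    keepAlive(structure);
    return c;
}
```

The two functions compute the same values; the difference is only in what the optimizer is allowed to drop before the reads complete, which is exactly what a conservative collector depends on.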
Mark Lam
Comment 4 2020-06-25 12:14:51 PDT
Created attachment 402787 [details] patch for landing.
Mark Lam
Comment 5 2020-06-25 12:33:40 PDT
Thanks for the review. Landed in r263523: <http://trac.webkit.org/r263523>.