Bug 60672 - Protect JSC from WebCore executing JS during JS wrapper finalization
Summary: Protect JSC from WebCore executing JS during JS wrapper finalization
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Oliver Hunt
URL:
Keywords:
Depends on:
Blocks:
Reported: 2011-05-11 15:52 PDT by Oliver Hunt
Modified: 2011-05-11 18:31 PDT

See Also:


Attachments
Patch (6.93 KB, patch)
2011-05-11 18:06 PDT, Oliver Hunt
darin: review+

Description Oliver Hunt 2011-05-11 15:52:44 PDT
Protect JSC from WebCore executing JS during JS wrapper finalization
Comment 1 Oliver Hunt 2011-05-11 18:06:29 PDT
Created attachment 93228
Patch
Comment 2 Darin Adler 2011-05-11 18:12:36 PDT
Comment on attachment 93228
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=93228&action=review

It’s clean to forbid this at the JavaScriptCore level, but we’d also like to change WebCore so it doesn’t have the kind of dangerous destructors that could lead to this kind of reentrancy.

> Source/JavaScriptCore/heap/Heap.h:83
> -        bool isBusy(); // true if an allocation or collection is in progress
> +        // true if an allocation or collection is in progress
> +        bool isBusy()
> +        {
> +            return m_operationInProgress != NoOperation;
> +        }
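Review bot: `isBusy()` only reads `m_operationInProgress`, so it could be declared `const` (`bool isBusy() const`) so that callers holding a `const Heap&` can query it; the moved comment could also say what the flag is meant to guard, since the bug title says the purpose is to stop WebCore from executing JS while JS wrappers are being finalized.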

You could have put this inline at the end of the file. I often prefer that because I like the class definition to be as clean as possible.
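The reentrancy problem the review discusses, modelled as an added C++ example that is not WebKit's code: a toy `Heap` tracks an operation-in-progress state exactly as the quoted `isBusy()` does, a wrapper finalizer registered with `addFinalizer` tries to execute script while the collection is running, and the script entry point `executeScript` consults `isBusy()` and refuses. The class layout, `collect()`, `executeScript()` and `demo()` are assumptions made for illustration; the page does not show how the real patch reacts when `isBusy()` is true, so refusing with a return value is a choice made here, not WebKit's behaviour.

```cpp
// Added example, not WebKit code: models the isBusy() guard against
// running script from a finalizer during garbage collection.
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Same shape as the quoted JavaScriptCore enum: NoOperation means idle.
enum OperationInProgress { NoOperation, Allocation, Collection };

class Heap {
public:
    // true if an allocation or collection is in progress (mirrors the patch).
    bool isBusy() const { return m_operationInProgress != NoOperation; }

    // Registers a wrapper finalizer to be run by the next collection (assumed API).
    void addFinalizer(std::function<void(Heap&)> finalizer)
    {
        m_finalizers.push_back(std::move(finalizer));
    }

    // Runs every finalizer with the heap marked busy, as a real collection would.
    void collect()
    {
        m_operationInProgress = Collection;
        for (auto& finalizer : m_finalizers)
            finalizer(*this);
        m_finalizers.clear();
        m_operationInProgress = NoOperation;
    }

private:
    OperationInProgress m_operationInProgress = NoOperation;
    std::vector<std::function<void(Heap&)>> m_finalizers;
};

// Assumed script entry point: refuses to run script while the heap is busy,
// so a "dangerous destructor" cannot reenter the engine mid-collection.
bool executeScript(Heap& heap, const std::string& source, int& executedCount)
{
    if (heap.isBusy())
        return false; // reentrancy from a finalizer is refused here
    (void)source;     // a real engine would evaluate it
    ++executedCount;
    return true;
}

struct Outcome {
    bool outsideRan;          // script run while the heap was idle
    bool finalizerAttemptRan; // script attempted from inside a finalizer
    int executedCount;        // how many scripts actually ran
    bool busyAfterCollect;    // heap state once collection has finished
};

// Constructed scenario: one script outside collection, one from a finalizer.
Outcome demo()
{
    Heap heap;
    int executed = 0;
    bool fromFinalizer = true;
    heap.addFinalizer([&](Heap& h) {
        // This is the WebCore-style destructor the review warns about.
        fromFinalizer = executeScript(h, "onunload()", executed);
    });
    bool outside = executeScript(heap, "1 + 1", executed);
    heap.collect();
    return { outside, fromFinalizer, executed, heap.isBusy() };
}
```

Only the script run while the heap was idle executes; the attempt from the finalizer is turned away and the heap returns to the idle state once `collect()` finishes.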
Comment 3 Oliver Hunt 2011-05-11 18:31:31 PDT
Committed r86300: <http://trac.webkit.org/changeset/86300>