WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
84648
Failure to allocate ArrayStorage in emit_op_new_array leads to poisonous JSArray
https://bugs.webkit.org/show_bug.cgi?id=84648
Summary
Failure to allocate ArrayStorage in emit_op_new_array leads to poisonous JSArray
Mark Hahnenberg
Reported
2012-04-23 16:29:51 PDT
When emit_op_new_array successfully allocates a new JSArray but fails to allocate the corresponding ArrayStorage for it, it falls back to the out-of-line stub call to constructArray, which constructs and entirely new JSArray/ArrayStorage pair. This leaves us with a JSArray hanging around on the stack or in a register that did not go through its own constructor, thus giving it uninitialized memory in the two fields that are checked in JSArray::visitChildren. The fix for this is to detect when we have successfully allocated a JSArray but failed to allocate its backing store and to write zeros into the correct places in the object prior to abandoning it.
Attachments
Patch
(2.99 KB, patch)
2012-04-23 20:19 PDT
,
Mark Hahnenberg
no flags
Details
Formatted Diff
Diff
Bencher results
(14.00 KB, text/plain)
2012-04-24 09:52 PDT
,
Mark Hahnenberg
no flags
Details
Patch
(8.18 KB, patch)
2012-04-24 11:18 PDT
,
Mark Hahnenberg
no flags
Details
Formatted Diff
Diff
Patch
(28.66 KB, patch)
2012-05-10 10:04 PDT
,
Rafael Weinstein
no flags
Details
Formatted Diff
Diff
Show Obsolete
(2)
View All
Add attachment
proposed patch, testcase, etc.
Mark Hahnenberg
Comment 1
2012-04-23 20:19:29 PDT
Created
attachment 138492
[details]
Patch
Geoffrey Garen
Comment 2
2012-04-23 21:16:34 PDT
Comment on
attachment 138492
[details]
Patch (1) Regression test, please. (2) A better fix is to allocate the backing store first. That way, no special branching, and no zombie JSArray. (3) Please re-verify that this inlining is still a performance win. It's a bit odd to have an optimization only in the slow JIT.
Geoffrey Garen
Comment 3
2012-04-24 09:25:27 PDT
<
rdar://problem/11309000
>
Mark Hahnenberg
Comment 4
2012-04-24 09:52:49 PDT
Created
attachment 138583
[details]
Bencher results These are the benchmark results for ToT without the optimization (just a stub call like we used to do) compared to the optimization along with this particular fix. Looks like a small win. I think when we finish
bug 79198
arrays will be in a much better state in general.
Mark Hahnenberg
Comment 5
2012-04-24 11:18:53 PDT
Created
attachment 138605
[details]
Patch
Geoffrey Garen
Comment 6
2012-04-24 12:32:50 PDT
Comment on
attachment 138605
[details]
Patch View in context:
https://bugs.webkit.org/attachment.cgi?id=138605&action=review
Boy, those perf numbers are whisper-thin. Still, the fix is good, so let's take it.
> Source/JavaScriptCore/jit/JITInlineMethods.h:490 > + // Allocate the backing store for the array. We allocate the storage first > + // because it could fail and we have to take the slow path, which would leave > + // behind a zombie JSArray with inconsistent state, potentially causing a GC crash.
Hard to understand a comment about a potentially bad alternate version of the code. I would just say, "We allocate the backing store first to ensure that garbage collection doesn't happen during JSArray initialization".
Mark Hahnenberg
Comment 7
2012-04-24 12:44:42 PDT
Fixed in
http://trac.webkit.org/changeset/115096
.
Rafael Weinstein
Comment 8
2012-05-10 10:04:31 PDT
Reopening to attach new patch.
Rafael Weinstein
Comment 9
2012-05-10 10:04:33 PDT
Created
attachment 141188
[details]
Patch
Mark Hahnenberg
Comment 10
2012-05-10 10:08:56 PDT
(In reply to
comment #8
)
> Reopening to attach new patch.
I don't think this is the bug you meant to reopen.
Rafael Weinstein
Comment 11
2012-05-10 10:20:23 PDT
Sorry. No, it wasn't
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug