JSArray has some object scanning races
https://bugs.webkit.org/show_bug.cgi?id=166874
Reviewed by Mark Lam.
This fixes two separate bugs, both of which I detected by running
array-splice-contiguous.js in extreme anger:
1) Some of the paths of shifting and unshifting were not grabbing the internal cell
lock. This was causing the array storage scan to crash, even though it was well
synchronized (the scan does hold the lock). The fix is just to hold the lock anywhere
that memmoves the innards of the butterfly.
2) Out of line property scanning was synchronized using double collect snapshot. Array
storage scanning was synchronized using locks. But what if array storage
transformations messed up the out of line properties? It turns out that we actually
need to hoist the array storage scanner's locking up into the double collect
snapshot.
I don't know how to write a test that does any better of a job of catching this than
array-splice-contiguous.js.
* heap/DeferGC.h: Make DisallowGC usable even if NDEBUG.
* runtime/JSArray.cpp:
(JSC::JSArray::unshiftCountSlowCase):
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::unshiftCountWithArrayStorage):
* runtime/JSObject.cpp:
(JSC::JSObject::visitButterflyImpl):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@210553 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/runtime/JSArray.h b/Source/JavaScriptCore/runtime/JSArray.h
index 0a57f4a..1631dd2 100644
--- a/Source/JavaScriptCore/runtime/JSArray.h
+++ b/Source/JavaScriptCore/runtime/JSArray.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
- * Copyright (C) 2003, 2007, 2008, 2009, 2012, 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2017 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
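Review bot: the collapsed range `2003-2017` on the `+` line now asserts copyright for years the removed line did not list (2004-2006, 2010-2011, 2013-2014); if the project convention is to list only years with actual changes, keep the explicit list and append 2017 instead of collapsing it.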
@@ -177,7 +177,7 @@
bool unshiftCountWithAnyIndexingType(ExecState*, unsigned startIndex, unsigned count);
bool unshiftCountWithArrayStorage(ExecState*, unsigned startIndex, unsigned count, ArrayStorage*);
- bool unshiftCountSlowCase(VM&, DeferGC&, bool, unsigned);
+ bool unshiftCountSlowCase(const AbstractLocker&, VM&, DeferGC&, bool, unsigned);
bool setLengthWithArrayStorage(ExecState*, unsigned newLength, bool throwException, ArrayStorage*);
void setLengthWritable(ExecState*, bool writable);
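Review bot: the new leading `const AbstractLocker&` parameter on `unshiftCountSlowCase` acts as a proof-of-lock token, which matches the fix described in the message (the slow path must run under the internal cell lock before it memmoves the butterfly), but the declaration leaves every parameter unnamed (`bool, unsigned`) while the neighbouring declarations on the `unshiftCount*` and `setLength*` lines name theirs; naming them, and noting in a one-line comment that the locker must be the cell's internal lock, would document the invariant for callers. Also confirm that this header already has the include that declares `AbstractLocker`, since the hunk adds none.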