Google Git
Sign in
webkit / WebKit / eac79cdcc9ecf6a3fdb6111fd6011cd7d885e8b3^! / . / Source / JavaScriptCore / ChangeLog
commiteac79cdcc9ecf6a3fdb6111fd6011cd7d885e8b3[log] [tgz]
authorleo.yang@torchmobile.com.cn <leo.yang@torchmobile.com.cn@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Wed Jun 13 00:23:49 2012 +0000
committerleo.yang@torchmobile.com.cn <leo.yang@torchmobile.com.cn@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Wed Jun 13 00:23:49 2012 +0000
tree1d4565411dd2d82b1328949e8dab608c45f6f063
parentc339f9c11bc260322b050860cc531af5f02bad07 [diff] [blame]
Dynamic hash table in DOMObjectHashTableMap is wrong in multiple threads
https://bugs.webkit.org/show_bug.cgi?id=87334

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Add a copy member function to JSC::HasTable. This function will copy all data
members except for *table* which contains thread specific data that prevents
up copying it. When you want to copy a JSC::HashTable that was constructed
on another thread you should call JSC::HashTable::copy().

* runtime/Lookup.h:
(JSC::HashTable::copy):
(HashTable):

Source/WebCore:

Adapt to JSC::HashTable::copy to avoid copy dynamic table member of a HashTable.
The dynamic table may be allocated on other thread and contains thread specific
identifiers. For example, a hash table of JSEntryArray was first initialized on a
worker thread, and then the user reloaded the page, another worker thread is
created due to reload, the dynamic allocated table in *staticTable* is specific
to the first worker thread which has died. If the user reload the page again,
the dynamic table will be freed and memory corruption will occur.

No functionalities changed, no new tests.

* bindings/js/DOMObjectHashTableMap.h:
(WebCore::DOMObjectHashTableMap::get):


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@120143 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index b04f2a5..04cac53 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog

@@ -1,3 +1,19 @@
+2012-06-12  Leo Yang  <leo.yang@torchmobile.com.cn>
+
+        Dynamic hash table in DOMObjectHashTableMap is wrong in multiple threads
+        https://bugs.webkit.org/show_bug.cgi?id=87334
+
+        Reviewed by Geoffrey Garen.
+
+        Add a copy member function to JSC::HasTable. This function will copy all data
+        members except for *table* which contains thread specific data that prevents
+        up copying it. When you want to copy a JSC::HashTable that was constructed
+        on another thread you should call JSC::HashTable::copy().
+
+        * runtime/Lookup.h:
+        (JSC::HashTable::copy):
+        (HashTable):
+
 2012-06-12  Filip Pizlo  <fpizlo@apple.com>
 
         DFG should not ASSERT if you have a double use of a variable that is not revealed to be a double