Timestamp:
May 9, 2012, 4:56:05 PM (13 years ago)
Author:
[email protected]
Message:

GC race condition in OpaqueJSClass::prototype
https://bugs.webkit.org/show_bug.cgi?id=86034

Reviewed by Filip Pizlo.

The bug here is basically:

if (weakref) weakref->method()

where a GC may occur between the if & the method call.

  • API/JSClassRef.cpp:

(OpaqueJSClass::prototype):

File:
1 edited

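--- a/trunk/Source/JavaScriptCore/API/JSClassRef.cpp
+++ b/trunk/Source/JavaScriptCore/API/JSClassRef.cpp
@@ -210,12 +210,15 @@
     OpaqueJSClassContextData& jsClassData = contextData(exec);
 
-    if (!jsClassData.cachedPrototype) {
-        // Recursive, but should be good enough for our purposes
-        jsClassData.cachedPrototype = PassWeak<JSObject>(JSCallbackObject<JSNonFinalObject>::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->callbackObjectStructure(), prototypeClass, &jsClassData), 0); // set jsClassData as the object's private data, so it can clear our reference on destruction
-        if (parentClass) {
-            if (JSObject* prototype = parentClass->prototype(exec))
-                jsClassData.cachedPrototype->setPrototype(exec->globalData(), prototype);
-        }
-    }
-    return jsClassData.cachedPrototype.get();
-}
+    if (JSObject* prototype = jsClassData.cachedPrototype.get())
+        return prototype;
+
+    // Recursive, but should be good enough for our purposes
+    prototype = JSCallbackObject<JSNonFinalObject>::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->callbackObjectStructure(), prototypeClass, &jsClassData); // set jsClassData as the object's private data, so it can clear our reference on destruction
+    if (parentClass) {
+        if (JSObject* parentPrototype = parentClass->prototype(exec))
+            prototype->setPrototype(exec->globalData(), parentPrototype);
+    }
+
+    jsClassData.cachedPrototype = PassWeak<JSObject>(prototype, 0);
+    return prototype;
+}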
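Review bot: As rendered, new line 216 assigns to `prototype` with no declaration in scope — the `prototype` introduced by the `if` on line 212 lives only for that statement, and outside it the unqualified name would denote the member function `OpaqueJSClass::prototype` itself, so this line would not compile; if the rendering is faithful rather than a dropped token, it should read `JSObject* prototype = JSCallbackObject<JSNonFinalObject>::create(exec, exec->lexicalGlobalObject(), exec->lexicalGlobalObject()->callbackObjectStructure(), prototypeClass, &jsClassData);`. Separately, the fix depends on the weak pointer being dereferenced exactly once into a strong local before anything that can allocate runs, and nothing in the code says so; a comment above line 212 would keep the next editor from reintroducing the check-then-get pattern: `// Read the weak reference once into a local: a GC between a null check and a later get() can clear it (bug 86034).` The function's opening lines (the `prototypeClass` guard and the `contextData` lookup) are above the hunk.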