Changeset 169740 in webkit for trunk/Source/JavaScriptCore/runtime/JSObject.cpp

Timestamp:

Jun 9, 2014, 8:01:42 PM (11 years ago)

Author:

[email protected]

Message:

Global HashTables contain references to atomic StringImpls
​https://bugs.webkit.org/show_bug.cgi?id=133661

Reviewed by Geoffrey Garen.

This was a long-standing bug revealed by bug 133558. The issue is that the global static HashTables
cache their set of keys as StringImpls that are associated with a particular VM. This is obviously
incompatible with using multiple VMs on multiple threads (e.g. when using workers). The fix is to
change the "keys" field of the static HashTables to be char instead of StringImpl.

• runtime/JSObject.cpp:

(JSC::getClassPropertyNames):

• runtime/Lookup.cpp:

(JSC::HashTable::createTable):
(JSC::HashTable::deleteTable):

• runtime/Lookup.h:

(JSC::HashTable::ConstIterator::key):
(JSC::HashTable::entry):

File:

• trunk/Source/JavaScriptCore/runtime/JSObject.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -87 +87 @@
         for (auto iter = table->begin(vm); iter != table->end(vm); ++iter) {
             if ((!(iter->attributes() & DontEnum) || (mode == IncludeDontEnumProperties)) && !((iter->attributes() & BuiltinOrFunction) && didReify))
-                propertyNames.add(iter.key());
+                propertyNames.add(Identifier(&vm, iter.key()));
         }
     }