Changeset 222398 in webkit for trunk/Source/JavaScriptCore


Timestamp:
Sep 22, 2017, 12:18:33 PM (8 years ago)
Author:
[email protected]
Message:

Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
https://bugs.webkit.org/show_bug.cgi?id=177368

Reviewed by Keith Miller.

  • runtime/ErrorInstance.cpp:

(JSC::ErrorInstance::finishCreation):
(JSC::ErrorInstance::materializeErrorInfoIfNeeded):
(JSC::ErrorInstance::visitChildren):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

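--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,14 @@
+2017-09-22  Saam Barati  <[email protected]>
+
+        Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
+        https://bugs.webkit.org/show_bug.cgi?id=177368
+
+        Reviewed by Keith Miller.
+
+        * runtime/ErrorInstance.cpp:
+        (JSC::ErrorInstance::finishCreation):
+        (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
+        (JSC::ErrorInstance::visitChildren):
+
 2017-09-22  Yusuke Suzuki  <[email protected]>
 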
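--- a/trunk/Source/JavaScriptCore/runtime/ErrorInstance.cpp
+++ b/trunk/Source/JavaScriptCore/runtime/ErrorInstance.cpp
@@ -116,5 +116,11 @@
         putDirect(vm, vm.propertyNames->message, jsString(&vm, message), DontEnum);
 
-    m_stackTrace = getStackTrace(exec, vm, this, useCurrentFrame);
+    std::unique_ptr<Vector<StackFrame>> stackTrace = getStackTrace(exec, vm, this, useCurrentFrame);
+    {
+        auto locker = holdLock(*this);
+        m_stackTrace = WTFMove(stackTrace);
+    }
+    vm.heap.writeBarrier(this);
+
     if (m_stackTrace && !m_stackTrace->isEmpty() && hasSourceAppender()) {
         unsigned bytecodeOffset;
@@ -203,5 +209,8 @@
    
     addErrorInfo(vm, m_stackTrace.get(), this);
-    m_stackTrace = nullptr;
+    {
+        auto locker = holdLock(*this);
+        m_stackTrace = nullptr;
+    }
    
     m_errorInfoMaterialized = true;
@@ -223,7 +232,10 @@
     Base::visitChildren(thisObject, visitor);
 
-    if (thisObject->m_stackTrace) {
-        for (StackFrame& frame : *thisObject->m_stackTrace)
-            frame.visitChildren(visitor);
+    {
+        auto locker = holdLock(*thisObject);
+        if (thisObject->m_stackTrace) {
+            for (StackFrame& frame : *thisObject->m_stackTrace)
+                frame.visitChildren(visitor);
+        }
     }
 }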
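Review bot: The reads of `m_stackTrace` that remain outside the lock, at new line 125 (`if (m_stackTrace && !m_stackTrace->isEmpty() && hasSourceAppender())`) and at new line 210 (`addErrorInfo(vm, m_stackTrace.get(), this)`), are safe only under the invariant that the mutator is the sole writer and the collector only reads in visitChildren, and nothing in the hunks records that invariant for the next maintainer. I would add one comment at the first locked store, `// m_stackTrace is written only by the mutator and always under this lock; visitChildren reads it under the same lock, so mutator-side reads of it may stay unlocked.`. The `vm.heap.writeBarrier(this);` after that store also deserves a line, `// The frames carry cells that visitChildren marks, so the new pointer needs a barrier.`, since the field is a unique_ptr and the reason for the barrier is not visible from its type. finishCreation, materializeErrorInfoIfNeeded and visitChildren all begin outside these hunks, so I could not confirm whether an earlier write to `m_stackTrace` exists elsewhere in them.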