Changeset 262392 in webkit for trunk/Source/JavaScriptCore/runtime/JSBigInt.cpp

Timestamp:

Jun 1, 2020, 1:27:12 PM (5 years ago)

Author:

[email protected]

Message:

[JSC] JSBigInt::rightTrim can miss |this| pointer and leads to incorrect GC collection
​https://bugs.webkit.org/show_bug.cgi?id=212601

Reviewed by Saam Barati.

JSTests:

• stress/bigint-should-not-be-collected-while-creating.js: Added.

(foo.let.increment.10000n.bar):
(foo):

Source/JavaScriptCore:

This is pretty rare case. But in some optimization level, JSBigInt::rightTrim could store |this| + offset pointer into the stack instead of |this|
and make conservative GC think that |this| JSBigInt is unreachable. We put ensureStillAliveHere(this) to ensure that this is alive.

• runtime/JSBigInt.cpp:

(JSC::JSBigInt::rightTrim):

File:

• trunk/Source/JavaScriptCore/runtime/JSBigInt.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/runtime/JSBigInt.cpp

@@ -2321 +2321 @@
     trimmedBigInt->setSign(this->sign());
 
+    ensureStillAliveHere(this);
+
     return trimmedBigInt;
 }