[webkit-changes] [WebKit/WebKit] 9ce98e: [JSC] Ensure StructureStubInfoClearingWatchpoint d...
Dan Hecht
noreply at github.com
Tue Sep 10 19:20:31 PDT 2024
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 9ce98e026db34cb0c1acf073da731354b622a6f6
https://github.com/WebKit/WebKit/commit/9ce98e026db34cb0c1acf073da731354b622a6f6
Author: Dan Hecht <dan.hecht at apple.com>
Date: 2024-09-10 (Tue, 10 Sep 2024)
Changed paths:
M Source/JavaScriptCore/bytecode/CodeBlock.cpp
M Source/JavaScriptCore/bytecode/CodeBlock.h
M Source/JavaScriptCore/bytecode/CodeBlockInlines.h
M Source/JavaScriptCore/bytecode/CodeBlockJettisoningWatchpoint.cpp
M Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp
M Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp
M Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h
M Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.cpp
M Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.h
M Source/JavaScriptCore/dfg/DFGAdaptiveStructureWatchpoint.cpp
Log Message:
-----------
[JSC] Ensure StructureStubInfoClearingWatchpoint does not outlive its CodeBlock
https://bugs.webkit.org/show_bug.cgi?id=279384
rdar://122375587
Reviewed by Yusuke Suzuki.
StructureStubInfoClearingWatchpoint is kept alive by references from
both the CodeBlock and the Executable. If the CodeBlock is destructed
first and the Executable destruction is delayed, the watchpoint could
fire after the CodeBlock destruction and the JSCell::isLive() call for
the CodeBlock could try to walk a MarkedBlock that has already been
freed, leading to crashes.

Instead, proactively free the watchpoint when the CodeBlock is being
destructed.

Also add some debug-only code to help catch this sort of lifetime
issue involving CodeBlock and Watchpoint.
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::CodeBlock):
(JSC::CodeBlock::destroy):
(JSC::CodeBlock::findStubInfo):
(JSC::CodeBlock::resetBaselineJITData): Deleted.
* Source/JavaScriptCore/bytecode/CodeBlock.h:
* Source/JavaScriptCore/bytecode/CodeBlockInlines.h:
(JSC::CodeBlock::wasDestructed):
* Source/JavaScriptCore/bytecode/CodeBlockJettisoningWatchpoint.cpp:
(JSC::CodeBlockJettisoningWatchpoint::fireInternal):
* Source/JavaScriptCore/bytecode/InlineCacheCompiler.cpp:
(JSC::InlineCacheHandler::aboutToDie):
* Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::~LLIntPrototypeLoadAdaptiveStructureWatchpoint):
(JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
* Source/JavaScriptCore/bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
* Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.cpp:
(JSC::StructureStubInfoClearingWatchpoint::~StructureStubInfoClearingWatchpoint):
(JSC::StructureStubInfoClearingWatchpoint::fireInternal):
* Source/JavaScriptCore/bytecode/StructureStubClearingWatchpoint.h:
* Source/JavaScriptCore/dfg/DFGAdaptiveStructureWatchpoint.cpp:
(JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
Canonical link: https://commits.webkit.org/283454@main
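The ownership hazard the commit message describes, as an added C++ model that is not JSC's code: a watchpoint referenced by both a CodeBlock and an Executable-owned set, a destroy() that either does or does not proactively free it, and a debug-only wasDestructed() flag standing in for the commit's added check. The class names, the shared_ptr ownership and the flag are assumptions of this model; the real JSCell::isLive() walk over reclaimed memory is what crashed and is not reproduced here.

```cpp
#include <algorithm>
#include <memory>
#include <vector>
struct CodeBlock;

struct ClearingWatchpoint {
    CodeBlock* codeBlock;   // non-owning back-reference into the CodeBlock
    explicit ClearingWatchpoint(CodeBlock* cb) : codeBlock(cb) {}
    bool fire();            // true if it reached into an already-destructed CodeBlock
};

// Owned by the Executable; its own reference is what lets a watchpoint outlive its CodeBlock.
struct WatchpointSet {
    std::vector<std::shared_ptr<ClearingWatchpoint>> members;
    void remove(ClearingWatchpoint* wp) {
        members.erase(std::remove_if(members.begin(), members.end(),
            [wp](const std::shared_ptr<ClearingWatchpoint>& p) { return p.get() == wp; }), members.end());
    }
    int fireAll() { int stale = 0; for (auto& wp : members) stale += wp->fire(); return stale; }
};

struct CodeBlock {
    WatchpointSet& executableSet;
    std::shared_ptr<ClearingWatchpoint> watchpoint;   // shared with the Executable
    bool destructed = false;                          // debug-only marker (hypothetical)
    explicit CodeBlock(WatchpointSet& set)
        : executableSet(set), watchpoint(std::make_shared<ClearingWatchpoint>(this)) {
        executableSet.members.push_back(watchpoint);
    }
    // Explicit teardown, run before the storage is reclaimed (as a GC sweep would).
    void destroy(bool proactivelyFreeWatchpoint) {
        if (proactivelyFreeWatchpoint) executableSet.remove(watchpoint.get());  // the fix
        watchpoint.reset();   // pre-fix: dropping only our reference leaves the set's behind
        destructed = true;
    }
    bool wasDestructed() const { return destructed; }
};

bool ClearingWatchpoint::fire() {
    // Debug check in the spirit of the commit's added assertion: a firing watchpoint must
    // not find its CodeBlock destructed (safe here only because the storage still exists).
    return codeBlock->wasDestructed();   // real code would otherwise clear the stub info
}

// CodeBlock torn down first; the Executable's set lingers and fires later.
int staleFiresAfterDestroy(bool withFix) {
    WatchpointSet executableSet;
    CodeBlock codeBlock(executableSet);
    codeBlock.destroy(withFix);
    return executableSet.fireAll();   // 1 without the fix, 0 with it
}
```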