<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[279924] trunk/Source</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/279924">279924</a></dd>
<dt>Author</dt> <dd>mark.lam@apple.com</dd>
<dt>Date</dt> <dd>2021-07-14 15:10:35 -0700 (Wed, 14 Jul 2021)</dd>
</dl>

<h3>Log Message</h3>
<pre>Speculative fix for failed scope.releaseAssertNoException() after calls to JSMap::create().
https://bugs.webkit.org/show_bug.cgi?id=227964
rdar://78013960

Reviewed by Yusuke Suzuki.

Source/JavaScriptCore:

There have been reports of flaky failures on the scope.releaseAssertNoException()
after the call to JSMap::create() in JSModuleLoader::finishCreation().

The scope.releaseAssertNoException() says that we don't expect the JSMap::create()
to ever throw an exception.  If the assertion is true, the only way that we can
see an exception there is if we're throwing an asynchronous TerminationException.

Since JSModuleLoader::finishCreation() does not have any long running loops, we can
just DeferTerminationForAWhile and let the next exception check site throw the
asynchronous TerminationException.  We don't want to just use DeferTermination
because it will throw the TerminationException right at the end of
JSModuleLoader::finishCreation(), and the caller of JSModuleLoader::finishCreation()
may be similarly not expecting an exception to be thrown there.

Also apply the same treatment to AbstractModuleRecord::finishCreation(), and
getBackingMap() in WebCore for the same reason.  Other than those, other sites that
call JSMap::create() already check for exceptions.  So, those sites do not need to
DeferTerminationForAWhile.

* runtime/AbstractModuleRecord.cpp:
(JSC::AbstractModuleRecord::finishCreation):
* runtime/JSModuleLoader.cpp:
(JSC::JSModuleLoader::finishCreation):

Source/WebCore:

* bindings/js/JSDOMMapLike.cpp:
(WebCore::getBackingMap):</pre>
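<p>Added illustrative model of the distinction the log message draws between DeferTermination and DeferTerminationForAWhile; this is example code written for this page, not WebKit's implementation. The VM, the two scope classes, the check-site behaviour and the NoDefer/jsMapCreate stand-ins are simplified assumptions that borrow the log message's names only as labels.</p>

```cpp
// Stand-in for JSC's VM: an asynchronous termination request only becomes a
// thrown TerminationException at an explicit exception check site.
struct VM {
    bool terminationRequested = false;
    bool hasPendingException = false;  // models "a TerminationException was thrown"
    int deferDepth = 0;
    void checkForTermination() {  // an exception check site
        if (terminationRequested && deferDepth == 0)
            hasPendingException = true;
    }
};
// DeferTermination (as modelled): suppresses inside the scope but checks again at exit.
struct DeferTermination {
    VM& vm;
    explicit DeferTermination(VM& v) : vm(v) { ++vm.deferDepth; }
    ~DeferTermination() { --vm.deferDepth; vm.checkForTermination(); }
};
// DeferTerminationForAWhile (as modelled): suppresses inside the scope, skips the exit check.
struct DeferTerminationForAWhile {
    VM& vm;
    explicit DeferTerminationForAWhile(VM& v) : vm(v) { ++vm.deferDepth; }
    ~DeferTerminationForAWhile() { --vm.deferDepth; }
};
// NoDefer models the original JSModuleLoader::finishCreation(): no defer scope at all.
struct NoDefer { explicit NoDefer(VM&) {} };
// Stand-in for JSMap::create(): it contains an exception check site.
void jsMapCreate(VM& vm) { vm.checkForTermination(); }

struct Outcome {
    bool assertAfterCreateHolds;  // scope.releaseAssertNoException() right after create
    bool exceptionOnReturn;       // what the caller of finishCreation() sees
    bool thrownAtNextCheckSite;   // termination still fires at the next check site
};
// Stand-in for finishCreation() entered with a termination request already pending.
template <typename DeferScope>
Outcome finishCreationWithTerminationPending() {
    VM vm;
    vm.terminationRequested = true;  // constructed: the request arrived before entry
    Outcome out{};
    {
        DeferScope deferScope(vm);
        (void)deferScope;
        jsMapCreate(vm);
        out.assertAfterCreateHolds = !vm.hasPendingException;
    }  // deferScope is destroyed here
    out.exceptionOnReturn = vm.hasPendingException;
    vm.checkForTermination();  // the caller's next exception check site
    out.thrownAtNextCheckSite = vm.hasPendingException;
    return out;
}
```

With NoDefer the assertion after create fails; with DeferTermination it holds but the caller receives the exception at scope exit; with DeferTerminationForAWhile neither happens and the termination fires at the next check site.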

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeAbstractModuleRecordcpp">trunk/Source/JavaScriptCore/runtime/AbstractModuleRecord.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeJSModuleLoadercpp">trunk/Source/JavaScriptCore/runtime/JSModuleLoader.cpp</a></li>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorebindingsjsJSDOMMapLikecpp">trunk/Source/WebCore/bindings/js/JSDOMMapLike.cpp</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (279923 => 279924)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog    2021-07-14 22:04:39 UTC (rev 279923)
+++ trunk/Source/JavaScriptCore/ChangeLog       2021-07-14 22:10:35 UTC (rev 279924)
</span><span class="lines">@@ -1,3 +1,35 @@
</span><ins>+2021-07-14  Mark Lam  <mark.lam@apple.com>
+
+        Speculative fix for failed scope.releaseAssertNoException() after calls to JSMap::create().
+        https://bugs.webkit.org/show_bug.cgi?id=227964
+        rdar://78013960
+
+        Reviewed by Yusuke Suzuki.
+
+        There have been reports of flaky failures on the scope.releaseAssertNoException()
+        after the call to JSMap::create() in JSModuleLoader::finishCreation().
+
+        The scope.releaseAssertNoException() says that we don't expect the JSMap::create()
+        to ever throw an exception.  If the assertion is true, the only way that we can
+        see an exception there is if we're throwing an asynchronous TerminationException.
+
+        Since JSModuleLoader::finishCreation() does not have any long running loops, we can
+        just DeferTerminationForAWhile and let the next exception check site throw the
+        asynchronous TerminationException.  We don't want to just use DeferTermination
+        because it will throw the TerminationException right at the end of
+        JSModuleLoader::finishCreation(), and the caller of JSModuleLoader::finishCreation()
+        may be similarly not expecting an exception to be thrown there.
+
+        Also apply the same treatment to AbstractModuleRecord::finishCreation(), and
+        getBackingMap() in WebCore for the same reason.  Other than those, other sites that
+        call JSMap::create() already check for exceptions.  So, those sites do not need to
+        DeferTerminationForAWhile.
+
+        * runtime/AbstractModuleRecord.cpp:
+        (JSC::AbstractModuleRecord::finishCreation):
+        * runtime/JSModuleLoader.cpp:
+        (JSC::JSModuleLoader::finishCreation):
+
</ins><span class="cx"> 2021-07-14  Keith Miller  <keith_miller@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Convert small JIT pool tests into executable fuzzing
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeAbstractModuleRecordcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/AbstractModuleRecord.cpp (279923 => 279924)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/AbstractModuleRecord.cpp     2021-07-14 22:04:39 UTC (rev 279923)
+++ trunk/Source/JavaScriptCore/runtime/AbstractModuleRecord.cpp        2021-07-14 22:10:35 UTC (rev 279924)
</span><span class="lines">@@ -33,6 +33,7 @@
</span><span class="cx"> #include "JSModuleEnvironment.h"
</span><span class="cx"> #include "JSModuleNamespaceObject.h"
</span><span class="cx"> #include "JSModuleRecord.h"
</span><ins>+#include "VMTrapsInlines.h"
</ins><span class="cx"> #include "WebAssemblyModuleRecord.h"
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="lines">@@ -50,8 +51,8 @@
</span><span class="cx"> 
</span><span class="cx"> void AbstractModuleRecord::finishCreation(JSGlobalObject* globalObject, VM& vm)
</span><span class="cx"> {
</span><del>-    DeferTermination deferScope(vm);
-    auto scope = DECLARE_THROW_SCOPE(vm);
</del><ins>+    DeferTerminationForAWhile deferScope(vm);
+    auto scope = DECLARE_CATCH_SCOPE(vm);
</ins><span class="cx"> 
</span><span class="cx">     Base::finishCreation(vm);
</span><span class="cx">     ASSERT(inherits(vm, info()));
</span></span></pre></div>
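Review bot: the switch from DECLARE_THROW_SCOPE to DECLARE_CATCH_SCOPE on the second changed line of this hunk is not mentioned in the ChangeLog, which describes only the DeferTerminationForAWhile change; add a sentence there stating why the scope kind changes along with the defer scope (the function is no longer expected to throw or propagate an exception at its end), so that a later cleanup does not revert one half of the pair.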
<a id="trunkSourceJavaScriptCoreruntimeJSModuleLoadercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/JSModuleLoader.cpp (279923 => 279924)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/JSModuleLoader.cpp   2021-07-14 22:04:39 UTC (rev 279923)
+++ trunk/Source/JavaScriptCore/runtime/JSModuleLoader.cpp      2021-07-14 22:10:35 UTC (rev 279924)
</span><span class="lines">@@ -41,6 +41,7 @@
</span><span class="cx"> #include "ObjectConstructor.h"
</span><span class="cx"> #include "Parser.h"
</span><span class="cx"> #include "ParserError.h"
</span><ins>+#include "VMTrapsInlines.h"
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><span class="lines">@@ -98,6 +99,7 @@
</span><span class="cx"> 
</span><span class="cx"> void JSModuleLoader::finishCreation(JSGlobalObject* globalObject, VM& vm)
</span><span class="cx"> {
</span><ins>+    DeferTerminationForAWhile deferScope(vm);
</ins><span class="cx">     auto scope = DECLARE_CATCH_SCOPE(vm);
</span><span class="cx"> 
</span><span class="cx">     Base::finishCreation(vm);
</span></span></pre></div>
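Review bot: the new `DeferTerminationForAWhile deferScope(vm);` line carries no comment explaining why the ForAWhile variant is used instead of DeferTermination; since the log message says the caller of finishCreation() may also not expect an exception, put that reasoning in a one-line comment at the declaration, where the next person touching this function will see it rather than only in the ChangeLog.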
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (279923 => 279924)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog   2021-07-14 22:04:39 UTC (rev 279923)
+++ trunk/Source/WebCore/ChangeLog      2021-07-14 22:10:35 UTC (rev 279924)
</span><span class="lines">@@ -1,3 +1,14 @@
</span><ins>+2021-07-14  Mark Lam  <mark.lam@apple.com>
+
+        Speculative fix for failed scope.releaseAssertNoException() after calls to JSMap::create().
+        https://bugs.webkit.org/show_bug.cgi?id=227964
+        rdar://78013960
+
+        Reviewed by Yusuke Suzuki.
+
+        * bindings/js/JSDOMMapLike.cpp:
+        (WebCore::getBackingMap):
+
</ins><span class="cx"> 2021-07-14  Jer Noble  <jer.noble@apple.com>
</span><span class="cx"> 
</span><span class="cx">         [Cocoa] Null-pointer deref in MediaKeySystemAccess::createMediaKeys()
</span></span></pre></div>
<a id="trunkSourceWebCorebindingsjsJSDOMMapLikecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/bindings/js/JSDOMMapLike.cpp (279923 => 279924)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/bindings/js/JSDOMMapLike.cpp        2021-07-14 22:04:39 UTC (rev 279923)
+++ trunk/Source/WebCore/bindings/js/JSDOMMapLike.cpp   2021-07-14 22:10:35 UTC (rev 279924)
</span><span class="lines">@@ -40,7 +40,7 @@
</span><span class="cx">     if (!backingMap.isUndefined())
</span><span class="cx">         return { false, *JSC::asObject(backingMap) };
</span><span class="cx"> 
</span><del>-    JSC::DeferTermination deferScope(vm);
</del><ins>+    JSC::DeferTerminationForAWhile deferScope(vm);
</ins><span class="cx">     auto scope = DECLARE_CATCH_SCOPE(vm);
</span><span class="cx"> 
</span><span class="cx">     backingMap = JSC::JSMap::create(&lexicalGlobalObject, vm, lexicalGlobalObject.mapStructure());
</span></span></pre>
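Review bot: unlike the two JavaScriptCore files in this change, this hunk switches to JSC::DeferTerminationForAWhile without adding an `#include "VMTrapsInlines.h"`; confirm JSDOMMapLike.cpp already reaches that header through an existing include, or add it explicitly as the JSC files did for the same class. The early `return { false, *JSC::asObject(backingMap) };` on the first lines runs before the defer scope is entered, which is fine since that path creates nothing.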
</div>
</div>

</body>
</html>