[webkit-reviews] review denied: [Bug 87334] Dynamic hash table in DOMObjectHashTableMap is wrong in multiple threads : [Attachment 143714] Patch v2
bugzilla-daemon at webkit.org
Thu May 24 11:10:23 PDT 2012
Geoffrey Garen <ggaren at apple.com> has denied Leo Yang
<leo.yang at torchmobile.com.cn>'s request for review:
Bug 87334: Dynamic hash table in DOMObjectHashTableMap is wrong in multiple
threads
https://bugs.webkit.org/show_bug.cgi?id=87334
Attachment 143714: Patch v2
https://bugs.webkit.org/attachment.cgi?id=143714&action=review
------- Additional Comments from Geoffrey Garen <ggaren at apple.com>
View in context: https://bugs.webkit.org/attachment.cgi?id=143714&action=review
> Source/WebCore/bindings/js/DOMObjectHashTableMap.h:56
> + // Don't copy dynamic allocated table which may be allocated on
other thread and contains thread specific identifiers.
> + // For example, a JSEntryArray's hash map was first initialized on a
worker thread, and then the user reloaded
> + // the page, another worker thread is created due to reload, the
dynamic allocated table in *staticTable* is specific
> + // to the first worker thread which has died. If the user reload the
page again, the dynamic table will be freed
> + // and memory corruption will occur.
> + table->table = 0;
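Review bot: The reset at "table->table = 0;" only covers this one copy site, so the comment above it should state the invariant, not just the reload scenario: a copied hash table must never share the dynamically allocated table with its source, because that table may hold identifiers specific to another thread. The comment also needs a grammar pass ("dynamically allocated", "If the user reloads"). It should also say where the table gets rebuilt after being set to 0, since that path is not visible in this hunk.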
Is there any other code that copies a JSC::HashTable and needs this fix?
I'd prefer to see this logic in a JSC::HashTable copy constructor. That's the
best way to ensure that we get this idiom right in all uses of JSC::HashTable.
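
The copy-constructor idiom suggested in the review above, as an added C++ example that is not WebKit code and not part of the original message. LazyTable, its members and the sample names are hypothetical stand-ins, not JSC::HashTable.

```cpp
#include <cstddef>
#include <cstring>

// Hypothetical stand-in: static entries plus a lazily built lookup table
// that belongs to exactly one object (and so to one thread's copy).
struct LazyTable {
    const char* const* names;  // static data, safe to share between copies
    std::size_t count;
    int* slots;                // dynamically allocated on first lookup

    LazyTable(const char* const* n, std::size_t c)
        : names(n), count(c), slots(nullptr) {}

    // Copy only the static description; the copy builds its own slots later.
    LazyTable(const LazyTable& other)
        : names(other.names), count(other.count), slots(nullptr) {}

    LazyTable& operator=(const LazyTable& other) {
        if (this != &other) {
            delete[] slots;    // drop our own table, never adopt the other's
            slots = nullptr;
            names = other.names;
            count = other.count;
        }
        return *this;
    }

    ~LazyTable() { delete[] slots; }

    int find(const char* name) {
        if (!slots) {          // lazy build on first use by this object
            slots = new int[count];
            for (std::size_t i = 0; i < count; ++i) slots[i] = static_cast<int>(i);
        }
        for (std::size_t i = 0; i < count; ++i)
            if (std::strcmp(names[slots[i]], name) == 0) return slots[i];
        return -1;
    }
};

static const char* const kNames[] = {"length", "item", "namedItem"};  // constructed sample

// True when a copy taken after the source built its table shares nothing dynamic.
bool copyDoesNotAlias() {
    LazyTable source(kNames, 3);
    source.find("item");                        // forces allocation in source
    LazyTable copy(source);
    bool startsEmpty = (copy.slots == nullptr);
    int index = copy.find("namedItem");         // copy allocates its own table
    return startsEmpty && copy.slots != source.slots && index == 2;
}

int main() { return copyDoesNotAlias() ? 0 : 1; }
```

Because each object frees only the table it built itself, destroying the source and the copy cannot free the same allocation twice.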