[webkit-reviews] review granted: [Bug 194031] [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but order of destruction of JS heap cells are not guaranteed : [Attachment 361005] Patch
bugzilla-daemon at webkit.org
Sun Feb 3 21:38:45 PST 2019
Saam Barati <sbarati at apple.com> has granted Yusuke Suzuki <ysuzuki at apple.com>'s
request for review:
Bug 194031: [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed
before it is destructed, but order of destruction of JS heap cells are not
guaranteed
https://bugs.webkit.org/show_bug.cgi?id=194031
Attachment 361005: Patch
https://bugs.webkit.org/attachment.cgi?id=361005&action=review
--- Comment #8 from Saam Barati <sbarati at apple.com> ---
Comment on attachment 361005
--> https://bugs.webkit.org/attachment.cgi?id=361005
Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=361005&action=review
> Source/JavaScriptCore/bytecode/MetadataTable.cpp:62
> + Ref<UnlinkedMetadataTable> unlinkedMetadata =
WTFMove(linkingData().unlinkedMetadata);
> + linkingData().~LinkingData();
> + // Since UnlinkedMetadata::unlink frees the underlying memory of
MetadataTable.
> + // We need to destroy LinkingData before calling it.
> + unlinkedMetadata->unlink(*this);
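Review bot: the two `+ //` comment lines name `UnlinkedMetadata::unlink`, but the call below them is on `unlinkedMetadata`, which is declared as `Ref<UnlinkedMetadataTable>`, and the sentence is broken in two ("...of MetadataTable." / "We need to destroy..."); fix the type name and join it into one sentence. More importantly, because `unlinkedMetadata->unlink(*this)` frees the storage that `*this` occupies, the invariant that nothing in this destructor, and no member with its own destructor, may run after that call is currently stated only here; it belongs on the `MetadataTable` class declaration as well, together with whatever check is available that the explicit `linkingData().~LinkingData()` is the only member teardown this type performs, so that a member added later with an automatic destructor does not get destroyed on memory that `unlink` has already freed.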
This whole dance is really poorly abstracted. It's very weird that
UnlinkedMetadataTable frees the memory of MetadataTable. Logically, it would be
incorrect for somebody to add a field to MetadataTable that gets auto-destroyed
since that'd mean the memory here is freed before the destructor runs.
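The ownership dance quoted above, as an added example that is not part of the patch or of WebKit (every name here, UnlinkedTable, LinkingData, Table, destroy, is assumed for illustration): a tiny UnlinkedTable owns the buffer a linked Table lives in, the Table's teardown destroys the LinkingData while the memory is still valid and only then hands the buffer back, and a static_assert encodes the invariant the review points at, that Table must not gain a member with its own destructor.

```cpp
// Added example (not WebKit code): a miniature of the ownership dance quoted
// above, plus a compile-time guard for the hazard the review raises. All names
// (UnlinkedTable, LinkingData, Table, destroy) are assumptions for illustration.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <memory>
#include <new>
#include <string>
#include <type_traits>

struct Table;

// Stand-in for UnlinkedMetadataTable: shared and ref-counted, and (as in the
// patch) the object that frees the memory of the linked table.
struct UnlinkedTable {
    int liveLinks = 0;    // linked tables currently alive
    int unlinkCalls = 0;  // bookkeeping so a caller can check what happened

    Table* link(const std::shared_ptr<UnlinkedTable>& self);
    void unlink(Table& table);  // frees the storage `table` lives in
};

// Stand-in for LinkingData: the only non-trivially-destructible state. It sits
// in the buffer just ahead of the Table, not inside it.
struct LinkingData {
    std::shared_ptr<UnlinkedTable> unlinked;
};

struct Table {
    std::uint32_t entries[8];  // a trivially destructible payload is fine

    LinkingData& linkingData();
    void destroy();
};

// Offset of the Table within the buffer, rounded up to Table's alignment.
constexpr std::size_t kTableOffset =
    (sizeof(LinkingData) + alignof(Table) - 1) / alignof(Table) * alignof(Table);

// The guard the review's concern calls for: a member with its own destructor
// would be torn down after unlink() has already freed the memory.
static_assert(std::is_trivially_destructible<Table>::value,
              "Table must stay trivially destructible: its memory is freed by UnlinkedTable::unlink");

LinkingData& Table::linkingData() {
    return *reinterpret_cast<LinkingData*>(reinterpret_cast<char*>(this) - kTableOffset);
}

Table* UnlinkedTable::link(const std::shared_ptr<UnlinkedTable>& self) {
    void* buffer = std::malloc(kTableOffset + sizeof(Table));
    assert(buffer);
    new (buffer) LinkingData{self};  // the linked table keeps us alive
    Table* table = new (static_cast<char*>(buffer) + kTableOffset) Table{};
    ++liveLinks;
    return table;
}

void UnlinkedTable::unlink(Table& table) {
    // destroy() has already run the LinkingData destructor; only the raw buffer
    // is released here. `table` dangles as soon as this returns.
    std::free(reinterpret_cast<char*>(&table) - kTableOffset);
    --liveLinks;
    ++unlinkCalls;
}

void Table::destroy() {
    // Same ordering as the patch: take the ref, destroy LinkingData while the
    // memory is still valid, then let the unlinked table free *this.
    std::shared_ptr<UnlinkedTable> unlinked = std::move(linkingData().unlinked);
    linkingData().~LinkingData();
    unlinked->unlink(*this);  // *this is freed here; nothing may follow that touches it
}

// What the review warns about: adding a field that gets auto-destroyed. The same
// guard applied to this type fails, which is the point of having it.
struct BadTable : Table {
    std::string name;
};
constexpr bool kBadTableWouldBeRejected = !std::is_trivially_destructible<BadTable>::value;

// One link/destroy cycle. Returns true when the unlinked table outlived the
// linked one, dropped back to a single owner, and saw exactly one unlink.
bool runCycle() {
    auto unlinked = std::make_shared<UnlinkedTable>();
    Table* table = unlinked->link(unlinked);
    table->entries[0] = 42;
    bool refHeldWhileLinked = unlinked.use_count() == 2;  // ours plus LinkingData's
    table->destroy();  // frees the table; `table` must not be used after this line
    return refHeldWhileLinked && unlinked.use_count() == 1
        && unlinked->liveLinks == 0 && unlinked->unlinkCalls == 1;
}

int main() { return runCycle() ? 0 : 1; }
```

The static_assert is the part that addresses the review's worry directly: the explicit `linkingData().~LinkingData()` followed by `unlink(*this)` is only safe while Table itself has nothing left to destroy, and a compile error is a much cheaper way to learn that a new member broke that than a use-after-free in the destructor.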