[Webkit-unassigned] [Bug 25416] New: Cached prototype accesses unsafely hoist property storage load above structure checks.
bugzilla-daemon at webkit.org
Sun Apr 26 21:48:58 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=25416
Summary: Cached prototype accesses unsafely hoist property storage load above structure checks.
Product: WebKit
Version: 528+ (Nightly build)
Platform: Macintosh
OS/Version: Mac OS X 10.5
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: barraclough at apple.com
We currently perform the load of the storage array prior to the structure
checks. This is expected to be safe since the value loaded is not used unless
the structure checks do all pass. However if the prototype object has changed,
and if there are no further references to the original prototype object OR to
any other objects within the same heap block, then the heap block may be freed,
and the memory may be unmapped. In the unlikely* event this should happen, the
access will result in a fault.
This can be fixed by simply not hoisting the memory access. This is not
expected to impact performance significantly. Whilst hoisting the load may
have helped in some cases, it will also have resulted in an unnecessary and
unused memory access being performed at other times.
[ * Ummm..... ]
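To make the ordering problem concrete, here is an added C model of an inline-cached prototype access (example code, not JavaScriptCore's JIT; the JSObject, ProtoCache, get_hoisted and get_checked names and the freed flag are assumptions standing in for a real heap block being unmapped). It places the buggy load-then-check ordering beside the fixed check-then-load ordering and shows that only the hoisted variant touches the stale prototype after it has been released.

```c
#include <stdbool.h>
#include <stddef.h>

/* Minimal model of a JS object: the structure id encodes the shape
   (including which prototype it has), storage is the property array.
   'freed' is simulation-only: set when the object's heap block is released. */
typedef struct JSObject {
    unsigned structureId;
    struct JSObject *proto;
    int *storage;
    bool freed;
} JSObject;

/* What the generated stub bakes in at cache time: the expected structure
   ids, the prototype object as a constant pointer, and the slot index. */
typedef struct {
    unsigned selfStructure;
    unsigned protoStructure;
    JSObject *proto;
    size_t slot;
} ProtoCache;

/* Stand-in for the machine load of the storage pointer: reading from a
   released (unmapped) block is a fault, reported here instead of crashing. */
static bool load_storage(const JSObject *o, int **out) {
    if (o->freed) return false;
    *out = o->storage;
    return true;
}

/* Buggy ordering (bug 25416): the storage load precedes the structure checks. */
static bool get_hoisted(const JSObject *obj, const ProtoCache *c, int *result, bool *faulted) {
    int *storage;
    *faulted = false;
    if (!load_storage(c->proto, &storage)) { *faulted = true; return false; }
    if (obj->structureId != c->selfStructure) return false;        /* cache miss */
    if (c->proto->structureId != c->protoStructure) return false;  /* cache miss */
    *result = storage[c->slot];
    return true;
}

/* Fixed ordering: the load happens only after both checks have passed. The self
   structure check passing implies obj still has c->proto as its prototype. */
static bool get_checked(const JSObject *obj, const ProtoCache *c, int *result, bool *faulted) {
    int *storage;
    *faulted = false;
    if (obj->structureId != c->selfStructure) return false;
    if (c->proto->structureId != c->protoStructure) return false;
    if (!load_storage(c->proto, &storage)) { *faulted = true; return false; }
    *result = storage[c->slot];
    return true;
}
```

In the failure scenario the prototype is swapped, the object receives a new structure, and the old prototype's block is released; get_hoisted then reports a fault while get_checked simply misses the cache and falls back to the slow path.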