WebKit Bugzilla
Attachment 361709 Details for Bug 194512: Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list.
[patch] bug-194512.patch (text/plain), 3.92 KB, created by Mark Lam on 2019-02-11 13:48:27 PST
Description: proposed patch.
Filename: bug-194512.patch
MIME Type: text/plain
Creator: Mark Lam
Created: 2019-02-11 13:48:27 PST
Size: 3.92 KB
Attachment flags: patch, obsolete
>Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 241276) >+++ Source/JavaScriptCore/ChangeLog (working copy) >@@ -1,3 +1,17 @@ >+2019-02-11 Mark Lam <mark.lam@apple.com> >+ >+ Randomize insertion of deallocated StructureIDs into the StructureIDTable's free list. >+ https://bugs.webkit.org/show_bug.cgi?id=194512 >+ <rdar://problem/47975465> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * runtime/StructureIDTable.cpp: >+ (JSC::StructureIDTable::StructureIDTable): >+ (JSC::StructureIDTable::allocateID): >+ (JSC::StructureIDTable::deallocateID): >+ * runtime/StructureIDTable.h: >+ > 2019-02-10 Mark Lam <mark.lam@apple.com> > > Remove the RELEASE_ASSERT check for duplicate cases in the BinarySwitch constructor. >Index: Source/JavaScriptCore/runtime/StructureIDTable.cpp >=================================================================== >--- Source/JavaScriptCore/runtime/StructureIDTable.cpp (revision 241276) >+++ Source/JavaScriptCore/runtime/StructureIDTable.cpp (working copy) >@@ -1,5 +1,5 @@ > /* >- * Copyright (C) 2013 Apple Inc. All rights reserved. >+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved. > * > * Redistribution and use in source and binary forms, with or without > * modification, are permitted provided that the following conditions >@@ -32,8 +32,7 @@ > namespace JSC { > > StructureIDTable::StructureIDTable() >- : m_firstFreeOffset(0) >- , m_table(makeUniqueArray<StructureOrOffset>(s_initialSize)) >+ : m_table(makeUniqueArray<StructureOrOffset>(s_initialSize)) > , m_size(0) > , m_capacity(s_initialSize) > { >@@ -96,6 +95,9 @@ StructureID StructureIDTable::allocateID > > StructureID result = m_firstFreeOffset; > m_firstFreeOffset = table()[m_firstFreeOffset].offset; >+ if (!m_firstFreeOffset) >+ m_lastFreeOffset = 0; >+ > table()[result].structure = structure; > ASSERT(!isNuked(result)); > return result; 
>@@ -110,8 +112,23 @@ void StructureIDTable::deallocateID(Stru > #if USE(JSVALUE64) > ASSERT(structureID != s_unusedID); > RELEASE_ASSERT(table()[structureID].structure == structure); >- table()[structureID].offset = m_firstFreeOffset; >- m_firstFreeOffset = structureID; >+ >+ if (!m_firstFreeOffset) { >+ table()[structureID].offset = 0; >+ m_firstFreeOffset = structureID; >+ m_lastFreeOffset = structureID; >+ return; >+ } >+ >+ bool insertAtHead = m_weakRandom.getUint32() & 1; >+ if (insertAtHead) { >+ table()[structureID].offset = m_firstFreeOffset; >+ m_firstFreeOffset = structureID; >+ } else { >+ table()[structureID].offset = 0; >+ table()[m_lastFreeOffset].offset = structureID; >+ m_lastFreeOffset = structureID; >+ } > #else > UNUSED_PARAM(structure); > UNUSED_PARAM(structureID); >Index: Source/JavaScriptCore/runtime/StructureIDTable.h >=================================================================== >--- Source/JavaScriptCore/runtime/StructureIDTable.h (revision 241276) >+++ Source/JavaScriptCore/runtime/StructureIDTable.h (working copy) >@@ -1,5 +1,5 @@ > /* >- * Copyright (C) 2013 Apple Inc. All rights reserved. >+ * Copyright (C) 2013-2019 Apple Inc. All rights reserved. > * > * Redistribution and use in source and binary forms, with or without > * modification, are permitted provided that the following conditions >@@ -28,6 +28,7 @@ > #include "UnusedPointer.h" > #include <wtf/UniqueArray.h> > #include <wtf/Vector.h> >+#include <wtf/WeakRandom.h> > > namespace JSC { > >@@ -110,12 +111,15 @@ private: > > Vector<UniqueArray<StructureOrOffset>> m_oldTables; > >- uint32_t m_firstFreeOffset; >+ uint32_t m_firstFreeOffset { 0 }; >+ uint32_t m_lastFreeOffset { 0 }; > UniqueArray<StructureOrOffset> m_table; > > size_t m_size; > size_t m_capacity; > >+ WeakRandom m_weakRandom; >+ > #if USE(JSVALUE64) > static const StructureID s_unusedID = unusedPointer; > #endif
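Review bot: the ChangeLog entry lists the touched functions but gives no rationale for the change; a sentence stating that deallocateID now inserts a freed StructureID at either the head or the tail of the free list, chosen at random, so that the ID handed out by the next allocateID is less predictable, would help future readers. The `Reviewed by NOBODY (OOPS!)` line also still needs the reviewer filled in before landing.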
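Review bot: the new `if (!m_firstFreeOffset) m_lastFreeOffset = 0;` in allocateID keeps the tail in sync only at the moment the list becomes empty; that is sufficient because the tail otherwise changes only in deallocateID, but an invariant check along the lines of `ASSERT(m_firstFreeOffset || !m_lastFreeOffset);` here would document the head/tail relationship that the tail-insert path in deallocateID depends on.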
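Review bot: in deallocateID the `else` branch writes `table()[m_lastFreeOffset].offset = structureID;` on the assumption that `m_lastFreeOffset` is a valid, non-zero ID whenever `m_firstFreeOffset` is non-zero; that holds given the early-return path for the empty list and the reset in allocateID, but an `ASSERT(m_lastFreeOffset);` before the write would catch any future change that breaks it. A short comment explaining that the `m_weakRandom.getUint32() & 1` coin flip exists to make the reuse order of freed StructureIDs unpredictable would also help, since without it the code reads like an ordinary list-manipulation change.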
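Review bot: in StructureIDTable.h, `m_lastFreeOffset` and `m_weakRandom` are declared unconditionally, while the free-list code that uses them in deallocateID sits under `#if USE(JSVALUE64)`; on the other configuration they are unused members. Either guard the declarations the same way or state in the commit message that the extra storage is accepted. It would also be worth noting there how `WeakRandom` is seeded by its default constructor, because the value of this randomization depends on the seed not being predictable to untrusted content.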
Flags: ysuzuki: review+