Attachment 371137 Details for Bug 198465 – Patch

[patch] Patch

bug-198465-20190602073600.patch (text/plain), 3.46 KB, created by Tadeu Zagallo on 2019-06-01 22:36:01 PDT

(hide)

Description:

Filename:

MIME Type:

Creator: Tadeu Zagallo

Created: 2019-06-01 22:36:01 PDT

Size: 3.46 KB

patch

obsolete

>Subversion Revision: 246014
>diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
>index 038e6d0a295721eda8d9c8a90627f07d1e5841e0..2cee497deae67c1ced6229782ca9e35ef615e642 100644
>--- a/Source/JavaScriptCore/ChangeLog
>+++ b/Source/JavaScriptCore/ChangeLog
>@@ -1,3 +1,22 @@
>+2019-06-01  Tadeu Zagallo  <tzagallo@apple.com>
>+
>+        CachedMetadataTable::decode leaks empty tables
>+        https://bugs.webkit.org/show_bug.cgi?id=198465
>+        <rdar://problem/51307673>
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        CachedMetadataTable::decode creates the metadata and never calls finalize on it.
>+        This leaks the underlying UnlinkedMetadataTable buffer when m_hasMetadata is false,
>+        since the buffer would be freed in finalize instead of in the destructor.
>+
>+        * bytecode/UnlinkedMetadataTable.h:
>+        (JSC::UnlinkedMetadataTable::empty):
>+        * bytecode/UnlinkedMetadataTableInlines.h:
>+        (JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
>+        * runtime/CachedTypes.cpp:
>+        (JSC::CachedMetadataTable::decode const):
>+
> 2019-05-31  Yusuke Suzuki  <ysuzuki@apple.com>
> 
>         Unreviewed, fix setEntryAddressCommon register usage in LLInt ASM Windows 64
>diff --git a/Source/JavaScriptCore/bytecode/UnlinkedMetadataTable.h b/Source/JavaScriptCore/bytecode/UnlinkedMetadataTable.h
>index 17f173fd4e7aaab104cf4e8ea3e59ab960711bb1..280a632ce529e4bcd06f7bf289db54b00a0e0ded 100644
>--- a/Source/JavaScriptCore/bytecode/UnlinkedMetadataTable.h
>+++ b/Source/JavaScriptCore/bytecode/UnlinkedMetadataTable.h
>@@ -61,14 +61,22 @@ public:
>     }
> 
> private:
>+    enum EmptyTag { Empty };
>+
>     UnlinkedMetadataTable();
>     UnlinkedMetadataTable(bool is32Bit);
>+    UnlinkedMetadataTable(EmptyTag);
> 
>     static Ref<UnlinkedMetadataTable> create(bool is32Bit)
>     {
>         return adoptRef(*new UnlinkedMetadataTable(is32Bit));
>     }
> 
>+    static Ref<UnlinkedMetadataTable> empty()
>+    {
>+        return adoptRef(*new UnlinkedMetadataTable(Empty));
>+    }
>+
>     void unlink(MetadataTable&);
> 
>     size_t sizeInBytes(MetadataTable&);
>diff --git a/Source/JavaScriptCore/bytecode/UnlinkedMetadataTableInlines.h b/Source/JavaScriptCore/bytecode/UnlinkedMetadataTableInlines.h
>index 32450da1e580c2e4f3b216dabf5e441a5bbc4a66..bb8e07c4c061aa57dc3223917f12307783a478c7 100644
>--- a/Source/JavaScriptCore/bytecode/UnlinkedMetadataTableInlines.h
>+++ b/Source/JavaScriptCore/bytecode/UnlinkedMetadataTableInlines.h
>@@ -49,6 +49,15 @@ ALWAYS_INLINE UnlinkedMetadataTable::UnlinkedMetadataTable(bool is32Bit)
> {
> }
> 
>+ALWAYS_INLINE UnlinkedMetadataTable::UnlinkedMetadataTable(EmptyTag)
>+    : m_hasMetadata(false)
>+    , m_isFinalized(true)
>+    , m_isLinked(false)
>+    , m_is32Bit(false)
>+    , m_rawBuffer(nullptr)
>+{
>+}
>+
> ALWAYS_INLINE UnlinkedMetadataTable::~UnlinkedMetadataTable()
> {
>     ASSERT(!m_isLinked);
>diff --git a/Source/JavaScriptCore/runtime/CachedTypes.cpp b/Source/JavaScriptCore/runtime/CachedTypes.cpp
>index dc280ce2c460c892ff454844d25accf11aa1f8ab..e0b4cbfb9a503fe72ff91719c77745d16079282e 100644
>--- a/Source/JavaScriptCore/runtime/CachedTypes.cpp
>+++ b/Source/JavaScriptCore/runtime/CachedTypes.cpp
>@@ -1360,6 +1360,9 @@ public:
> 
>     Ref<UnlinkedMetadataTable> decode(Decoder&) const
>     {
>+        if (!m_hasMetadata)
>+            return UnlinkedMetadataTable::empty();
>+
>         Ref<UnlinkedMetadataTable> metadataTable = UnlinkedMetadataTable::create(m_is32Bit);
>         metadataTable->m_isFinalized = true;
>         metadataTable->m_isLinked = false;

Actions: View | Formatted Diff | Diff

Attachments on bug 198465: 371137 | 371141