Set the activeLength of all ScratchBuffers to zero when exiting the VM
author sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 5 Jun 2018 01:12:58 +0000 (01:12 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 5 Jun 2018 01:12:58 +0000 (01:12 +0000)
commit 2d6d15db6a4995c7997d652b2a25abe2351d6b27
tree 40a38b894a930cad90231431f4ade052a8c01324
parent 0a73d9306b9687d2379a35bec2b60419a65f3b2e
Set the activeLength of all ScratchBuffers to zero when exiting the VM
https://bugs.webkit.org/show_bug.cgi?id=186284
<rdar://problem/40780738>

Reviewed by Keith Miller.

Simon recently found instances where we leak global objects from the
ScratchBuffer. Yusuke found that we forgot to set the active length
back to zero when doing catch OSR entry in the DFG/FTL. His solution
to this was adding a node that cleared the active length. This is
a good node to have, but it's not a complete solution: the DFG/FTL
could OSR exit before that node executes, which would cause us to leak
the data in it.

This patch makes it so that we set each scratch buffer's active length
to zero on VM exit. This helps prevent leaks for JS code that eventually
exits the VM (which is essentially all code on the web and all API users).

* runtime/VM.cpp:
(JSC::VM::clearScratchBuffers):
* runtime/VM.h:
* runtime/VMEntryScope.cpp:
(JSC::VMEntryScope::~VMEntryScope):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232490 268f45cc-cd09-0410-ab3c-d52691b4dbfc
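The retention problem the commit message describes, and why clearing from an RAII scope fixes it where a JIT node cannot, modelled as an added example. This is not WebKit's code: the names ScratchBuffer, VM, VMEntryScope and clearScratchBuffers mirror the commit message, but their bodies here are hypothetical simplifications, and `rootsLeftAfterVMExit`, `liveScratchRoots` and the `Cell` type are inventions for the demonstration. The model treats the first `activeLength` slots of a buffer as GC roots; a non-zero `activeLength` left behind after the VM is exited keeps whatever those slots point at alive.

```cpp
#include <cstddef>
#include <memory>
#include <vector>

// Hypothetical heap cell, only something for scratch-buffer slots to point at.
struct Cell { int id; };

// Simplified model of the ScratchBuffer the commit message talks about: only
// the first activeLength slots count as GC roots; slots beyond it are ignored.
struct ScratchBuffer {
    std::vector<Cell*> slots;
    size_t activeLength = 0;

    explicit ScratchBuffer(size_t capacity) : slots(capacity, nullptr) {}

    // Stash values (e.g. for catch OSR entry) and mark them live. The cells stay
    // reachable through this buffer until activeLength is set back to zero.
    void store(const std::vector<Cell*>& values) {
        for (size_t i = 0; i < values.size() && i < slots.size(); ++i)
            slots[i] = values[i];
        activeLength = values.size() < slots.size() ? values.size() : slots.size();
    }
};

// Stand-in for the VM: owns the scratch buffers and a few cells to point at.
struct VM {
    Cell heap[3] = {{1}, {2}, {3}};
    std::vector<std::unique_ptr<ScratchBuffer>> scratchBuffers;

    ScratchBuffer& scratchBufferForSize(size_t capacity) {
        scratchBuffers.push_back(std::make_unique<ScratchBuffer>(capacity));
        return *scratchBuffers.back();
    }

    // The routine the commit adds: reset every buffer's active length on VM exit.
    void clearScratchBuffers() {
        for (auto& buffer : scratchBuffers)
            buffer->activeLength = 0;
    }

    // How many cells a conservative root scan would keep alive through the
    // scratch buffers at this moment (hypothetical helper for the demo).
    size_t liveScratchRoots() const {
        size_t count = 0;
        for (const auto& buffer : scratchBuffers)
            for (size_t i = 0; i < buffer->activeLength; ++i)
                if (buffer->slots[i]) ++count;
        return count;
    }
};

// RAII model of VMEntryScope: the destructor runs on every path out of the VM,
// so the clearing does not depend on any particular JIT node having executed.
struct VMEntryScope {
    VM& vm;
    explicit VMEntryScope(VM& v) : vm(v) {}
    ~VMEntryScope() { vm.clearScratchBuffers(); }
};

// Returns the number of scratch-buffer roots still live after the VM has been
// exited. `clearOnVMExit` toggles the fix; `osrExitSkipsClearNode` models the
// case from the commit message where an OSR exit leaves before the node that
// zeroes activeLength has run.
size_t rootsLeftAfterVMExit(bool clearOnVMExit, bool osrExitSkipsClearNode) {
    VM vm;
    {
        std::unique_ptr<VMEntryScope> scope;
        if (clearOnVMExit)
            scope.reset(new VMEntryScope(vm));

        ScratchBuffer& buffer = vm.scratchBufferForSize(8);
        buffer.store({&vm.heap[0], &vm.heap[1], &vm.heap[2]});  // stashed for catch OSR entry

        if (!osrExitSkipsClearNode)
            buffer.activeLength = 0;  // the DFG/FTL node that clears the active length
        // Control now leaves the VM; `scope` (if any) is destroyed here.
    }
    return vm.liveScratchRoots();
}

int main() {
    // Without the fix and with an OSR exit, the three cells stay rooted (a leak).
    // With the fix, zero roots remain whether or not the clearing node ran.
    return (rootsLeftAfterVMExit(false, true) == 3
            && rootsLeftAfterVMExit(true, true) == 0
            && rootsLeftAfterVMExit(true, false) == 0) ? 0 : 1;
}
```

The point of the scope-based clearing is visible in the `osrExitSkipsClearNode` path: the node-based clear is one instruction on one control-flow path, while a destructor on the VM-exit scope is reached on every path out, which is what makes it a complete fix rather than a best-effort one.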
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/VM.cpp
Source/JavaScriptCore/runtime/VM.h
Source/JavaScriptCore/runtime/VMEntryScope.cpp