[JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is...
authorysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 4 Feb 2019 07:13:00 +0000 (07:13 +0000)
committerysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 4 Feb 2019 07:13:00 +0000 (07:13 +0000)
commitf81ccae1f7f6ec74d3840ed0ca40c0ca0f64dd47
treec230ba6436565b1b9a358205b506844ad8cebe6d
parent2eb660dc6cc88db79504fe08615022cb5158cec9
[JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but order of destruction of JS heap cells are not guaranteed
https://bugs.webkit.org/show_bug.cgi?id=194031

Reviewed by Saam Barati.

UnlinkedMetadataTable assumes that MetadataTable linked against this UnlinkedMetadataTable is already destroyed when UnlinkedMetadataTable is destroyed.
This means that UnlinkedCodeBlock is destroyed after all the linked CodeBlocks are destroyed. But this assumption is not valid since GC's finalizer
sweeps objects without considering the dependencies among swept objects. UnlinkedMetadataTable can be destroyed even before linked MetadataTable is
destroyed if UnlinkedCodeBlock is destroyed before linked CodeBlock is destroyed.

To make the above assumption valid, we make UnlinkedMetadataTable RefCounted object, and make MetadataTable hold the strong ref to UnlinkedMetadataTable.
This ensures that UnlinkedMetadataTable is destroyed after all the linked MetadataTables are destroyed.

* bytecode/MetadataTable.cpp:
(JSC::MetadataTable::MetadataTable):
(JSC::MetadataTable::~MetadataTable):
* bytecode/UnlinkedCodeBlock.cpp:
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
(JSC::UnlinkedCodeBlock::visitChildren):
(JSC::UnlinkedCodeBlock::estimatedSize):
(JSC::UnlinkedCodeBlock::setInstructions):
* bytecode/UnlinkedCodeBlock.h:
(JSC::UnlinkedCodeBlock::metadata):
(JSC::UnlinkedCodeBlock::metadataSizeInBytes):
* bytecode/UnlinkedMetadataTable.h:
(JSC::UnlinkedMetadataTable::create):
* bytecode/UnlinkedMetadataTableInlines.h:
(JSC::UnlinkedMetadataTable::UnlinkedMetadataTable):
* runtime/CachedTypes.cpp:
(JSC::CachedMetadataTable::decode const):
(JSC::CachedCodeBlock::metadata const):
(JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
(JSC::CachedCodeBlock<CodeBlockType>::decode const):
(JSC::CachedCodeBlock<CodeBlockType>::encode):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240915 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/MetadataTable.cpp
Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp
Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.h
Source/JavaScriptCore/bytecode/UnlinkedMetadataTable.h
Source/JavaScriptCore/bytecode/UnlinkedMetadataTableInlines.h
Source/JavaScriptCore/runtime/CachedTypes.cpp