https://bugs.webkit.org/show_bug.cgi?id=172755
Reviewed by JF Bastien.
We were not properly freeing the list of dependencies if we were already tracking the promise before.
This is because addPendingPromise takes the list of dependencies as an rvalue-reference. In the case
where we were already tracking the promise we append the provided dependency list to the existing list.
Since we never bound our rvalue-ref to a non-temporary value we never destructed the Vector, leaking its
contents.
* runtime/PromiseDeferredTimer.cpp:
(JSC::PromiseDeferredTimer::addPendingPromise):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@217608 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2017-05-31 Keith Miller <keith_miller@apple.com>
+
+ Fix leak in PromiseDeferredTimer
+ https://bugs.webkit.org/show_bug.cgi?id=172755
+
+ Reviewed by JF Bastien.
+
+ We were not properly freeing the list of dependencies if we were already tracking the promise before.
+ This is because addPendingPromise takes the list of dependencies as an rvalue-reference. In the case
+ where we were already tracking the promise we append the provided dependency list to the existing list.
+ Since we never bound or rvalue-ref to a non-temporary value we never destructed the Vector, leaking its
+ contents.
+
+ * runtime/PromiseDeferredTimer.cpp:
+ (JSC::PromiseDeferredTimer::addPendingPromise):
+
2017-05-30 Oleksandr Skachkov <gskachkov@gmail.com>
Prevent async methods named 'function' in Object literal
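Review bot: In the last sentence of the new entry, "we never bound or rvalue-ref" should read "our rvalue-ref". The entry also lists only runtime/PromiseDeferredTimer.cpp, so no regression test accompanies the fix; if the leak cannot be covered by a test (for example under a leak checker), say so in the entry so the next reader does not go looking for one.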
dependencies.append(Strong<JSCell>(*m_vm, ticket));
result.iterator->value = WTFMove(dependencies);
} else {
+ // We need to make sure we move dependencies into a non-reference type so we actually destruct it.
+ Vector<Strong<JSCell>> deps = WTFMove(dependencies);
dataLogLnIf(verbose, "Adding new dependencies for promise: ", RawPointer(ticket));
- result.iterator->value.appendVector(dependencies);
+ result.iterator->value.appendVector(deps);
}
#ifndef NDEBUG
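Review bot: In the else branch, the new comment says why deps exists but not why this branch differs from the one above it: the first branch hands the contents over with `result.iterator->value = WTFMove(dependencies);`, while here `appendVector(deps)` receives an lvalue, so the only thing that releases the moved-in handles is deps going out of scope at the closing brace. Please spell that out in the comment, since the local otherwise looks redundant and is an easy target for a later cleanup that would reintroduce the leak. Declaring deps directly above the appendVector call, after the dataLogLnIf line, would also keep the ownership transfer next to its single use.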