Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 22 Sep 2017 19:18:33 +0000 (19:18 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 22 Sep 2017 19:18:33 +0000 (19:18 +0000)
https://bugs.webkit.org/show_bug.cgi?id=177368

Reviewed by Keith Miller.

* runtime/ErrorInstance.cpp:
(JSC::ErrorInstance::finishCreation):
(JSC::ErrorInstance::materializeErrorInfoIfNeeded):
(JSC::ErrorInstance::visitChildren):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@222398 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/ErrorInstance.cpp

index a26c198..0112ca4 100644 (file)
@@ -1,3 +1,15 @@
+2017-09-22  Saam Barati  <sbarati@apple.com>
+
+        Usage of ErrorInstance::m_stackTrace on the mutator is racy with the collector
+        https://bugs.webkit.org/show_bug.cgi?id=177368
+
+        Reviewed by Keith Miller.
+
+        * runtime/ErrorInstance.cpp:
+        (JSC::ErrorInstance::finishCreation):
+        (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
+        (JSC::ErrorInstance::visitChildren):
+
 2017-09-22  Yusuke Suzuki  <utatane.tea@gmail.com>
 
         [DFG][FTL] Profile array vector length for array allocation
index 87a859c..1e80d93 100644 (file)
@@ -115,7 +115,13 @@ void ErrorInstance::finishCreation(ExecState* exec, VM& vm, const String& messag
     if (!message.isNull())
         putDirect(vm, vm.propertyNames->message, jsString(&vm, message), DontEnum);
 
-    m_stackTrace = getStackTrace(exec, vm, this, useCurrentFrame);
+    std::unique_ptr<Vector<StackFrame>> stackTrace = getStackTrace(exec, vm, this, useCurrentFrame);
+    {
+        auto locker = holdLock(*this);
+        m_stackTrace = WTFMove(stackTrace);
+    }
+    vm.heap.writeBarrier(this);
+
     if (m_stackTrace && !m_stackTrace->isEmpty() && hasSourceAppender()) {
         unsigned bytecodeOffset;
         CallFrame* callFrame;
@@ -202,7 +208,10 @@ void ErrorInstance::materializeErrorInfoIfNeeded(VM& vm)
         return;
     
     addErrorInfo(vm, m_stackTrace.get(), this);
-    m_stackTrace = nullptr;
+    {
+        auto locker = holdLock(*this);
+        m_stackTrace = nullptr;
+    }
     
     m_errorInfoMaterialized = true;
 }
@@ -222,9 +231,12 @@ void ErrorInstance::visitChildren(JSCell* cell, SlotVisitor& visitor)
     ASSERT_GC_OBJECT_INHERITS(thisObject, info());
     Base::visitChildren(thisObject, visitor);
 
-    if (thisObject->m_stackTrace) {
-        for (StackFrame& frame : *thisObject->m_stackTrace)
-            frame.visitChildren(visitor);
+    {
+        auto locker = holdLock(*thisObject);
+        if (thisObject->m_stackTrace) {
+            for (StackFrame& frame : *thisObject->m_stackTrace)
+                frame.visitChildren(visitor);
+        }
     }
 }
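Review bot: The locking discipline these three hunks establish is not written down anywhere in the code, so the reads of m_stackTrace that still happen without the cell lock on the mutator — the `if (m_stackTrace && !m_stackTrace->isEmpty() && hasSourceAppender())` check right after the write barrier in finishCreation and the `m_stackTrace.get()` handed to addErrorInfo in materializeErrorInfoIfNeeded — look like the very race the title names, when they are in fact safe because only the mutator ever writes the field. Add a comment at the lock in visitChildren, `// m_stackTrace is written only on the mutator, under the cell lock; the collector reads it under the same lock, so mutator-side reads need no lock.`, and the same sentence next to the member's declaration (presumably in ErrorInstance.h, which this commit does not touch). In materializeErrorInfoIfNeeded the `m_stackTrace = nullptr` also destroys the Vector<StackFrame> while the cell lock is held; moving the pointer into a local inside the locked scope and letting it die after the scope keeps the critical section to a pointer swap, mirroring the shape finishCreation already uses. The bodies of finishCreation and visitChildren continue outside the hunks shown.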