06086a90e0
http://build.chromium.org/p/client.v8/builders/V8%20Linux64%20ASAN The bug: The code assumed that a weak Persistent whose weak callback is being called would still be weak. That isn't true since the persistent is un-weakened by the garbage collector before calling the weak callback. [1] Specifically, PersistentValueMap would funnel all 'remove' actions through its Release method, which uses PersistentBase::ClearWeak to obtain the callback data. [2] For 'removes' caused by the weak callback, ClearWeak always returns a NULL-pointer since by that time the weak persistent was already un-weakend. The result was a memory leak in the test, since the code to delete the weak callback data would delete NULL. The fix: I explicity call Traits::DisposeCallbackData from the weak callback with the data obtained from the v8::WeakCallbackData. To avoid invalid calls to DisposeCallbackData, I also check whether this instance is (still) weak before calling it. (That check could easily be elided if it's expensive, for the price of having two 'remove' code paths.) Severety: Probably low. At least in Chromium, noone uses the API in a way to trigger this; only the test does. [1] https://code.google.com/p/chromium/codesearch#chromium/src/v8/src/global-handles.cc&q=global-handles.cc&sq=package:chromium&type=cs&l=231 [2] https://code.google.com/p/chromium/codesearch#chromium/src/v8/include/v8-util.h&sq=package:chromium&l=332-345 R=dcarney@chromium.org, dcarney BUG= Review URL: https://codereview.chromium.org/297193004 git-svn-id: https://v8.googlecode.com/svn/branches/bleeding_edge@21514 ce2b1a6d-e550-0410-aec6-3dcde31c8c00 |
||
|---|---|---|
| .. | ||
| v8-debug.h | ||
| v8-platform.h | ||
| v8-profiler.h | ||
| v8-testing.h | ||
| v8-util.h | ||
| v8.h | ||
| v8config.h | ||
| v8stdint.h | ||