Changeset 118616 in webkit for trunk/Source/JavaScriptCore/heap/WeakSetInlines.h

Timestamp:

May 26, 2012, 3:40:46 PM (13 years ago)

Author:

[email protected]

Message:

WebKit should be lazy-finalization-safe (esp. the DOM) v2
​https://bugs.webkit.org/show_bug.cgi?id=87581

Reviewed by Oliver Hunt.

../JavaScriptCore:

• heap/MarkedBlock.cpp:

(JSC::MarkedBlock::callDestructor):

• heap/WeakBlock.h:
• heap/WeakSetInlines.h:

(JSC::WeakBlock::finalize): Since we don't guarantee destruction order,
it's not valid to access GC pointers like the Structure pointer during
finalization. We NULL out the structure pointer in debug builds to try
to make this programming mistake more obvious.

• API/JSCallbackConstructor.cpp:

(JSC::JSCallbackConstructor::destroy):

• API/JSCallbackObject.cpp:

(JSC::::destroy):
(JSC::JSCallbackObjectData::finalize):

• runtime/Arguments.cpp:

(JSC::Arguments::destroy):

• runtime/DateInstance.cpp:

(JSC::DateInstance::destroy):

• runtime/Error.cpp:

(JSC::StrictModeTypeErrorFunction::destroy):

• runtime/Executable.cpp:

(JSC::ExecutableBase::destroy):
(JSC::NativeExecutable::destroy):
(JSC::ScriptExecutable::destroy):
(JSC::EvalExecutable::destroy):
(JSC::ProgramExecutable::destroy):
(JSC::FunctionExecutable::destroy):

• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::destroy):

• runtime/JSPropertyNameIterator.cpp:

(JSC::JSPropertyNameIterator::destroy):

• runtime/JSStaticScopeObject.cpp:

(JSC::JSStaticScopeObject::destroy):

• runtime/JSString.cpp:

(JSC::JSString::destroy):

• runtime/JSVariableObject.cpp:

(JSC::JSVariableObject::destroy):

• runtime/NameInstance.cpp:

(JSC::NameInstance::destroy):

• runtime/RegExp.cpp:

(JSC::RegExp::destroy):

• runtime/RegExpConstructor.cpp:

(JSC::RegExpConstructor::destroy):

• runtime/Structure.cpp:

(JSC::Structure::destroy):

• runtime/StructureChain.cpp:

(JSC::StructureChain::destroy): Use static_cast instead of jsCast because
jsCast does Structure-based validation, and our Structure is not guaranteed
to be alive when we get finalized.

../WebCore:

• bindings/js/JSDOMGlobalObject.cpp:

(WebCore::JSDOMGlobalObject::destroy):

• bindings/js/JSDOMWindowBase.cpp:

(WebCore::JSDOMWindowBase::destroy):

• bindings/js/JSDOMWindowShell.cpp:

(WebCore::JSDOMWindowShell::destroy):

• bindings/js/JSNodeCustom.cpp:

(WebCore::JSNodeOwner::finalize):

• bindings/js/JSWorkerContextBase.cpp:

(WebCore::JSWorkerContextBase::destroy):

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateImplementation):

• bindings/scripts/test/JS/JSTestActiveDOMObject.cpp:

(WebCore::JSTestActiveDOMObject::destroy):
(WebCore::JSTestActiveDOMObjectOwner::finalize):

• bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp:

(WebCore::JSTestCustomNamedGetter::destroy):
(WebCore::JSTestCustomNamedGetterOwner::finalize):

• bindings/scripts/test/JS/JSTestEventConstructor.cpp:

(WebCore::JSTestEventConstructor::destroy):
(WebCore::JSTestEventConstructorOwner::finalize):

• bindings/scripts/test/JS/JSTestEventTarget.cpp:

(WebCore::JSTestEventTarget::destroy):
(WebCore::JSTestEventTargetOwner::finalize):

• bindings/scripts/test/JS/JSTestException.cpp:

(WebCore::JSTestException::destroy):
(WebCore::JSTestExceptionOwner::finalize):

• bindings/scripts/test/JS/JSTestInterface.cpp:

(WebCore::JSTestInterface::destroy):
(WebCore::JSTestInterfaceOwner::finalize):

• bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp:

(WebCore::JSTestMediaQueryListListener::destroy):
(WebCore::JSTestMediaQueryListListenerOwner::finalize):

• bindings/scripts/test/JS/JSTestNamedConstructor.cpp:

(WebCore::JSTestNamedConstructor::destroy):
(WebCore::JSTestNamedConstructorOwner::finalize):

• bindings/scripts/test/JS/JSTestObj.cpp:

(WebCore::JSTestObj::destroy):
(WebCore::JSTestObjOwner::finalize):

• bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp:

(WebCore::JSTestSerializedScriptValueInterface::destroy):
(WebCore::JSTestSerializedScriptValueInterfaceOwner::finalize):

• bridge/objc/objc_runtime.mm:

(JSC::Bindings::ObjcFallbackObjectImp::destroy):

• bridge/qt/qt_runtime.cpp:

(JSC::Bindings::QtRuntimeMethod::destroy):

• bridge/qt/qt_runtime_qt4.cpp:

(JSC::Bindings::QtRuntimeMethod::destroy):

• bridge/runtime_array.cpp:

(JSC::RuntimeArray::destroy):

• bridge/runtime_method.cpp:

(JSC::RuntimeMethod::destroy):

• bridge/runtime_object.cpp:

(JSC::Bindings::RuntimeObject::destroy):

• bridge/runtime_root.cpp:

(JSC::Bindings::RootObject::finalize): Use static_cast instead of jsCast because
jsCast does Structure-based validation, and our Structure is not guaranteed
to be alive when we get finalized.

../WebKit2:

• WebProcess/Plugins/Netscape/JSNPObject.cpp:

(WebKit::JSNPObject::destroy):
(WebKit::JSNPObject::leakNPObject):

• WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp:

(WebKit::NPRuntimeObjectMap::finalize): Use static_cast instead of jsCast because
jsCast does Structure-based validation, and our Structure is not guaranteed
to be alive when we get finalized.

File:

• trunk/Source/JavaScriptCore/heap/WeakSetInlines.h (modified) (1 diff)

trunk/Source/JavaScriptCore/heap/WeakSetInlines.h

@@ -43 +43 @@
 }
 
+inline void WeakBlock::finalize(WeakImpl* weakImpl)
+{
+    ASSERT(weakImpl->state() == WeakImpl::Dead);
+    weakImpl->setState(WeakImpl::Finalized);
+    WeakHandleOwner* weakHandleOwner = weakImpl->weakHandleOwner();
+    if (!weakHandleOwner)
+        return;
+#if !ASSERT_DISABLED || ENABLE(GC_VALIDATION)
+    weakImpl->jsValue().asCell()->clearStructure();
+#endif
+    weakHandleOwner->finalize(Handle<Unknown>::wrapSlot(&const_cast<JSValue&>(weakImpl->jsValue())), weakImpl->context());
+}
+
 } // namespace JSC