Changeset 159351 in webkit for trunk/Source/JavaScriptCore/API/ObjCCallbackFunction.mm

Timestamp:

Nov 15, 2013, 11:53:30 AM (12 years ago)

Author:

[email protected]

Message:

-dealloc callbacks from wrapped Objective-C objects can happen at bad times
​https://bugs.webkit.org/show_bug.cgi?id=123821

Reviewed by Darin Adler.

Currently with the JSC Obj-C API, JS wrappers for client Obj-C objects retain their associated Obj-C
object. When they are swept, they release their Obj-C objects which can trigger a call to that
object's -dealloc method. These -dealloc methods can then call back into the same VM, which is not
allowed during sweeping or VM shutdown.

We can handle this case by creating our own pool of Obj-C objects to be released when it is safe to do so.
This is accomplished by using DelayedReleaseScope, an RAII-style object that will retain all objects
that are unsafe to release until the end of the DelayedReleaseScope.

• API/APIShims.h:

(JSC::APICallbackShim::APICallbackShim):
(JSC::APICallbackShim::vmForDropAllLocks):
(JSC::APICallbackShim::execForDropAllLocks):

• API/JSAPIWrapperObject.mm:

(JSAPIWrapperObjectHandleOwner::finalize):

• API/ObjCCallbackFunction.mm:

(JSC::ObjCCallbackFunctionImpl::destroy):
(JSC::ObjCCallbackFunction::destroy):

• API/tests/testapi.mm:

(-[TinyDOMNode initWithVirtualMachine:]):
(-[TinyDOMNode dealloc]):
(-[TinyDOMNode appendChild:]):
(-[TinyDOMNode removeChildAtIndex:]):
(-[EvilAllocationObject initWithContext:]):
(-[EvilAllocationObject dealloc]):
(-[EvilAllocationObject doEvilThingsWithContext:]):

• JavaScriptCore.xcodeproj/project.pbxproj:
• heap/DelayedReleaseScope.h: Added.

(JSC::DelayedReleaseScope::DelayedReleaseScope):
(JSC::DelayedReleaseScope::~DelayedReleaseScope):
(JSC::DelayedReleaseScope::releaseSoon):
(JSC::MarkedSpace::releaseSoon):

• heap/Heap.cpp:

(JSC::Heap::collectAllGarbage):

• heap/Heap.h:

(JSC::Heap::releaseSoon):

• heap/MarkedAllocator.cpp:

(JSC::MarkedAllocator::allocateSlowCase):

• heap/MarkedSpace.cpp:

(JSC::MarkedSpace::MarkedSpace):
(JSC::MarkedSpace::lastChanceToFinalize):
(JSC::MarkedSpace::sweep):

• heap/MarkedSpace.h:

File:

• trunk/Source/JavaScriptCore/API/ObjCCallbackFunction.mm (modified) (3 diffs)

trunk/Source/JavaScriptCore/API/ObjCCallbackFunction.mm

@@ -32 +32 @@
 #import "APICast.h"
 #import "APIShims.h"
+#import "DelayedReleaseScope.h"
 #import "Error.h"
 #import "JSCJSValueInlines.h"
@@ -406 +407 @@
     }
 
-    ~ObjCCallbackFunctionImpl()
-    {
-        // We need to explicity release the target since we didn't call 
+    void destroy(Heap& heap)
+    {
+        // We need to explicitly release the target since we didn't call 
         // -retainArguments on m_invocation (and we don't want to do so).
         if (m_type == CallbackBlock || m_type == CallbackClassMethod)
-            [[m_invocation.get() target] release];
+            heap.releaseSoon(adoptNS([m_invocation.get() target]));
         [m_instanceClass release];
     }
@@ -521 +522 @@
 void ObjCCallbackFunction::destroy(JSCell* cell)
 {
-    static_cast<ObjCCallbackFunction*>(cell)->ObjCCallbackFunction::~ObjCCallbackFunction();
+    ObjCCallbackFunction& function = *jsCast<ObjCCallbackFunction*>(cell);
+    function.impl()->destroy(*Heap::heap(cell));
+    function.~ObjCCallbackFunction();
 }