Changeset 253443 in webkit for trunk/Source/JavaScriptCore/heap

Timestamp:

Dec 12, 2019, 1:33:55 PM (5 years ago)

Author:

[email protected]

Message:

[JSC] Lock-down JSGlobalObject and derived classes in IsoSubspace
​https://bugs.webkit.org/show_bug.cgi?id=205108

Reviewed by Mark Lam.

Source/JavaScriptCore:

This patch puts JSGlobalLexicalEnvironment and JSGlobalObject (and its derived classes including JSDOMWindow etc.) in IsoSubspace.
We were using addFinalizer feature to call destructors for these objects since they do not inherit JSDestructibleObject. But now
each derived classes has its IsoSubspace. So we do not need to use finalizer feature: just setting specialized HeapCellType works.

• API/JSAPIGlobalObject.h:
• API/JSCallbackObject.cpp:
• API/glib/JSAPIWrapperGlobalObject.cpp:
• JavaScriptCore.xcodeproj/project.pbxproj:
• bytecode/SuperSampler.h:
• heap/CellAttributes.h:
• heap/FreeList.h:
• heap/IsoHeapCellType.cpp:

(JSC::IsoHeapCellType::IsoHeapCellType):

• heap/IsoHeapCellType.h:
• heap/MarkedBlock.cpp:

(JSC::MarkedBlock::Handle::setIsFreeListed): Deleted.

• heap/MarkedBlockInlines.h:

(JSC::MarkedBlock::Handle::setIsFreeListed):

• jsc.cpp:

(GlobalObject::create): Deleted.
(GlobalObject::createStructure): Deleted.
(GlobalObject::javaScriptRuntimeFlags): Deleted.
(GlobalObject::finishCreation): Deleted.
(GlobalObject::addFunction): Deleted.

• runtime/JSGlobalLexicalEnvironment.h:
• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::subspaceFor):

• runtime/JSSegmentedVariableObject.cpp:

(JSC::JSSegmentedVariableObject::JSSegmentedVariableObject):
(JSC::JSSegmentedVariableObject::finishCreation):
(JSC::JSSegmentedVariableObject::destroy): Deleted.

• runtime/JSSegmentedVariableObject.h:

(JSC::JSSegmentedVariableObject::subspaceFor):
(JSC::JSSegmentedVariableObject::classInfo const): Deleted.

• runtime/VM.cpp:

(JSC::VM::VM):

• runtime/VM.h:
• testRegExp.cpp:

(GlobalObject::create): Deleted.
(GlobalObject::createStructure): Deleted.
(GlobalObject::finishCreation): Deleted.

Source/WebCore:

We put derived classes of JSGlobalObject in IsoSubspace in WebCore side too.

• bindings/js/JSDOMGlobalObject.h:
• bindings/js/JSDOMWindowBase.h:
• bindings/js/JSDOMWrapper.cpp:

(WebCore::globalObjectOutputConstraintSubspaceFor): Deleted.

• bindings/js/JSDOMWrapper.h:
• bindings/js/JSRemoteDOMWindowBase.h:
• bindings/js/JSWindowProxy.h:
• bindings/js/JSWorkerGlobalScopeBase.h:

(WebCore::JSWorkerGlobalScopeBase::subspaceFor):

• bindings/js/JSWorkletGlobalScopeBase.h:

(WebCore::JSWorkletGlobalScopeBase::subspaceFor):

• bindings/js/WebCoreJSClientData.cpp:

(WebCore::JSVMClientData::JSVMClientData):

• bindings/js/WebCoreJSClientData.h:

(WebCore::JSVMClientData::subspaceForJSDOMWindow):
(WebCore::JSVMClientData::subspaceForJSDedicatedWorkerGlobalScope):
(WebCore::JSVMClientData::subspaceForJSRemoteDOMWindow):
(WebCore::JSVMClientData::subspaceForJSWorkerGlobalScope):
(WebCore::JSVMClientData::subspaceForJSServiceWorkerGlobalScope):
(WebCore::JSVMClientData::subspaceForJSPaintWorkletGlobalScope):
(WebCore::JSVMClientData::subspaceForJSWorkletGlobalScope):
(WebCore::JSVMClientData::forEachOutputConstraintSpace):
(WebCore::JSVMClientData::globalObjectOutputConstraintSpace): Deleted.

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateHeader):
(GenerateImplementation):
(GeneratePrototypeDeclaration):

• bindings/scripts/test/JS/JSInterfaceName.cpp:
• bindings/scripts/test/JS/JSMapLike.cpp:
• bindings/scripts/test/JS/JSReadOnlyMapLike.cpp:
• bindings/scripts/test/JS/JSReadOnlySetLike.cpp:
• bindings/scripts/test/JS/JSSetLike.cpp:
• bindings/scripts/test/JS/JSTestActiveDOMObject.cpp:
• bindings/scripts/test/JS/JSTestCEReactions.cpp:
• bindings/scripts/test/JS/JSTestCEReactionsStringifier.cpp:
• bindings/scripts/test/JS/JSTestCallTracer.cpp:
• bindings/scripts/test/JS/JSTestClassWithJSBuiltinConstructor.cpp:
• bindings/scripts/test/JS/JSTestDOMJIT.cpp:
• bindings/scripts/test/JS/JSTestEnabledBySetting.cpp:
• bindings/scripts/test/JS/JSTestEnabledForContext.cpp:
• bindings/scripts/test/JS/JSTestEventConstructor.cpp:
• bindings/scripts/test/JS/JSTestEventTarget.cpp:
• bindings/scripts/test/JS/JSTestException.cpp:
• bindings/scripts/test/JS/JSTestGenerateIsReachable.cpp:
• bindings/scripts/test/JS/JSTestGlobalObject.cpp:

(WebCore::JSTestGlobalObject::subspaceForImpl):

• bindings/scripts/test/JS/JSTestGlobalObject.h:

(WebCore::JSTestGlobalObject::subspaceFor):

• bindings/scripts/test/JS/JSTestIndexedSetterNoIdentifier.cpp:
• bindings/scripts/test/JS/JSTestIndexedSetterThrowingException.cpp:
• bindings/scripts/test/JS/JSTestIndexedSetterWithIdentifier.cpp:
• bindings/scripts/test/JS/JSTestInterface.cpp:
• bindings/scripts/test/JS/JSTestInterfaceLeadingUnderscore.cpp:
• bindings/scripts/test/JS/JSTestIterable.cpp:
• bindings/scripts/test/JS/JSTestJSBuiltinConstructor.cpp:
• bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp:
• bindings/scripts/test/JS/JSTestNamedAndIndexedSetterNoIdentifier.cpp:
• bindings/scripts/test/JS/JSTestNamedAndIndexedSetterThrowingException.cpp:
• bindings/scripts/test/JS/JSTestNamedAndIndexedSetterWithIdentifier.cpp:
• bindings/scripts/test/JS/JSTestNamedConstructor.cpp:
• bindings/scripts/test/JS/JSTestNamedDeleterNoIdentifier.cpp:
• bindings/scripts/test/JS/JSTestNamedDeleterThrowingException.cpp:
• bindings/scripts/test/JS/JSTestNamedDeleterWithIdentifier.cpp:
• bindings/scripts/test/JS/JSTestNamedDeleterWithIndexedGetter.cpp:
• bindings/scripts/test/JS/JSTestNamedGetterCallWith.cpp:
• bindings/scripts/test/JS/JSTestNamedGetterNoIdentifier.cpp:
• bindings/scripts/test/JS/JSTestNamedGetterWithIdentifier.cpp:
• bindings/scripts/test/JS/JSTestNamedSetterNoIdentifier.cpp:
• bindings/scripts/test/JS/JSTestNamedSetterThrowingException.cpp:
• bindings/scripts/test/JS/JSTestNamedSetterWithIdentifier.cpp:
• bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetter.cpp:
• bindings/scripts/test/JS/JSTestNamedSetterWithIndexedGetterAndSetter.cpp:
• bindings/scripts/test/JS/JSTestNamedSetterWithOverrideBuiltins.cpp:
• bindings/scripts/test/JS/JSTestNamedSetterWithUnforgableProperties.cpp:
• bindings/scripts/test/JS/JSTestNamedSetterWithUnforgablePropertiesAndOverrideBuiltins.cpp:
• bindings/scripts/test/JS/JSTestNode.cpp:
• bindings/scripts/test/JS/JSTestObj.cpp:
• bindings/scripts/test/JS/JSTestOverloadedConstructors.cpp:
• bindings/scripts/test/JS/JSTestOverloadedConstructorsWithSequence.cpp:
• bindings/scripts/test/JS/JSTestOverrideBuiltins.cpp:
• bindings/scripts/test/JS/JSTestPluginInterface.cpp:
• bindings/scripts/test/JS/JSTestPromiseRejectionEvent.cpp:
• bindings/scripts/test/JS/JSTestSerialization.cpp:
• bindings/scripts/test/JS/JSTestSerializationIndirectInheritance.cpp:
• bindings/scripts/test/JS/JSTestSerializationInherit.cpp:
• bindings/scripts/test/JS/JSTestSerializationInheritFinal.cpp:
• bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp:
• bindings/scripts/test/JS/JSTestStringifier.cpp:
• bindings/scripts/test/JS/JSTestStringifierAnonymousOperation.cpp:
• bindings/scripts/test/JS/JSTestStringifierNamedOperation.cpp:
• bindings/scripts/test/JS/JSTestStringifierOperationImplementedAs.cpp:
• bindings/scripts/test/JS/JSTestStringifierOperationNamedToString.cpp:
• bindings/scripts/test/JS/JSTestStringifierReadOnlyAttribute.cpp:
• bindings/scripts/test/JS/JSTestStringifierReadWriteAttribute.cpp:
• bindings/scripts/test/JS/JSTestTypedefs.cpp:
• bridge/runtime_method.h:

Location:

trunk/Source/JavaScriptCore/heap

Files:

• CellAttributes.h (modified) (1 diff)
• FreeList.h (modified) (2 diffs)
• IsoHeapCellType.cpp (modified) (1 diff)
• IsoHeapCellType.h (modified) (2 diffs)
• MarkedBlock.cpp (modified) (1 diff)
• MarkedBlockInlines.h (modified) (1 diff)

trunk/Source/JavaScriptCore/heap/CellAttributes.h

@@ -41 +41 @@
     }
     
-    void dump(PrintStream& out) const;
+    JS_EXPORT_PRIVATE void dump(PrintStream& out) const;
     
     DestructionMode destruction { DoesNotNeedDestruction };

trunk/Source/JavaScriptCore/heap/FreeList.h

@@ -67 +67 @@
     void clear();
     
-    void initializeList(FreeCell* head, uintptr_t secret, unsigned bytes);
-    void initializeBump(char* payloadEnd, unsigned remaining);
+    JS_EXPORT_PRIVATE void initializeList(FreeCell* head, uintptr_t secret, unsigned bytes);
+    JS_EXPORT_PRIVATE void initializeBump(char* payloadEnd, unsigned remaining);
     
     bool allocationWillFail() const { return !head() && !m_remaining; }
@@ -90 +90 @@
     static ptrdiff_t offsetOfCellSize() { return OBJECT_OFFSETOF(FreeList, m_cellSize); }
     
-    void dump(PrintStream&) const;
+    JS_EXPORT_PRIVATE void dump(PrintStream&) const;
 
     unsigned cellSize() const { return m_cellSize; }

trunk/Source/JavaScriptCore/heap/IsoHeapCellType.cpp

@@ -32 +32 @@
 namespace JSC {
 
+IsoHeapCellType::IsoHeapCellType(DestructionMode destructionMode, DestroyFunctionPtr destroyFunction)
+    : HeapCellType(CellAttributes(destructionMode, HeapCell::JSCell))
+    , m_destroy(destroyFunction)
+{
+}
+
 void IsoHeapCellType::finishSweep(MarkedBlock::Handle& handle, FreeList* freeList)
 {

trunk/Source/JavaScriptCore/heap/IsoHeapCellType.h

@@ -33 +33 @@
     using DestroyFunctionPtr = void (*)(JSCell*);
 
-    IsoHeapCellType(DestructionMode destructionMode, DestroyFunctionPtr destroyFunction)
-        : HeapCellType(CellAttributes(destructionMode, HeapCell::JSCell))
-        , m_destroy(destroyFunction)
-    {
-    }
+    JS_EXPORT_PRIVATE IsoHeapCellType(DestructionMode, DestroyFunctionPtr);
 
     template<typename CellType>
@@ -45 +41 @@
     }
 
-    void finishSweep(MarkedBlock::Handle&, FreeList*) override;
-    void destroy(VM&, JSCell*) override;
+    JS_EXPORT_PRIVATE void finishSweep(MarkedBlock::Handle&, FreeList*) override;
+    JS_EXPORT_PRIVATE void destroy(VM&, JSCell*) override;
 
     ALWAYS_INLINE void operator()(VM&, JSCell* cell) const

trunk/Source/JavaScriptCore/heap/MarkedBlock.cpp

@@ -112 +112 @@
     RELEASE_ASSERT(m_isFreeListed);
     m_isFreeListed = false;
-}
-
-void MarkedBlock::Handle::setIsFreeListed()
-{
-    m_directory->setIsEmpty(NoLockingNecessary, this, false);
-    m_isFreeListed = true;
 }
 

trunk/Source/JavaScriptCore/heap/MarkedBlockInlines.h

@@ -484 +484 @@
 }
 
+inline void MarkedBlock::Handle::setIsFreeListed()
+{
+    m_directory->setIsEmpty(NoLockingNecessary, this, false);
+    m_isFreeListed = true;
+}
+
 template <typename Functor>
 inline IterationStatus MarkedBlock::Handle::forEachLiveCell(const Functor& functor)