- Revision
- 93688
- Author
- [email protected]
- Date
- 2011-08-23 19:05:33 -0700 (Tue, 23 Aug 2011)
Log Message
Add checks to ensure allocation does not take place during initialization of GC-managed objects
https://bugs.webkit.org/show_bug.cgi?id=65288
Patch by Mark Hahnenberg <[email protected]> on 2011-08-23
Reviewed by Darin Adler.
Source/_javascript_Core:
Adding the new validation functionality. In its current state, it will performs checks,
but they don't fail unless you do allocation in the arguments to the parent constructor in the
initialization list of a class. The allocateCell() method turns on the global flag disallowing any new
allocations, and the constructorBody() method in JSCell turns it off. This way, allocation is still
allowed in constructor bodies while other refactoring efforts continue.
* runtime/JSCell.h:
(JSC::JSCell::JSCell::constructorBody):
(JSC::JSCell::JSCell::JSCell):
(JSC::JSCell::allocateCell):
* runtime/JSGlobalData.cpp:
(JSC::JSGlobalData::JSGlobalData):
* runtime/JSGlobalData.h:
(JSC::JSGlobalData::isInitializingObject):
(JSC::JSGlobalData::setInitializingObject):
* runtime/StringObjectThatMasqueradesAsUndefined.h:
(JSC::StringObjectThatMasqueradesAsUndefined::create):
Source/WebCore:
No new tests.
Adding the new validation functionality. In its current state, it will performs checks,
but they don't fail unless you do allocation in the arguments to the parent constructor in the
initialization list of a class. The allocateCell() method turns on the global flag disallowing any new
allocations, and the constructorBody() method in JSCell turns it off. This way, allocation is still
allowed in constructor bodies while other refactoring efforts continue.
* bindings/js/JSDOMWindowShell.cpp:
(WebCore::JSDOMWindowShell::operator new):
* bindings/js/JSDOMWindowShell.h:
Source/WebKit/mac:
Adding the new validation functionality. In its current state, it will performs checks,
but they don't fail unless you do allocation in the arguments to the parent constructor in the
initialization list of a class. The allocateCell() method turns on the global flag disallowing any new
allocations, and the constructorBody() method in JSCell turns it off. This way, allocation is still
allowed in constructor bodies while other refactoring efforts continue.
* Plugins/Hosted/ProxyRuntimeObject.h:
(WebKit::ProxyRuntimeObject::create):
* Plugins/Hosted/ProxyRuntimeObject.mm:
(WebKit::ProxyRuntimeObject::ProxyRuntimeObject):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (93687 => 93688)
--- trunk/Source/_javascript_Core/ChangeLog 2011-08-24 02:00:10 UTC (rev 93687)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-08-24 02:05:33 UTC (rev 93688)
@@ -1,3 +1,28 @@
+2011-08-23 Mark Hahnenberg <[email protected]>
+
+ Add checks to ensure allocation does not take place during initialization of GC-managed objects
+ https://bugs.webkit.org/show_bug.cgi?id=65288
+
+ Reviewed by Darin Adler.
+
+ Adding the new validation functionality. In its current state, it will performs checks,
+ but they don't fail unless you do allocation in the arguments to the parent constructor in the
+ initialization list of a class. The allocateCell() method turns on the global flag disallowing any new
+ allocations, and the constructorBody() method in JSCell turns it off. This way, allocation is still
+ allowed in constructor bodies while other refactoring efforts continue.
+
+ * runtime/JSCell.h:
+ (JSC::JSCell::JSCell::constructorBody):
+ (JSC::JSCell::JSCell::JSCell):
+ (JSC::JSCell::allocateCell):
+ * runtime/JSGlobalData.cpp:
+ (JSC::JSGlobalData::JSGlobalData):
+ * runtime/JSGlobalData.h:
+ (JSC::JSGlobalData::isInitializingObject):
+ (JSC::JSGlobalData::setInitializingObject):
+ * runtime/StringObjectThatMasqueradesAsUndefined.h:
+ (JSC::StringObjectThatMasqueradesAsUndefined::create):
+
2011-08-23 Gavin Barraclough <[email protected]>
https://bugs.webkit.org/show_bug.cgi?id=55347
Modified: trunk/Source/_javascript_Core/runtime/JSCell.h (93687 => 93688)
--- trunk/Source/_javascript_Core/runtime/JSCell.h 2011-08-24 02:00:10 UTC (rev 93687)
+++ trunk/Source/_javascript_Core/runtime/JSCell.h 2011-08-24 02:05:33 UTC (rev 93688)
@@ -151,6 +151,9 @@
protected:
static const unsigned AnonymousSlotCount = 0;
+ void constructorBody(JSGlobalData&);
+ void constructorBody(JSGlobalData&, Structure*, CreatingEarlyCellTag);
+
private:
// Base implementation; for non-object classes implements getPropertySlot.
virtual bool getOwnPropertySlot(ExecState*, const Identifier& propertyName, PropertySlot&);
@@ -167,12 +170,29 @@
inline JSCell::JSCell(JSGlobalData& globalData, Structure* structure)
: m_structure(globalData, this, structure)
{
- ASSERT(m_structure);
+ constructorBody(globalData);
}
inline JSCell::JSCell(JSGlobalData& globalData, Structure* structure, CreatingEarlyCellTag)
{
+ constructorBody(globalData, structure, CreatingEarlyCell);
+ }
+
+ inline void JSCell::constructorBody(JSGlobalData& globalData)
+ {
#if ENABLE(GC_VALIDATION)
+ ASSERT(globalData.isInitializingObject());
+ globalData.setInitializingObject(false);
+#else
+ UNUSED_PARAM(globalData);
+#endif
+ ASSERT(m_structure);
+ }
+
+ inline void JSCell::constructorBody(JSGlobalData& globalData, Structure* structure, CreatingEarlyCellTag)
+ {
+#if ENABLE(GC_VALIDATION)
+ globalData.setInitializingObject(false);
if (structure)
#endif
m_structure.setEarlyValue(globalData, this, structure);
@@ -349,6 +369,10 @@
template <typename T> void* allocateCell(Heap& heap)
{
+#if ENABLE(GC_VALIDATION)
+ ASSERT(!heap.globalData()->isInitializingObject());
+ heap.globalData()->setInitializingObject(true);
+#endif
return heap.allocate(sizeof(T));
}
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalData.cpp (93687 => 93688)
--- trunk/Source/_javascript_Core/runtime/JSGlobalData.cpp 2011-08-24 02:00:10 UTC (rev 93687)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalData.cpp 2011-08-24 02:05:33 UTC (rev 93688)
@@ -201,6 +201,9 @@
#ifndef NDEBUG
, exclusiveThread(0)
#endif
+#if ENABLE(GC_VALIDATION)
+ , m_isInitializingObject(false)
+#endif
{
interpreter = new Interpreter;
if (globalDataType == Default)
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalData.h (93687 => 93688)
--- trunk/Source/_javascript_Core/runtime/JSGlobalData.h 2011-08-24 02:00:10 UTC (rev 93687)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalData.h 2011-08-24 02:05:33 UTC (rev 93688)
@@ -279,6 +279,11 @@
bool isCollectorBusy() { return heap.isBusy(); }
void releaseExecutableMemory();
+#if ENABLE(GC_VALIDATION)
+ bool isInitializingObject() const;
+ void setInitializingObject(bool);
+#endif
+
private:
JSGlobalData(GlobalDataType, ThreadStackType, HeapSize);
static JSGlobalData*& sharedInstanceInternal();
@@ -287,6 +292,9 @@
bool m_canUseJIT;
#endif
StackBounds m_stack;
+#if ENABLE(GC_VALIDATION)
+ bool m_isInitializingObject;
+#endif
};
inline HandleSlot allocateGlobalHandle(JSGlobalData& globalData)
@@ -294,6 +302,18 @@
return globalData.allocateGlobalHandle();
}
+#if ENABLE(GC_VALIDATION)
+ inline bool JSGlobalData::isInitializingObject() const
+ {
+ return m_isInitializingObject;
+ }
+
+ inline void JSGlobalData::setInitializingObject(bool initializingObject)
+ {
+ m_isInitializingObject = initializingObject;
+ }
+#endif
+
} // namespace JSC
#endif // JSGlobalData_h
Modified: trunk/Source/_javascript_Core/runtime/StringObjectThatMasqueradesAsUndefined.h (93687 => 93688)
--- trunk/Source/_javascript_Core/runtime/StringObjectThatMasqueradesAsUndefined.h 2011-08-24 02:00:10 UTC (rev 93687)
+++ trunk/Source/_javascript_Core/runtime/StringObjectThatMasqueradesAsUndefined.h 2011-08-24 02:05:33 UTC (rev 93688)
@@ -35,8 +35,8 @@
static StringObjectThatMasqueradesAsUndefined* create(ExecState* exec, const UString& string)
{
JSString* newString = jsString(exec, string);
- return new (allocateCell<StringObjectThatMasqueradesAsUndefined>(*exec->heap())) StringObjectThatMasqueradesAsUndefined(exec,
- createStructure(exec->globalData(), exec->lexicalGlobalObject()->stringPrototype()), newString);
+ Structure* structure = createStructure(exec->globalData(), exec->lexicalGlobalObject()->stringPrototype());
+ return new (allocateCell<StringObjectThatMasqueradesAsUndefined>(*exec->heap())) StringObjectThatMasqueradesAsUndefined(exec, structure, newString);
}
private:
Modified: trunk/Source/WebCore/ChangeLog (93687 => 93688)
--- trunk/Source/WebCore/ChangeLog 2011-08-24 02:00:10 UTC (rev 93687)
+++ trunk/Source/WebCore/ChangeLog 2011-08-24 02:05:33 UTC (rev 93688)
@@ -1,3 +1,22 @@
+2011-08-23 Mark Hahnenberg <[email protected]>
+
+ Add checks to ensure allocation does not take place during initialization of GC-managed objects
+ https://bugs.webkit.org/show_bug.cgi?id=65288
+
+ Reviewed by Darin Adler.
+
+ No new tests.
+
+ Adding the new validation functionality. In its current state, it will performs checks,
+ but they don't fail unless you do allocation in the arguments to the parent constructor in the
+ initialization list of a class. The allocateCell() method turns on the global flag disallowing any new
+ allocations, and the constructorBody() method in JSCell turns it off. This way, allocation is still
+ allowed in constructor bodies while other refactoring efforts continue.
+
+ * bindings/js/JSDOMWindowShell.cpp:
+ (WebCore::JSDOMWindowShell::operator new):
+ * bindings/js/JSDOMWindowShell.h:
+
2011-08-23 Scott Byer <[email protected]>
ScrollAnimatorNone coasting implementation
Modified: trunk/Source/WebCore/bindings/js/JSDOMWindowShell.cpp (93687 => 93688)
--- trunk/Source/WebCore/bindings/js/JSDOMWindowShell.cpp 2011-08-24 02:00:10 UTC (rev 93687)
+++ trunk/Source/WebCore/bindings/js/JSDOMWindowShell.cpp 2011-08-24 02:05:33 UTC (rev 93688)
@@ -167,7 +167,12 @@
void* JSDOMWindowShell::operator new(size_t size)
{
- return JSDOMWindow::commonJSGlobalData()->heap.allocate(size);
+ Heap& heap = JSDOMWindow::commonJSGlobalData()->heap;
+#if ENABLE(GC_VALIDATION)
+ ASSERT(!heap.globalData()->isInitializingObject());
+ heap.globalData()->setInitializingObject(true);
+#endif
+ return heap.allocate(size);
}
// ----
Modified: trunk/Source/WebKit/mac/ChangeLog (93687 => 93688)
--- trunk/Source/WebKit/mac/ChangeLog 2011-08-24 02:00:10 UTC (rev 93687)
+++ trunk/Source/WebKit/mac/ChangeLog 2011-08-24 02:05:33 UTC (rev 93688)
@@ -1,3 +1,21 @@
+2011-08-23 Mark Hahnenberg <[email protected]>
+
+ Add checks to ensure allocation does not take place during initialization of GC-managed objects
+ https://bugs.webkit.org/show_bug.cgi?id=65288
+
+ Reviewed by Darin Adler.
+
+ Adding the new validation functionality. In its current state, it will performs checks,
+ but they don't fail unless you do allocation in the arguments to the parent constructor in the
+ initialization list of a class. The allocateCell() method turns on the global flag disallowing any new
+ allocations, and the constructorBody() method in JSCell turns it off. This way, allocation is still
+ allowed in constructor bodies while other refactoring efforts continue.
+
+ * Plugins/Hosted/ProxyRuntimeObject.h:
+ (WebKit::ProxyRuntimeObject::create):
+ * Plugins/Hosted/ProxyRuntimeObject.mm:
+ (WebKit::ProxyRuntimeObject::ProxyRuntimeObject):
+
2011-08-18 Beth Dakin <[email protected]>
Reviewed by Sam Weinig.
Modified: trunk/Source/WebKit/mac/Plugins/Hosted/ProxyRuntimeObject.h (93687 => 93688)
--- trunk/Source/WebKit/mac/Plugins/Hosted/ProxyRuntimeObject.h 2011-08-24 02:00:10 UTC (rev 93687)
+++ trunk/Source/WebKit/mac/Plugins/Hosted/ProxyRuntimeObject.h 2011-08-24 02:05:33 UTC (rev 93688)
@@ -28,6 +28,7 @@
#ifndef ProxyRuntimeObject_h
#define ProxyRuntimeObject_h
+#include <WebCore/JSDOMBinding.h>
#include <WebCore/runtime_object.h>
namespace WebKit {
@@ -40,7 +41,10 @@
static ProxyRuntimeObject* create(JSC::ExecState* exec, JSC::JSGlobalObject* globalObject, PassRefPtr<ProxyInstance> instance)
{
- return new (JSC::allocateCell<ProxyRuntimeObject>(*exec->heap())) ProxyRuntimeObject(exec, globalObject, instance);
+ // FIXME: deprecatedGetDOMStructure uses the prototype off of the wrong global object.
+ // exec->globalData() is also likely wrong.
+ JSC::Structure* structure = WebCore::deprecatedGetDOMStructure<ProxyRuntimeObject>(exec);
+ return new (JSC::allocateCell<ProxyRuntimeObject>(*exec->heap())) ProxyRuntimeObject(exec, globalObject, structure, instance);
}
virtual ~ProxyRuntimeObject();
@@ -54,7 +58,7 @@
static const JSC::ClassInfo s_info;
private:
- ProxyRuntimeObject(JSC::ExecState*, JSC::JSGlobalObject*, PassRefPtr<ProxyInstance>);
+ ProxyRuntimeObject(JSC::ExecState*, JSC::JSGlobalObject*, JSC::Structure*, PassRefPtr<ProxyInstance>);
};
}
Modified: trunk/Source/WebKit/mac/Plugins/Hosted/ProxyRuntimeObject.mm (93687 => 93688)
--- trunk/Source/WebKit/mac/Plugins/Hosted/ProxyRuntimeObject.mm 2011-08-24 02:00:10 UTC (rev 93687)
+++ trunk/Source/WebKit/mac/Plugins/Hosted/ProxyRuntimeObject.mm 2011-08-24 02:05:33 UTC (rev 93688)
@@ -26,7 +26,6 @@
#if USE(PLUGIN_HOST_PROCESS)
#include "runtime/ObjectPrototype.h"
-#include <WebCore/JSDOMBinding.h>
#include "ProxyInstance.h"
#include "ProxyRuntimeObject.h"
@@ -37,10 +36,8 @@
const ClassInfo ProxyRuntimeObject::s_info = { "ProxyRuntimeObject", &RuntimeObject::s_info, 0, 0 };
-ProxyRuntimeObject::ProxyRuntimeObject(ExecState* exec, JSGlobalObject* globalObject, PassRefPtr<ProxyInstance> instance)
- // FIXME: deprecatedGetDOMStructure uses the prototype off of the wrong global object
- // exec-globalData() is also likely wrong.
- : RuntimeObject(exec, globalObject, WebCore::deprecatedGetDOMStructure<ProxyRuntimeObject>(exec), instance)
+ProxyRuntimeObject::ProxyRuntimeObject(ExecState* exec, JSGlobalObject* globalObject, Structure* structure, PassRefPtr<ProxyInstance> instance)
+ : RuntimeObject(exec, globalObject, structure, instance)
{
ASSERT(inherits(&s_info));
}
