Title: [252877] trunk/Source/_javascript_Core
Revision
252877
Author
[email protected]
Date
2019-11-26 00:24:57 -0800 (Tue, 26 Nov 2019)

Log Message

[GLIB] The API lock should be held before calling JSC::createTypeError
https://bugs.webkit.org/show_bug.cgi?id=204573

Reviewed by Mark Lam.

We are missing it in several places. This is causing a crash in test /jsc/object after r252298.

* API/glib/JSCContext.cpp:
(jscContextGArrayToJSArray):
(jscContextJSArrayToGArray):
(jscContextGValueToJSValue):
(jscContextJSValueToGValue):
* API/glib/JSCValue.cpp:
(jsc_value_new_array):
(jscValueCallFunction):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/API/glib/JSCContext.cpp (252876 => 252877)


--- trunk/Source/_javascript_Core/API/glib/JSCContext.cpp	2019-11-26 07:52:31 UTC (rev 252876)
+++ trunk/Source/_javascript_Core/API/glib/JSCContext.cpp	2019-11-26 08:24:57 UTC (rev 252877)
@@ -271,6 +271,9 @@
 JSValueRef jscContextGArrayToJSArray(JSCContext* context, GPtrArray* gArray, JSValueRef* exception)
 {
     JSCContextPrivate* priv = context->priv;
+    JSC::JSGlobalObject* globalObject = toJS(priv->jsContext.get());
+    JSC::JSLockHolder locker(globalObject);
+
     auto* jsArray = JSObjectMakeArray(priv->jsContext.get(), 0, nullptr, exception);
     if (*exception)
         return JSValueMakeUndefined(priv->jsContext.get());
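Review bot: The new `JSC::JSLockHolder locker(globalObject);` carries no comment saying why it is needed, and a reader of this function sees only API calls (JSObjectMakeArray, JSObjectSetPropertyAtIndex) that already take the lock internally, so a later cleanup could remove it as redundant and reintroduce the crash. I would annotate the lock site: `// JSC::createTypeError allocates on the JS heap, so the API lock must be held here; the JSC API calls below re-acquire it recursively (bug 204573).` The identical locker lines added in jscContextJSArrayToGArray, jscContextJSArrayToGStrv, jscContextGValueToJSValue, jscContextJSValueToGValue and in JSCValue.cpp deserve the same comment. Holding the lock across the nested API calls relies on JSLock being reentrant for the owning thread, which is my understanding of JSC's JSLock but is worth stating rather than leaving implicit.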
@@ -289,7 +292,7 @@
         else if (JSC_IS_VALUE(item))
             JSObjectSetPropertyAtIndex(priv->jsContext.get(), jsArrayObject, i, jscValueGetJSValue(JSC_VALUE(item)), exception);
         else
-            *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("invalid item type in GPtrArray")));
+            *exception = toRef(JSC::createTypeError(globalObject, makeString("invalid item type in GPtrArray")));
 
         if (*exception)
             return JSValueMakeUndefined(priv->jsContext.get());
@@ -301,11 +304,14 @@
 static GRefPtr<GPtrArray> jscContextJSArrayToGArray(JSCContext* context, JSValueRef jsArray, JSValueRef* exception)
 {
     JSCContextPrivate* priv = context->priv;
+    JSC::JSGlobalObject* globalObject = toJS(priv->jsContext.get());
+    JSC::JSLockHolder locker(globalObject);
+
     if (JSValueIsNull(priv->jsContext.get(), jsArray))
         return nullptr;
 
     if (!JSValueIsArray(priv->jsContext.get(), jsArray)) {
-        *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("invalid js type for GPtrArray")));
+        *exception = toRef(JSC::createTypeError(globalObject, makeString("invalid js type for GPtrArray")));
         return nullptr;
     }
 
@@ -337,11 +343,14 @@
 GUniquePtr<char*> jscContextJSArrayToGStrv(JSCContext* context, JSValueRef jsArray, JSValueRef* exception)
 {
     JSCContextPrivate* priv = context->priv;
+    JSC::JSGlobalObject* globalObject = toJS(priv->jsContext.get());
+    JSC::JSLockHolder locker(globalObject);
+
     if (JSValueIsNull(priv->jsContext.get(), jsArray))
         return nullptr;
 
     if (!JSValueIsArray(priv->jsContext.get(), jsArray)) {
-        *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("invalid js type for GStrv")));
+        *exception = toRef(JSC::createTypeError(globalObject, makeString("invalid js type for GStrv")));
         return nullptr;
     }
 
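Review bot: The ChangeLog entry in this commit lists jscContextJSArrayToGArray but omits jscContextJSArrayToGStrv, even though this hunk and the next give it exactly the same lock-and-globalObject change; the function list under `* API/glib/JSCContext.cpp:` should gain `(jscContextJSArrayToGStrv):` so the entry matches the diff. jscContextJSArrayToGStrv continues past the end of this hunk.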
@@ -366,7 +375,7 @@
 
         auto jsValueItem = jscContextGetOrCreateValue(context, jsItem);
         if (!jsc_value_is_string(jsValueItem.get())) {
-            *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("invalid js type for GStrv: item ", String::number(i), " is not a string")));
+            *exception = toRef(JSC::createTypeError(globalObject, makeString("invalid js type for GStrv: item ", String::number(i), " is not a string")));
             return nullptr;
         }
 
@@ -379,6 +388,8 @@
 JSValueRef jscContextGValueToJSValue(JSCContext* context, const GValue* value, JSValueRef* exception)
 {
     JSCContextPrivate* priv = context->priv;
+    JSC::JSGlobalObject* globalObject = toJS(priv->jsContext.get());
+    JSC::JSLockHolder locker(globalObject);
 
     switch (g_type_fundamental(G_VALUE_TYPE(value))) {
     case G_TYPE_BOOLEAN:
@@ -446,7 +457,7 @@
         break;
     }
 
-    *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("unsupported type ", g_type_name(G_VALUE_TYPE(value)))));
+    *exception = toRef(JSC::createTypeError(globalObject, makeString("unsupported type ", g_type_name(G_VALUE_TYPE(value)))));
     return JSValueMakeUndefined(priv->jsContext.get());
 }
 
@@ -453,8 +464,10 @@
 void jscContextJSValueToGValue(JSCContext* context, JSValueRef jsValue, GType type, GValue* value, JSValueRef* exception)
 {
     JSCContextPrivate* priv = context->priv;
+    JSC::JSGlobalObject* globalObject = toJS(priv->jsContext.get());
+    JSC::JSLockHolder locker(globalObject);
+
     g_value_init(value, type);
-
     auto fundamentalType = g_type_fundamental(G_VALUE_TYPE(value));
     switch (fundamentalType) {
     case G_TYPE_INT:
@@ -528,7 +541,7 @@
                     return;
                 }
 
-                *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), "invalid pointer type"_s));
+                *exception = toRef(JSC::createTypeError(globalObject, "invalid pointer type"_s));
                 return;
             }
         }
@@ -539,7 +552,7 @@
         else if (G_IS_OBJECT(wrappedObject))
             g_value_set_object(value, wrappedObject);
         else
-            *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), "wrapped object is not a GObject"_s));
+            *exception = toRef(JSC::createTypeError(globalObject, "wrapped object is not a GObject"_s));
         break;
     }
     case G_TYPE_LONG:
@@ -564,7 +577,7 @@
     case G_TYPE_INTERFACE:
     case G_TYPE_VARIANT:
     default:
-        *exception = toRef(JSC::createTypeError(toJS(priv->jsContext.get()), makeString("unsupported type ", g_type_name(G_VALUE_TYPE(value)))));
+        *exception = toRef(JSC::createTypeError(globalObject, makeString("unsupported type ", g_type_name(G_VALUE_TYPE(value)))));
         break;
     }
 }

Modified: trunk/Source/_javascript_Core/API/glib/JSCValue.cpp (252876 => 252877)


--- trunk/Source/_javascript_Core/API/glib/JSCValue.cpp	2019-11-26 07:52:31 UTC (rev 252876)
+++ trunk/Source/_javascript_Core/API/glib/JSCValue.cpp	2019-11-26 08:24:57 UTC (rev 252877)
@@ -472,8 +472,11 @@
 {
     g_return_val_if_fail(JSC_IS_CONTEXT(context), nullptr);
 
+    auto* jsContext = jscContextGetJSContext(context);
+    JSC::JSGlobalObject* globalObject = toJS(jsContext);
+    JSC::JSLockHolder locker(globalObject);
+
     JSValueRef exception = nullptr;
-    auto* jsContext = jscContextGetJSContext(context);
     auto* jsArray = JSObjectMakeArray(jsContext, 0, nullptr, &exception);
     if (jscContextHandleExceptionIfNeeded(context, exception))
         return nullptr;
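Review bot: Moving the locker above `JSValueRef exception = nullptr;` means the VM API lock is now held while `jscContextHandleExceptionIfNeeded(context, exception)` runs, which presumably dispatches to the application's registered exception handler; the same holds for the locker added in jscValueCallFunction further down in this file. That is likely fine on the owning thread because JSLock is reentrant there, but a handler that blocks waiting for another thread that needs this VM would now deadlock, so the behaviour should be documented at the lock site, e.g. `// The API lock stays held while the exception handler runs; handlers may re-enter the JSC API but must not wait on other threads that use this context.` The signature of jsc_value_new_array is above the hunk, so I cannot see whether its doc comment already says anything about handler re-entrancy.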
@@ -491,7 +494,7 @@
         GUniqueOutPtr<char> error;
         G_VALUE_COLLECT_INIT(&item, itemType, args, G_VALUE_NOCOPY_CONTENTS, &error.outPtr());
         if (error) {
-            exception = toRef(JSC::createTypeError(toJS(jsContext), makeString("failed to collect array item: ", error.get())));
+            exception = toRef(JSC::createTypeError(globalObject, makeString("failed to collect array item: ", error.get())));
             jscContextHandleExceptionIfNeeded(context, exception);
             jsArray = nullptr;
             break;
@@ -878,6 +881,8 @@
 {
     JSCValuePrivate* priv = value->priv;
     auto* jsContext = jscContextGetJSContext(priv->context.get());
+    JSC::JSGlobalObject* globalObject = toJS(jsContext);
+    JSC::JSLockHolder locker(globalObject);
 
     JSValueRef exception = nullptr;
     Vector<JSValueRef> arguments;
@@ -887,7 +892,7 @@
         GUniqueOutPtr<char> error;
         G_VALUE_COLLECT_INIT(&parameter, parameterType, args, G_VALUE_NOCOPY_CONTENTS, &error.outPtr());
         if (error) {
-            exception = toRef(JSC::createTypeError(toJS(jsContext), makeString("failed to collect function paramater: ", error.get())));
+            exception = toRef(JSC::createTypeError(globalObject, makeString("failed to collect function paramater: ", error.get())));
             jscContextHandleExceptionIfNeeded(priv->context.get(), exception);
             return adoptGRef(jsc_value_new_undefined(priv->context.get()));
         }
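Review bot: The rewritten line keeps the misspelled user-visible error text `failed to collect function paramater: `; since the line is being changed anyway, correct it to `failed to collect function parameter: ` so anyone matching on the message does not have to know the typo. The enclosing loop and jscValueCallFunction both start and end outside this hunk.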

Modified: trunk/Source/_javascript_Core/ChangeLog (252876 => 252877)


--- trunk/Source/_javascript_Core/ChangeLog	2019-11-26 07:52:31 UTC (rev 252876)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-11-26 08:24:57 UTC (rev 252877)
@@ -1,3 +1,21 @@
+2019-11-26  Carlos Garcia Campos  <[email protected]>
+
+        [GLIB] The API lock should be held before calling JSC::createTypeError
+        https://bugs.webkit.org/show_bug.cgi?id=204573
+
+        Reviewed by Mark Lam.
+
+        We are missing it in several places. This is causing a crash in test /jsc/object after r252298.
+
+        * API/glib/JSCContext.cpp:
+        (jscContextGArrayToJSArray):
+        (jscContextJSArrayToGArray):
+        (jscContextGValueToJSValue):
+        (jscContextJSValueToGValue):
+        * API/glib/JSCValue.cpp:
+        (jsc_value_new_array):
+        (jscValueCallFunction):
+
 2019-11-25  Yusuke Suzuki  <[email protected]>
 
         [JSC] InternalFunction should be non-destructible