- Revision
- 114457
- Author
- [email protected]
- Date
- 2012-04-17 16:01:14 -0700 (Tue, 17 Apr 2012)
Log Message
It should be possible to create an inheritorID for the global this object without crashing
https://bugs.webkit.org/show_bug.cgi?id=84200
<rdar://problem/11251082>
Reviewed by Oliver Hunt.
Source/_javascript_Core:
* runtime/JSGlobalThis.cpp:
(JSC::JSGlobalThis::setUnwrappedObject):
* runtime/JSGlobalThis.h:
(JSC::JSGlobalThis::unwrappedObject):
(JSGlobalThis):
* runtime/JSObject.cpp:
(JSC::JSObject::createInheritorID):
* runtime/JSObject.h:
(JSObject):
(JSC::JSObject::resetInheritorID):
Source/WebCore:
No new tests, because the circumstances necessary to make this happen are rather hairy.
* bindings/js/JSDOMWindowShell.h:
(WebCore::JSDOMWindowShell::window):
(WebCore::JSDOMWindowShell::setWindow):
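--- a/trunk/Source/_javascript_Core/ChangeLog
+++ b/trunk/Source/_javascript_Core/ChangeLog
@@ -1,5 +1,24 @@
 2012-04-17 Filip Pizlo <[email protected]>
+ It should be possible to create an inheritorID for the global this object without crashing
+ https://bugs.webkit.org/show_bug.cgi?id=84200
+ <rdar://problem/11251082>
+
+ Reviewed by Oliver Hunt.
+
+ * runtime/JSGlobalThis.cpp:
+ (JSC::JSGlobalThis::setUnwrappedObject):
+ * runtime/JSGlobalThis.h:
+ (JSC::JSGlobalThis::unwrappedObject):
+ (JSGlobalThis):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::createInheritorID):
+ * runtime/JSObject.h:
+ (JSObject):
+ (JSC::JSObject::resetInheritorID):
+
+2012-04-17 Filip Pizlo <[email protected]>
+
 DFG and LLInt should not clobber the frame pointer on ARMv7
 https://bugs.webkit.org/show_bug.cgi?id=84185
 <rdar://problem/10767252>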
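--- a/trunk/Source/_javascript_Core/runtime/JSGlobalThis.cpp
+++ b/trunk/Source/_javascript_Core/runtime/JSGlobalThis.cpp
@@ -48,9 +48,12 @@
 visitor.append(&thisObject->m_unwrappedObject);
 }
-JSGlobalObject* JSGlobalThis::unwrappedObject()
+void JSGlobalThis::setUnwrappedObject(JSGlobalData& globalData, JSGlobalObject* globalObject)
 {
- return m_unwrappedObject.get();
+ ASSERT_ARG(globalObject, globalObject);
+ m_unwrappedObject.set(globalData, this, globalObject);
+ setPrototype(globalData, globalObject->prototype());
+ resetInheritorID();
 }
 } // namespace JSC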
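Review bot: The `resetInheritorID();` call that closes setUnwrappedObject carries no comment saying why it must follow the prototype change, and a later reordering or early return could silently leave a cached inheritorID that was built while this object pointed at the previous global object (compare the createInheritorID change in runtime/JSObject.cpp in this commit, which now derives the global object from unwrappedObject()). Suggest `// Any cached inheritorID was built against the previous global object and prototype; drop it so createInheritorID() rebuilds it for the new one.` above that line. Note also that `ASSERT_ARG` compiles out of release builds, so a null globalObject would reach `globalObject->prototype()` unguarded; that is fine only as long as every caller guarantees non-null, as JSDOMWindowShell::setWindow does.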
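--- a/trunk/Source/_javascript_Core/runtime/JSGlobalThis.h
+++ b/trunk/Source/_javascript_Core/runtime/JSGlobalThis.h
@@ -48,7 +48,7 @@
 static JS_EXPORTDATA const JSC::ClassInfo s_info;
- JSGlobalObject* unwrappedObject();
+ JSGlobalObject* unwrappedObject() const { return m_unwrappedObject.get(); }
 protected:
 JSGlobalThis(JSGlobalData& globalData, Structure* structure)
@@ -65,6 +65,9 @@
 JS_EXPORT_PRIVATE static void visitChildren(JSCell*, SlotVisitor&);
+ JS_EXPORT_PRIVATE void setUnwrappedObject(JSGlobalData&, JSGlobalObject*);
+
+private:
 WriteBarrier<JSGlobalObject> m_unwrappedObject;
 };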
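--- a/trunk/Source/_javascript_Core/runtime/JSObject.cpp
+++ b/trunk/Source/_javascript_Core/runtime/JSObject.cpp
@@ -541,7 +541,13 @@
 Structure* JSObject::createInheritorID(JSGlobalData& globalData)
 {
- m_inheritorID.set(globalData, this, createEmptyObjectStructure(globalData, structure()->globalObject(), this));
+ JSGlobalObject* globalObject;
+ if (isGlobalThis())
+ globalObject = static_cast<JSGlobalThis*>(this)->unwrappedObject();
+ else
+ globalObject = structure()->globalObject();
+ ASSERT(globalObject);
+ m_inheritorID.set(globalData, this, createEmptyObjectStructure(globalData, globalObject, this));
 ASSERT(m_inheritorID->isEmpty());
 return m_inheritorID.get();
 }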
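Review bot: The downcast `static_cast<JSGlobalThis*>(this)` in createInheritorID is unchecked, while JSC's `jsCast<>` (used in bindings/js/JSDOMWindowShell.h in this same commit) performs the same cast and asserts the dynamic type in debug builds; `globalObject = jsCast<JSGlobalThis*>(this)->unwrappedObject();` would both document and check the assumption that isGlobalThis() implies the JSGlobalThis type. The `ASSERT(globalObject)` on the next line also compiles out in release builds, so a null from either branch still flows into createEmptyObjectStructure exactly as the pre-patch code did. A one-line comment on why the global-this case cannot use `structure()->globalObject()` (presumably the JSGlobalThis's own structure carries no global object — confirm) would save the next reader from reverting this to the single-line form.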
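--- a/trunk/Source/_javascript_Core/runtime/JSObject.h
+++ b/trunk/Source/_javascript_Core/runtime/JSObject.h
@@ -264,6 +264,11 @@
 // To instantiate objects you likely want JSFinalObject, below.
 // To create derived types you likely want JSNonFinalObject, below.
 JSObject(JSGlobalData&, Structure*, PropertyStorage inlineStorage);
+
+ void resetInheritorID()
+ {
+ m_inheritorID.clear();
+ }
 private:
 friend class LLIntOffsetsExtractor;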
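Review bot: `resetInheritorID()` is added to JSObject's public interface with no comment on when it is legitimate or necessary to call it, even though it discards a cached structure that createInheritorID() (runtime/JSObject.cpp in this commit) builds against the object's global object. Suggest `// Drops the cached inheritorID. Call after the object's global object or prototype changes so createInheritorID() does not hand out a structure built for the old one.` above the definition. Its only caller in this commit is JSGlobalThis::setUnwrappedObject; the JSObject class continues outside the hunk.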
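--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,3 +1,17 @@
+2012-04-17 Filip Pizlo <[email protected]>
+
+ It should be possible to create an inheritorID for the global this object without crashing
+ https://bugs.webkit.org/show_bug.cgi?id=84200
+ <rdar://problem/11251082>
+
+ Reviewed by Oliver Hunt.
+
+ No new tests, because the circumstances necessary to make this happen are rather hairy.
+
+ * bindings/js/JSDOMWindowShell.h:
+ (WebCore::JSDOMWindowShell::window):
+ (WebCore::JSDOMWindowShell::setWindow):
+
 2012-04-17 Luke Macpherson <[email protected]>
 Make CSSParser::parseValue()'s handling of CSSPropertyCursor more obviously correct.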
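--- a/trunk/Source/WebCore/bindings/js/JSDOMWindowShell.h
+++ b/trunk/Source/WebCore/bindings/js/JSDOMWindowShell.h
@@ -43,12 +43,11 @@
 JSDOMWindowShell(PassRefPtr<DOMWindow>, JSC::Structure*, DOMWrapperWorld*);
 static void destroy(JSCell*);
- JSDOMWindow* window() const { return JSC::jsCast<JSDOMWindow*>(m_unwrappedObject.get()); }
+ JSDOMWindow* window() const { return JSC::jsCast<JSDOMWindow*>(unwrappedObject()); }
 void setWindow(JSC::JSGlobalData& globalData, JSDOMWindow* window)
 {
 ASSERT_ARG(window, window);
- m_unwrappedObject.set(globalData, this, window);
- setPrototype(globalData, window->prototype());
+ setUnwrappedObject(globalData, window);
 }
 void setWindow(PassRefPtr<DOMWindow>);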
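Review bot: The `ASSERT_ARG(window, window);` kept in setWindow is now duplicated by the identical assertion at the top of JSGlobalThis::setUnwrappedObject (runtime/JSGlobalThis.cpp in this commit), so the body can shrink to `{ setUnwrappedObject(globalData, window); }`. Keeping it is harmless and gives a WebCore-side failure message, but the two checks will drift if either is later changed, so pick one deliberately. The class body continues outside the hunk.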