Title: [148073] trunk/Source/_javascript_Core
- Revision
- 148073
- Author
- [email protected]
- Date
- 2013-04-09 18:23:53 -0700 (Tue, 09 Apr 2013)
Log Message
Add liveness tests to JSC API entry points
https://bugs.webkit.org/show_bug.cgi?id=114318
Reviewed by Geoffrey Garen.
Add simple checks for the existence of a method table on any
JSCells passed across the API. This in turn forces a structure
validity test.
* API/APICast.h:
(toJS):
(toJSForGC):
(unsafeToJS):
* API/JSObjectRef.cpp:
(JSObjectGetPrivate):
Modified: trunk/Source/_javascript_Core/API/APICast.h (148072 => 148073)
--- trunk/Source/_javascript_Core/API/APICast.h 2013-04-10 01:11:50 UTC (rev 148072)
+++ trunk/Source/_javascript_Core/API/APICast.h 2013-04-10 01:23:53 UTC (rev 148073)
@@ -67,15 +67,19 @@
JSC::JSCell* jsCell = reinterpret_cast<JSC::JSCell*>(const_cast<OpaqueJSValue*>(v));
if (!jsCell)
return JSC::jsNull();
+ JSC::JSValue result;
if (jsCell->isAPIValueWrapper())
- return JSC::jsCast<JSC::JSAPIValueWrapper*>(jsCell)->value();
- return jsCell;
+ result = JSC::jsCast<JSC::JSAPIValueWrapper*>(jsCell)->value();
+ else
+ result = jsCell;
#else
JSC::JSValue result = JSC::JSValue::decode(reinterpret_cast<JSC::EncodedJSValue>(const_cast<OpaqueJSValue*>(v)));
+#endif
if (!result)
return JSC::jsNull();
+ if (result.isCell())
+ RELEASE_ASSERT(result.asCell()->methodTable());
return result;
-#endif
}
inline JSC::JSValue toJSForGC(JSC::ExecState* exec, JSValueRef v)
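Review bot: In the 32/64 branch the new `RELEASE_ASSERT(result.asCell()->methodTable())` runs only after `jsCell->isAPIValueWrapper()` and, for wrappers, `->value()` have already gone through the cell, and isAPIValueWrapper() is presumably resolved via the cell's structure, so a dangling JSValueRef is still dereferenced before the assertion can turn it into a deterministic crash. Asserting on the raw cell directly after the null check closes that window: `RELEASE_ASSERT(jsCell->methodTable());` immediately after `return JSC::jsNull();` at the top of the branch, with the later `result.isCell()` assert kept for the unwrapped value. The other branch is fine as written, since JSValue::decode does not touch the cell. The function's signature and the enclosing `#if` guard are above the hunk.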
@@ -85,17 +89,29 @@
JSC::JSCell* jsCell = reinterpret_cast<JSC::JSCell*>(const_cast<OpaqueJSValue*>(v));
if (!jsCell)
return JSC::JSValue();
- return jsCell;
+ JSC::JSValue result = jsCell;
#else
- return JSC::JSValue::decode(reinterpret_cast<JSC::EncodedJSValue>(const_cast<OpaqueJSValue*>(v)));
+ JSC::JSValue result = JSC::JSValue::decode(reinterpret_cast<JSC::EncodedJSValue>(const_cast<OpaqueJSValue*>(v)));
#endif
+ if (result && result.isCell())
+ RELEASE_ASSERT(result.asCell()->methodTable());
+ return result;
}
-inline JSC::JSObject* toJS(JSObjectRef o)
+// Used in JSObjectGetPrivate as that may be called during finalization
+inline JSC::JSObject* uncheckedToJS(JSObjectRef o)
{
return reinterpret_cast<JSC::JSObject*>(o);
}
+inline JSC::JSObject* toJS(JSObjectRef o)
+{
+ JSC::JSObject* object = uncheckedToJS(o);
+ if (object)
+ RELEASE_ASSERT(object->methodTable());
+ return object;
+}
+
inline JSC::PropertyNameArray* toJS(JSPropertyNameAccumulatorRef a)
{
return reinterpret_cast<JSC::PropertyNameArray*>(a);
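Review bot: The `if (x) RELEASE_ASSERT(x->methodTable());` liveness check now appears verbatim in toJS(ExecState*, JSValueRef), toJSForGC and toJS(JSObjectRef); one helper such as `inline void assertCellIsLive(JSC::JSCell* cell) { if (cell) RELEASE_ASSERT(cell->methodTable()); }` would keep the three sites in step when the check is tightened later. The comment on uncheckedToJS names its one caller but not its contract; consider `// No liveness check: the object may be mid-finalization, so callers must not assume its structure is valid.` The ChangeLog entry lists `(unsafeToJS)` while the function actually added is `uncheckedToJS`; one of the two should be corrected before landing.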
Modified: trunk/Source/_javascript_Core/API/JSObjectRef.cpp (148072 => 148073)
--- trunk/Source/_javascript_Core/API/JSObjectRef.cpp 2013-04-10 01:11:50 UTC (rev 148072)
+++ trunk/Source/_javascript_Core/API/JSObjectRef.cpp 2013-04-10 01:23:53 UTC (rev 148073)
@@ -340,7 +340,7 @@
void* JSObjectGetPrivate(JSObjectRef object)
{
- JSObject* jsObject = toJS(object);
+ JSObject* jsObject = uncheckedToJS(object);
if (jsObject->inherits(&JSCallbackObject<JSGlobalObject>::s_info))
return jsCast<JSCallbackObject<JSGlobalObject>*>(jsObject)->getPrivate();
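Review bot: Switching to uncheckedToJS drops the liveness assertion, yet the very next line calls `jsObject->inherits(...)`, which is presumably resolved through the cell's structure, so the finalization case this change is meant to tolerate still reads the structure, only without the assert. If the structure is guaranteed to outlive the object during finalization, state that at the cast site: `// May run from a finalizer: skip the liveness assert; the structure is still valid here.` If it is not guaranteed, the inherits() checks need the same treatment as the cast. The remainder of JSObjectGetPrivate is outside the hunk.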
Modified: trunk/Source/_javascript_Core/ChangeLog (148072 => 148073)
--- trunk/Source/_javascript_Core/ChangeLog 2013-04-10 01:11:50 UTC (rev 148072)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-04-10 01:23:53 UTC (rev 148073)
@@ -1,5 +1,23 @@
2013-04-09 Oliver Hunt <[email protected]>
+ Add liveness tests to JSC API entry points
+ https://bugs.webkit.org/show_bug.cgi?id=114318
+
+ Reviewed by Geoffrey Garen.
+
+ Add simple checks for the existence of a method table on any
+ JSCells passed across the API. This in turn forces a structure
+ validity test.
+
+ * API/APICast.h:
+ (toJS):
+ (toJSForGC):
+ (unsafeToJS):
+ * API/JSObjectRef.cpp:
+ (JSObjectGetPrivate):
+
+2013-04-09 Oliver Hunt <[email protected]>
+
Rollout last patch as it destroyed everything
* API/APICast.h: