Title: [164089] trunk/Source/JavaScriptCore
Revision: 164089
Author: [email protected]
Date: 2014-02-13 18:42:10 -0800 (Thu, 13 Feb 2014)

Log Message

The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs. Part 2.
<https://webkit.org/b/128764>

Reviewed by Mark Hahnenberg.

toJS() is the wrong cast function to use. We need to use toJSForGC() instead.
Also we need to acquire the JSLock to prevent concurrent accesses to the
Strong handle list.

* API/JSValue.mm:
(JSContainerConvertor::add):
(containerValueToObject):
(ObjcContainerConvertor::add):
(objectToValue):

Modified Paths

trunk/Source/JavaScriptCore/API/JSValue.mm
trunk/Source/JavaScriptCore/ChangeLog

Diff

Modified: trunk/Source/JavaScriptCore/API/JSValue.mm (164088 => 164089)


--- trunk/Source/JavaScriptCore/API/JSValue.mm	2014-02-14 02:36:44 UTC (rev 164088)
+++ trunk/Source/JavaScriptCore/API/JSValue.mm	2014-02-14 02:42:10 UTC (rev 164089)
@@ -615,7 +615,7 @@
 void JSContainerConvertor::add(Task task)
 {
     JSC::ExecState* exec = toJS(m_context);
-    m_jsValues.append(JSC::Strong<JSC::Unknown>(exec->vm(), toJS(exec, task.js)));
+    m_jsValues.append(JSC::Strong<JSC::Unknown>(exec->vm(), toJSForGC(exec, task.js)));
     m_objectMap.add(task.js, task.objc);
     if (task.type != ContainerNone)
         m_worklist.append(task);
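Review bot: the reason toJS() is the wrong cast is stated nowhere in the patch; please add a sentence to the ChangeLog (and ideally a one-line comment above the m_jsValues.append) saying what toJSForGC(exec, task.js) hands back that toJS(exec, task.js) does not. The whole purpose of the Strong<JSC::Unknown> handle is to keep the value behind task.js alive, and a reader seeing only this line will find the two calls interchangeable and be tempted to "simplify" it back to toJS().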
@@ -672,6 +672,7 @@
 static id containerValueToObject(JSGlobalContextRef context, JSContainerConvertor::Task task)
 {
     ASSERT(task.type != ContainerNone);
+    JSC::APIEntryShim entryShim(toJS(context));
     JSContainerConvertor convertor(context);
     convertor.add(task);
     ASSERT(!convertor.isWorkListEmpty());
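Review bot: declaration order is load-bearing here and is correct as written: entryShim is constructed before convertor, so the lock is still held when convertor's destructor runs and releases the Strong handles that add() appended. Please add a short comment that the shim must stay above the convertor, otherwise a future reordering would silently reintroduce the unlocked access to the Strong handle list that the ChangeLog describes. The ASSERT on task.type running before the shim is fine, since it touches no VM state.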
@@ -841,7 +842,7 @@
 void ObjcContainerConvertor::add(ObjcContainerConvertor::Task task)
 {
     JSC::ExecState* exec = toJS(m_context.JSGlobalContextRef);
-    m_jsValues.append(JSC::Strong<JSC::Unknown>(exec->vm(), toJS(exec, task.js)));
+    m_jsValues.append(JSC::Strong<JSC::Unknown>(exec->vm(), toJSForGC(exec, task.js)));
     m_objectMap.add(task.objc, task.js);
     if (task.type != ContainerNone)
         m_worklist.append(task);
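Review bot: this is the same one-token fix as in JSContainerConvertor::add, and the two bodies are otherwise identical apart from m_context versus m_context.JSGlobalContextRef; consider factoring the Strong-handle append into one shared helper (for example a small static function taking ExecState* and JSValueRef) so the toJS()/toJSForGC() distinction lives in a single place and cannot be fixed in one convertor and regressed in the other.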
@@ -921,6 +922,7 @@
     if (task.type == ContainerNone)
         return task.js;
 
+    JSC::APIEntryShim entryShim(toJS(contextRef));
     ObjcContainerConvertor convertor(context);
     convertor.add(task);
     ASSERT(!convertor.isWorkListEmpty());
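Review bot: the shim is built from contextRef while the convertor two lines below is built from context; the lines that define those two variables are outside the hunk, so please confirm they denote the same global context, otherwise the lock taken here guards a different VM from the one the Strong handles are registered with. The early return for ContainerNone above the shim is fine, since it hands task.js back without creating a handle.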

Modified: trunk/Source/JavaScriptCore/ChangeLog (164088 => 164089)


--- trunk/Source/JavaScriptCore/ChangeLog	2014-02-14 02:36:44 UTC (rev 164088)
+++ trunk/Source/JavaScriptCore/ChangeLog	2014-02-14 02:42:10 UTC (rev 164089)
@@ -1,3 +1,20 @@
+2014-02-13  Mark Lam  <[email protected]>
+
+        The JSContainerConvertor and ObjcContainerConvertor need to protect JSValueRefs. Part 2.
+        <https://webkit.org/b/128764>
+
+        Reviewed by Mark Hahnenberg.
+
+        toJS() is the wrong cast function to use. We need to use toJSForGC() instead.
+        Also we need to acquire the JSLock to prevent concurrent accesses to the
+        Strong handle list.
+
+        * API/JSValue.mm:
+        (JSContainerConvertor::add):
+        (containerValueToObject):
+        (ObjcContainerConvertor::add):
+        (objectToValue):
+
 2014-02-13  Mark Hahnenberg  <[email protected]>
 
         JSManagedValue::dealloc modifies NSMapTable while iterating it
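Review bot: the entry says "acquire the JSLock" but the code change is two JSC::APIEntryShim declarations; name the shim in the ChangeLog so the entry matches what a reader will grep for. No test accompanies this Part 2 change (only API/JSValue.mm and ChangeLog are touched); if the bug report has a reproduction that converts nested containers through JSValue, an API regression test would be the natural companion so the toJS()/toJSForGC() and locking fixes cannot regress unnoticed.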
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
