Title: [171564] trunk/Source/_javascript_Core
- Revision
- 171564
- Author
- [email protected]
- Date
- 2014-07-24 17:59:10 -0700 (Thu, 24 Jul 2014)
Log Message
JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
<https://webkit.org/b/135258>
Reviewed by Mark Hahnenberg.
Where needed, we cache the prototype object pointer in a stack local var.
This allows it to be scanned by the GC, and hence be kept alive until
we use it. The constructor object will in turn be kept alive by the
prototype object.
Also added some comments to warn against future code additions that could
regress this issue.
* API/JSWrapperMap.mm:
(-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
(-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
(-[JSObjCClassInfo wrapperForObject:]):
(-[JSObjCClassInfo constructor]):
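The ordering constraint described in the log message (copy the weakly held pointer into a stack local *before* any call that can allocate, so the collector's stack scan keeps it alive until it is used) can be seen in miniature with the following toy model. This is an added example, not JSC's code: `ToyHeap`, `WeakHandle`, `StackRoot`, `wrapUnsafe` and `wrapSafe` are constructed names, and the explicit root set is a simplification of JSC's conservative stack scanning, which finds such a pointer in the stack frame without any registration. `wrapUnsafe` mirrors the pre-patch shape of `wrapperForObject:` (weak member re-read after `makeWrapper`), `wrapSafe` the patched shape.

```cpp
#include <cassert>
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

// Toy heap object (constructed for this example). strongRefs are the edges the
// marker traces, e.g. a prototype object referencing its constructor.
struct Object {
    std::vector<Object*> strongRefs;
    bool alive = true, marked = false;
};

// Mark/sweep collector with an explicit root set. The root set stands in for
// JSC's conservative stack scan: a pointer "held on the stack" is registered here.
class ToyHeap {
public:
    Object* allocate() { objects_.push_back(std::make_unique<Object>()); return objects_.back().get(); }
    bool isLive(const Object* o) const { return o && o->alive; }
    void addRoot(Object* o) { roots_.insert(o); }
    void removeRoot(Object* o) { auto it = roots_.find(o); if (it != roots_.end()) roots_.erase(it); }
    // Swept objects are flagged dead but never freed or reused, so a weak handle can
    // detect collection without the address-reuse ambiguity of a real allocator.
    void collect() {
        for (auto& o : objects_) o->marked = false;
        std::vector<Object*> work(roots_.begin(), roots_.end());
        while (!work.empty()) {
            Object* o = work.back(); work.pop_back();
            if (!o->alive || o->marked) continue;
            o->marked = true;
            for (Object* child : o->strongRefs) work.push_back(child);
        }
        for (auto& o : objects_) if (!o->marked) o->alive = false;
    }
private:
    std::vector<std::unique_ptr<Object>> objects_;
    std::multiset<Object*> roots_;
};

// Weak handle: yields nullptr once the referent has been swept, like the weak
// m_prototype / m_constructor members the patch is concerned with.
struct WeakHandle {
    ToyHeap* heap = nullptr;
    Object* raw = nullptr;
    Object* get() const { return heap->isLive(raw) ? raw : nullptr; }
};

// RAII stand-in for "copy the pointer into a stack local": the value is a root
// for exactly as long as the guard (and thus the local) is live.
struct StackRoot {
    ToyHeap& heap;
    Object* obj;
    StackRoot(ToyHeap& h, Object* o) : heap(h), obj(o) { heap.addRoot(obj); }
    ~StackRoot() { heap.removeRoot(obj); }
};

// Mirrors allocateConstructorAndPrototype: the prototype strongly references the
// constructor, while the class info keeps only a weak handle to the prototype.
static WeakHandle makeClassPrototype(ToyHeap& heap) {
    Object* constructor = heap.allocate();
    Object* prototype = heap.allocate();
    prototype->strongRefs.push_back(constructor);
    return WeakHandle{&heap, prototype};
}

// makeWrapper allocates, and any allocation may run a collection first.
static Object* makeWrapperWithGC(ToyHeap& heap) {
    heap.collect();
    return heap.allocate();
}

// Pre-patch shape: the weak member is re-read after the allocating call, by
// which time its referent may already have been swept.
static Object* wrapUnsafe(ToyHeap& heap, const WeakHandle& m_prototype) {
    assert(m_prototype.get());
    Object* wrapper = makeWrapperWithGC(heap);
    Object* prototype = m_prototype.get();   // nullptr if the GC ran in between
    if (!prototype) return nullptr;
    wrapper->strongRefs.push_back(prototype);
    return wrapper;
}

// Post-patch shape: the pointer is copied to a stack local before the allocating
// call, so the scan finds it and the prototype (and its constructor) survive.
static Object* wrapSafe(ToyHeap& heap, const WeakHandle& m_prototype) {
    Object* prototype = m_prototype.get();
    assert(prototype);
    StackRoot pin(heap, prototype);
    Object* wrapper = makeWrapperWithGC(heap);
    wrapper->strongRefs.push_back(prototype);
    return wrapper;
}

// True when the pre-patch ordering loses the prototype to the collection.
bool unsafePathLosesPrototype() {
    ToyHeap heap;
    WeakHandle proto = makeClassPrototype(heap);
    return wrapUnsafe(heap, proto) == nullptr;
}

// True when the patched ordering keeps prototype, constructor and wrapper alive.
bool safePathKeepsPair() {
    ToyHeap heap;
    WeakHandle proto = makeClassPrototype(heap);
    Object* wrapper = wrapSafe(heap, proto);
    if (!heap.isLive(wrapper) || !proto.get()) return false;
    return heap.isLive(proto.get()->strongRefs.front());
}

int main() {
    std::printf("unsafe path loses prototype: %s\n", unsafePathLosesPrototype() ? "yes" : "no");
    std::printf("safe path keeps pair: %s\n", safePathKeepsPair() ? "yes" : "no");
    return 0;
}
```

The model deliberately runs a collection inside the allocating call so the window is hit every time; in a real engine it is hit only occasionally, which is why this class of bug shows up as a rare use-after-collect crash rather than a deterministic failure. The safe variant also shows why the constructor needs no separate pin: it is reachable from the rooted prototype.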
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/API/JSWrapperMap.mm (171563 => 171564)
--- trunk/Source/_javascript_Core/API/JSWrapperMap.mm 2014-07-25 00:57:39 UTC (rev 171563)
+++ trunk/Source/_javascript_Core/API/JSWrapperMap.mm 2014-07-25 00:59:10 UTC (rev 171564)
@@ -464,6 +464,11 @@
m_prototype = toJS(JSValueToObject(cContext, valueInternalValue(prototype), 0));
}
} else {
+ // We need to hold a reference to the superclass prototype here on the stack
+ // to that it won't get GC'ed while we do allocations between now and when we
+ // set it in this class' prototype below.
+ JSC::JSObject* superClassPrototype = superClassInfo->m_prototype.get();
+
const char* className = class_getName(m_class);
// Create or grab the prototype/constructor pair.
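Review bot: the added comment reads "to that it won't get GC'ed"; that should be "so that". On the substance, the local only protects the superclass prototype while it is still live in this frame, i.e. up to its use in the `JSObjectSetPrototype` call further down; it would be worth saying so in the comment, since anyone who later moves that use earlier (or reads `superClassInfo->m_prototype.get()` again instead of the local) silently reopens the window.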
@@ -493,13 +498,15 @@
});
// Set [Prototype].
- JSObjectSetPrototype([m_context JSGlobalContextRef], toRef(m_prototype.get()), toRef(superClassInfo->m_prototype.get()));
+ JSObjectSetPrototype([m_context JSGlobalContextRef], toRef(m_prototype.get()), toRef(superClassPrototype));
}
}
- (void)reallocateConstructorAndOrPrototype
{
[self allocateConstructorAndPrototypeWithSuperClassInfo:[m_context.wrapperMap classInfoForClass:class_getSuperclass(m_class)]];
+ // We should not add any code here that can trigger a GC or the prototype and
+ // constructor that we just created may be collected before they can be used.
}
- (JSValue *)wrapperForObject:(id)object
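Review bot: switching the `JSObjectSetPrototype` argument to `superClassPrototype` closes the visible read, but any other read of `superClassInfo->m_prototype` between the point where the local is taken and this call should go through the local as well; please check the elided lines of `allocateConstructorAndPrototypeWithSuperClassInfo:` for further `.get()` calls. The warning comment added at the end of `reallocateConstructorAndOrPrototype` is useful; naming the two callers that depend on it (`wrapperForObject:` and `constructor`) would make the constraint easier to find from either side.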
@@ -519,9 +526,12 @@
if (!m_prototype)
[self reallocateConstructorAndOrPrototype];
ASSERT(!!m_prototype);
+ // We need to hold a reference to the prototype here on the stack to that it won't
+ // get GC'ed while we create the wrapper below.
+ JSC::JSObject* prototype = m_prototype.get();
JSObjectRef wrapper = makeWrapper([m_context JSGlobalContextRef], m_classRef, object);
- JSObjectSetPrototype([m_context JSGlobalContextRef], wrapper, toRef(m_prototype.get()));
+ JSObjectSetPrototype([m_context JSGlobalContextRef], wrapper, toRef(prototype));
return [JSValue valueWithJSValueRef:wrapper inContext:m_context];
}
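Review bot: same typo as in the first hunk ("to that" for "so that"). Since the local is now the value that is actually used, consider asserting on it rather than on the member, e.g. `ASSERT(prototype);` after the copy, so the assertion checks the pointer handed to `JSObjectSetPrototype` and not just the weak member's state a few lines earlier.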
@@ -530,6 +540,9 @@
if (!m_constructor)
[self reallocateConstructorAndOrPrototype];
ASSERT(!!m_constructor);
+ // If we need to add any code here in the future that can trigger a GC, we should
+ // cache the constructor pointer in a stack local var first so that it is protected
+ // from the GC until it gets used below.
return [JSValue valueWithJSValueRef:toRef(m_constructor.get()) inContext:m_context];
}
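Review bot: rather than leaving a comment asking future editors to cache `m_constructor` in a local before adding GC-triggering code, it would be cheaper and safer to do the copy now, mirroring `wrapperForObject:` (e.g. `JSC::JSObject* constructor = m_constructor.get();` followed by the `ASSERT` and the `toRef(constructor)` call). That way the invariant is enforced by the code rather than by a comment that a later change can overlook.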
Modified: trunk/Source/_javascript_Core/ChangeLog (171563 => 171564)
--- trunk/Source/_javascript_Core/ChangeLog 2014-07-25 00:57:39 UTC (rev 171563)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-07-25 00:59:10 UTC (rev 171564)
@@ -1,3 +1,24 @@
+2014-07-24 Mark Lam <[email protected]>
+
+ JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
+ <https://webkit.org/b/135258>
+
+ Reviewed by Mark Hahnenberg.
+
+ Where needed, we cache the prototype object pointer in a stack local var.
+ This allows it to be scanned by the GC, and hence be kept alive until
+ we use it. The constructor object will in turn be kept alive by the
+ prototype object.
+
+ Also added some comments to warn against future code additions that could
+ regress this issue.
+
+ * API/JSWrapperMap.mm:
+ (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
+ (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
+ (-[JSObjCClassInfo wrapperForObject:]):
+ (-[JSObjCClassInfo constructor]):
+
2014-07-24 Joseph Pecoraro <[email protected]>
JSLock release should only modify the AtomicStringTable if it modified in acquire
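Review bot: the ChangeLog title refers to `jsWrapperForObject()`, while the function list below it (and the hunk) names `-[JSObjCClassInfo wrapperForObject:]`; aligning the title with the actual method name would help anyone searching the log for this fix.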
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes