Title: [171571] branches/safari-600.1-branch/Source/_javascript_Core
- Revision
- 171571
- Author
- [email protected]
- Date
- 2014-07-24 18:12:26 -0700 (Thu, 24 Jul 2014)
Log Message
Merged r171564. <rdar://problem/17757800>
Modified Paths
Diff
Modified: branches/safari-600.1-branch/Source/_javascript_Core/API/JSWrapperMap.mm (171570 => 171571)
--- branches/safari-600.1-branch/Source/_javascript_Core/API/JSWrapperMap.mm 2014-07-25 01:11:24 UTC (rev 171570)
+++ branches/safari-600.1-branch/Source/_javascript_Core/API/JSWrapperMap.mm 2014-07-25 01:12:26 UTC (rev 171571)
@@ -464,6 +464,11 @@
m_prototype = toJS(JSValueToObject(cContext, valueInternalValue(prototype), 0));
}
} else {
+ // We need to hold a reference to the superclass prototype here on the stack
+ // to that it won't get GC'ed while we do allocations between now and when we
+ // set it in this class' prototype below.
+ JSC::JSObject* superClassPrototype = superClassInfo->m_prototype.get();
+
const char* className = class_getName(m_class);
// Create or grab the prototype/constructor pair.
@@ -493,13 +498,15 @@
});
// Set [Prototype].
- JSObjectSetPrototype([m_context JSGlobalContextRef], toRef(m_prototype.get()), toRef(superClassInfo->m_prototype.get()));
+ JSObjectSetPrototype([m_context JSGlobalContextRef], toRef(m_prototype.get()), toRef(superClassPrototype));
}
}
- (void)reallocateConstructorAndOrPrototype
{
[self allocateConstructorAndPrototypeWithSuperClassInfo:[m_context.wrapperMap classInfoForClass:class_getSuperclass(m_class)]];
+ // We should not add any code here that can trigger a GC or the prototype and
+ // constructor that we just created may be collected before they can be used.
}
- (JSValue *)wrapperForObject:(id)object
@@ -519,9 +526,12 @@
if (!m_prototype)
[self reallocateConstructorAndOrPrototype];
ASSERT(!!m_prototype);
+ // We need to hold a reference to the prototype here on the stack to that it won't
+ // get GC'ed while we create the wrapper below.
+ JSC::JSObject* prototype = m_prototype.get();
JSObjectRef wrapper = makeWrapper([m_context JSGlobalContextRef], m_classRef, object);
- JSObjectSetPrototype([m_context JSGlobalContextRef], wrapper, toRef(m_prototype.get()));
+ JSObjectSetPrototype([m_context JSGlobalContextRef], wrapper, toRef(prototype));
return [JSValue valueWithJSValueRef:wrapper inContext:m_context];
}
@@ -530,6 +540,9 @@
if (!m_constructor)
[self reallocateConstructorAndOrPrototype];
ASSERT(!!m_constructor);
+ // If we need to add any code here in the future that can trigger a GC, we should
+ // cache the constructor pointer in a stack local var first so that it is protected
+ // from the GC until it gets used below.
return [JSValue valueWithJSValueRef:toRef(m_constructor.get()) inContext:m_context];
}
Modified: branches/safari-600.1-branch/Source/_javascript_Core/ChangeLog (171570 => 171571)
--- branches/safari-600.1-branch/Source/_javascript_Core/ChangeLog 2014-07-25 01:11:24 UTC (rev 171570)
+++ branches/safari-600.1-branch/Source/_javascript_Core/ChangeLog 2014-07-25 01:12:26 UTC (rev 171571)
@@ -1,5 +1,30 @@
2014-07-24 Lucas Forschler <[email protected]>
+ Merge r171564
+
+ 2014-07-24 Mark Lam <[email protected]>
+
+ JSWrapperMap's jsWrapperForObject() needs to keep weak prototype and constructors from being GCed.
+ <https://webkit.org/b/135258>
+
+ Reviewed by Mark Hahnenberg.
+
+ Where needed, we cache the prototype object pointer in a stack local var.
+ This allows it to be scanned by the GC, and hence be kept alive until
+ we use it. The constructor object will in turn be kept alive by the
+ prototype object.
+
+ Also added some comments to warn against future code additions that could
+ regress this issue.
+
+ * API/JSWrapperMap.mm:
+ (-[JSObjCClassInfo allocateConstructorAndPrototypeWithSuperClassInfo:]):
+ (-[JSObjCClassInfo reallocateConstructorAndOrPrototype]):
+ (-[JSObjCClassInfo wrapperForObject:]):
+ (-[JSObjCClassInfo constructor]):
+
+2014-07-24 Lucas Forschler <[email protected]>
+
Merge r171558
2014-07-24 Joseph Pecoraro <[email protected]>
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
