WebKit should be lazy-finalization-safe (esp. the DOM) v2
authorggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 26 May 2012 22:40:46 +0000 (22:40 +0000)
committerggaren@apple.com <ggaren@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 26 May 2012 22:40:46 +0000 (22:40 +0000)
commit7db72a0db74b7c25f9c1eda43d9184938a9371a6
tree0f1ebe79e19dd2574c2ff15bfef0b772652aa44e
parentd52ecea5b53d09bfd8605c9f54bcab206a6b59e3
WebKit should be lazy-finalization-safe (esp. the DOM) v2
https://bugs.webkit.org/show_bug.cgi?id=87581

Reviewed by Oliver Hunt.

../JavaScriptCore:

* heap/MarkedBlock.cpp:
(JSC::MarkedBlock::callDestructor):
* heap/WeakBlock.h:
* heap/WeakSetInlines.h:
(JSC::WeakBlock::finalize): Since we don't guarantee destruction order,
it's not valid to access GC pointers like the Structure pointer during
finalization. We NULL out the structure pointer in debug builds to try
to make this programming mistake more obvious.

* API/JSCallbackConstructor.cpp:
(JSC::JSCallbackConstructor::destroy):
* API/JSCallbackObject.cpp:
(JSC::::destroy):
(JSC::JSCallbackObjectData::finalize):
* runtime/Arguments.cpp:
(JSC::Arguments::destroy):
* runtime/DateInstance.cpp:
(JSC::DateInstance::destroy):
* runtime/Error.cpp:
(JSC::StrictModeTypeErrorFunction::destroy):
* runtime/Executable.cpp:
(JSC::ExecutableBase::destroy):
(JSC::NativeExecutable::destroy):
(JSC::ScriptExecutable::destroy):
(JSC::EvalExecutable::destroy):
(JSC::ProgramExecutable::destroy):
(JSC::FunctionExecutable::destroy):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::destroy):
* runtime/JSPropertyNameIterator.cpp:
(JSC::JSPropertyNameIterator::destroy):
* runtime/JSStaticScopeObject.cpp:
(JSC::JSStaticScopeObject::destroy):
* runtime/JSString.cpp:
(JSC::JSString::destroy):
* runtime/JSVariableObject.cpp:
(JSC::JSVariableObject::destroy):
* runtime/NameInstance.cpp:
(JSC::NameInstance::destroy):
* runtime/RegExp.cpp:
(JSC::RegExp::destroy):
* runtime/RegExpConstructor.cpp:
(JSC::RegExpConstructor::destroy):
* runtime/Structure.cpp:
(JSC::Structure::destroy):
* runtime/StructureChain.cpp:
(JSC::StructureChain::destroy): Use static_cast instead of jsCast because
jsCast does Structure-based validation, and our Structure is not guaranteed
to be alive when we get finalized.

../WebCore:

* bindings/js/JSDOMGlobalObject.cpp:
(WebCore::JSDOMGlobalObject::destroy):
* bindings/js/JSDOMWindowBase.cpp:
(WebCore::JSDOMWindowBase::destroy):
* bindings/js/JSDOMWindowShell.cpp:
(WebCore::JSDOMWindowShell::destroy):
* bindings/js/JSNodeCustom.cpp:
(WebCore::JSNodeOwner::finalize):
* bindings/js/JSWorkerContextBase.cpp:
(WebCore::JSWorkerContextBase::destroy):
* bindings/scripts/CodeGeneratorJS.pm:
(GenerateImplementation):
* bindings/scripts/test/JS/JSTestActiveDOMObject.cpp:
(WebCore::JSTestActiveDOMObject::destroy):
(WebCore::JSTestActiveDOMObjectOwner::finalize):
* bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp:
(WebCore::JSTestCustomNamedGetter::destroy):
(WebCore::JSTestCustomNamedGetterOwner::finalize):
* bindings/scripts/test/JS/JSTestEventConstructor.cpp:
(WebCore::JSTestEventConstructor::destroy):
(WebCore::JSTestEventConstructorOwner::finalize):
* bindings/scripts/test/JS/JSTestEventTarget.cpp:
(WebCore::JSTestEventTarget::destroy):
(WebCore::JSTestEventTargetOwner::finalize):
* bindings/scripts/test/JS/JSTestException.cpp:
(WebCore::JSTestException::destroy):
(WebCore::JSTestExceptionOwner::finalize):
* bindings/scripts/test/JS/JSTestInterface.cpp:
(WebCore::JSTestInterface::destroy):
(WebCore::JSTestInterfaceOwner::finalize):
* bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp:
(WebCore::JSTestMediaQueryListListener::destroy):
(WebCore::JSTestMediaQueryListListenerOwner::finalize):
* bindings/scripts/test/JS/JSTestNamedConstructor.cpp:
(WebCore::JSTestNamedConstructor::destroy):
(WebCore::JSTestNamedConstructorOwner::finalize):
* bindings/scripts/test/JS/JSTestObj.cpp:
(WebCore::JSTestObj::destroy):
(WebCore::JSTestObjOwner::finalize):
* bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp:
(WebCore::JSTestSerializedScriptValueInterface::destroy):
(WebCore::JSTestSerializedScriptValueInterfaceOwner::finalize):
* bridge/objc/objc_runtime.mm:
(JSC::Bindings::ObjcFallbackObjectImp::destroy):
* bridge/qt/qt_runtime.cpp:
(JSC::Bindings::QtRuntimeMethod::destroy):
* bridge/qt/qt_runtime_qt4.cpp:
(JSC::Bindings::QtRuntimeMethod::destroy):
* bridge/runtime_array.cpp:
(JSC::RuntimeArray::destroy):
* bridge/runtime_method.cpp:
(JSC::RuntimeMethod::destroy):
* bridge/runtime_object.cpp:
(JSC::Bindings::RuntimeObject::destroy):
* bridge/runtime_root.cpp:
(JSC::Bindings::RootObject::finalize): Use static_cast instead of jsCast because
jsCast does Structure-based validation, and our Structure is not guaranteed
to be alive when we get finalized.

../WebKit2:

* WebProcess/Plugins/Netscape/JSNPObject.cpp:
(WebKit::JSNPObject::destroy):
(WebKit::JSNPObject::leakNPObject):
* WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp:
(WebKit::NPRuntimeObjectMap::finalize): Use static_cast instead of jsCast because
jsCast does Structure-based validation, and our Structure is not guaranteed
to be alive when we get finalized.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@118616 268f45cc-cd09-0410-ab3c-d52691b4dbfc
47 files changed:
Source/JavaScriptCore/API/JSCallbackConstructor.cpp
Source/JavaScriptCore/API/JSCallbackObject.cpp
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/heap/MarkedBlock.cpp
Source/JavaScriptCore/heap/WeakBlock.h
Source/JavaScriptCore/heap/WeakSetInlines.h
Source/JavaScriptCore/runtime/Arguments.cpp
Source/JavaScriptCore/runtime/DateInstance.cpp
Source/JavaScriptCore/runtime/Error.cpp
Source/JavaScriptCore/runtime/Executable.cpp
Source/JavaScriptCore/runtime/JSGlobalObject.cpp
Source/JavaScriptCore/runtime/JSPropertyNameIterator.cpp
Source/JavaScriptCore/runtime/JSStaticScopeObject.cpp
Source/JavaScriptCore/runtime/JSString.cpp
Source/JavaScriptCore/runtime/JSVariableObject.cpp
Source/JavaScriptCore/runtime/NameInstance.cpp
Source/JavaScriptCore/runtime/RegExp.cpp
Source/JavaScriptCore/runtime/RegExpConstructor.cpp
Source/JavaScriptCore/runtime/Structure.cpp
Source/JavaScriptCore/runtime/StructureChain.cpp
Source/WebCore/ChangeLog
Source/WebCore/bindings/js/JSDOMGlobalObject.cpp
Source/WebCore/bindings/js/JSDOMWindowBase.cpp
Source/WebCore/bindings/js/JSDOMWindowShell.cpp
Source/WebCore/bindings/js/JSNodeCustom.cpp
Source/WebCore/bindings/js/JSWorkerContextBase.cpp
Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp
Source/WebCore/bindings/scripts/test/JS/JSTestCustomNamedGetter.cpp
Source/WebCore/bindings/scripts/test/JS/JSTestEventConstructor.cpp
Source/WebCore/bindings/scripts/test/JS/JSTestEventTarget.cpp
Source/WebCore/bindings/scripts/test/JS/JSTestException.cpp
Source/WebCore/bindings/scripts/test/JS/JSTestInterface.cpp
Source/WebCore/bindings/scripts/test/JS/JSTestMediaQueryListListener.cpp
Source/WebCore/bindings/scripts/test/JS/JSTestNamedConstructor.cpp
Source/WebCore/bindings/scripts/test/JS/JSTestObj.cpp
Source/WebCore/bindings/scripts/test/JS/JSTestSerializedScriptValueInterface.cpp
Source/WebCore/bridge/objc/objc_runtime.mm
Source/WebCore/bridge/qt/qt_runtime.cpp
Source/WebCore/bridge/qt/qt_runtime_qt4.cpp
Source/WebCore/bridge/runtime_array.cpp
Source/WebCore/bridge/runtime_method.cpp
Source/WebCore/bridge/runtime_object.cpp
Source/WebCore/bridge/runtime_root.cpp
Source/WebKit2/ChangeLog
Source/WebKit2/WebProcess/Plugins/Netscape/JSNPObject.cpp
Source/WebKit2/WebProcess/Plugins/Netscape/NPRuntimeObjectMap.cpp