2011-05-18 Oliver Hunt <oliver@apple.com>
author    oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 18 May 2011 20:41:54 +0000 (20:41 +0000)
committer oliver@apple.com <oliver@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
          Wed, 18 May 2011 20:41:54 +0000 (20:41 +0000)
commit    b3b5302b9fe74b8e4733d7539447afaa6ea89cf7
tree      b48ab0b95d2b9b437f226796b39dfd091e3bc1df
parent    8910812a6fba89ec94b8f5d6a5dc83e8057d4325
2011-05-18  Oliver Hunt  <oliver@apple.com>

        Reviewed by Sam Weinig.

        JSGlobalObject and some others do GC allocation during initialization, which can cause heap corruption
        https://bugs.webkit.org/show_bug.cgi?id=61090

        Remove the Structure-free JSGlobalObject constructor and instead always
        pass the structure into the JSGlobalObject constructor.
        Stop DebuggerActivation creating a new structure every time, and simply
        use a single shared structure held by the GlobalData.

        * API/JSContextRef.cpp:
        * debugger/DebuggerActivation.cpp:
        (JSC::DebuggerActivation::DebuggerActivation):
        * jsc.cpp:
        (GlobalObject::GlobalObject):
        (functionRun):
        (jscmain):
        * runtime/JSGlobalData.cpp:
        (JSC::JSGlobalData::JSGlobalData):
        (JSC::JSGlobalData::clearBuiltinStructures):
        * runtime/JSGlobalData.h:
        * runtime/JSGlobalObject.h:
2011-05-18  Oliver Hunt  <oliver@apple.com>

        Reviewed by Sam Weinig.

        JSGlobalObject and some others do GC allocation during initialization, which can cause heap corruption
        https://bugs.webkit.org/show_bug.cgi?id=61090

        Rather than having Constructor objects create their structure
        as part of initialisation, we now pass their expected structure
        in as an argument.  This required fixing the few custom Constructors
        and the code generator.

        * bindings/js/JSAudioConstructor.cpp:
        (WebCore::JSAudioConstructor::JSAudioConstructor):
        * bindings/js/JSAudioConstructor.h:
        * bindings/js/JSDOMGlobalObject.h:
        (WebCore::getDOMConstructor):
          Pass the Constructor object's structure in as an argument
        * bindings/js/JSImageConstructor.cpp:
        (WebCore::JSImageConstructor::JSImageConstructor):
        * bindings/js/JSImageConstructor.h:
        * bindings/js/JSOptionConstructor.cpp:
        (WebCore::JSOptionConstructor::JSOptionConstructor):
        * bindings/js/JSOptionConstructor.h:
        * bindings/scripts/CodeGeneratorJS.pm:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@86785 268f45cc-cd09-0410-ab3c-d52691b4dbfc
16 files changed:
Source/JavaScriptCore/API/JSContextRef.cpp
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/debugger/DebuggerActivation.cpp
Source/JavaScriptCore/jsc.cpp
Source/JavaScriptCore/runtime/JSGlobalData.cpp
Source/JavaScriptCore/runtime/JSGlobalData.h
Source/JavaScriptCore/runtime/JSGlobalObject.h
Source/WebCore/ChangeLog
Source/WebCore/bindings/js/JSAudioConstructor.cpp
Source/WebCore/bindings/js/JSAudioConstructor.h
Source/WebCore/bindings/js/JSDOMGlobalObject.h
Source/WebCore/bindings/js/JSImageConstructor.cpp
Source/WebCore/bindings/js/JSImageConstructor.h
Source/WebCore/bindings/js/JSOptionConstructor.cpp
Source/WebCore/bindings/js/JSOptionConstructor.h
Source/WebCore/bindings/scripts/CodeGeneratorJS.pm
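The hazard both ChangeLog entries describe is an ordering one: a cell becomes visible to the collector as soon as its storage is handed out, so any allocation made from inside its constructor is a safepoint at which the collector can scan a half-initialised cell. The following is an added example, not code from WebKit or from this commit; `Heap`, `Structure`, `CellHeader`, `GlobalObjectBefore`, `GlobalObjectAfter`, `demoBefore` and `demoAfter` are toy names chosen here, and the collector is reduced to "scan every cell's header word on every allocation" so the window is deterministic rather than dependent on heap pressure. It shows the pre-fix pattern (the cell allocates its own Structure in its constructor) beside the pattern the commit moves to (the Structure is created first and passed in, and one shared Structure serves several cells).

```cpp
// Added example (not WebKit code): a toy collector that shows why allocating
// during a cell's constructor is a heap-corruption hazard and how passing the
// Structure in as a constructor argument removes the window.
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <new>
#include <vector>

struct Structure { int id; };            // stand-in for a JSC-style Structure

// What the collector knows about every cell: its first word is a Structure*.
struct CellHeader { Structure* structure; };

class Heap {
public:
    Heap() = default;
    Heap(const Heap&) = delete;
    Heap& operator=(const Heap&) = delete;
    ~Heap() {
        for (void* storage : m_cells) ::operator delete(storage);
        for (Structure* s : m_structures) delete s;
    }

    // Hand out raw storage for a cell. Every allocation is treated as a GC
    // safepoint (real collectors collect only under pressure; collecting on
    // every allocation makes the hazard deterministic). The cell is
    // registered, and so scanned by later collections, before its
    // constructor has run.
    void* allocateCell(std::size_t bytes) {
        collect();
        void* storage = ::operator new(bytes);
        std::memset(storage, 0xAB, bytes);   // fresh memory holds garbage
        m_cells.push_back(storage);
        return storage;
    }

    // Allocating a Structure is itself a safepoint: this is the allocation
    // the buggy constructor performs while its own header is still garbage.
    Structure* allocateStructure(int id) {
        collect();
        Structure* s = new Structure{id};
        m_structures.push_back(s);
        return s;
    }

    // Scan every registered cell. A header word that is not a Structure this
    // heap owns is counted as corruption; a real collector would follow the
    // garbage pointer and mark or overwrite whatever it happens to point at.
    void collect() {
        for (void* storage : m_cells) {
            Structure* s;
            std::memcpy(&s, storage, sizeof s);  // read the header word
            if (!owns(s))
                ++m_badHeadersSeen;
        }
    }

    int badHeadersSeen() const { return m_badHeadersSeen; }

private:
    bool owns(Structure* s) const {
        for (Structure* p : m_structures)
            if (p == s) return true;
        return false;
    }
    std::vector<void*> m_cells;
    std::vector<Structure*> m_structures;
    int m_badHeadersSeen = 0;
};

// Before the fix: the cell creates its own Structure inside its constructor.
struct GlobalObjectBefore : CellHeader {
    explicit GlobalObjectBefore(Heap& heap) {
        // `structure` is still the 0xAB.. garbage and the cell is already
        // visible to the collector, so the collection triggered here reads it.
        structure = heap.allocateStructure(1);
    }
};

// After the fix: the caller allocates the Structure first and passes it in,
// so the header is valid from the first instruction of the constructor.
struct GlobalObjectAfter : CellHeader {
    explicit GlobalObjectAfter(Structure* s) : CellHeader{s} {}
};

// Returns the number of garbage headers the collector observed: 1.
int demoBefore() {
    Heap heap;
    void* storage = heap.allocateCell(sizeof(GlobalObjectBefore));
    new (storage) GlobalObjectBefore(heap);
    heap.collect();
    return heap.badHeadersSeen();
}

// Same sequence with the Structure created up front and shared by two cells
// (the shared-structure arrangement the commit adopts for DebuggerActivation): 0.
int demoAfter() {
    Heap heap;
    Structure* shared = heap.allocateStructure(1);   // no cell exists yet
    for (int i = 0; i < 2; ++i) {
        void* storage = heap.allocateCell(sizeof(GlobalObjectAfter));
        new (storage) GlobalObjectAfter(shared);
    }
    heap.collect();
    return heap.badHeadersSeen();
}

int main() {
    std::printf("before: %d garbage header(s) seen\n", demoBefore());
    std::printf("after:  %d garbage header(s) seen\n", demoAfter());
    return 0;
}
```

The toy counts a bad header instead of dereferencing it; in a real collector the garbage word would be treated as a pointer and marked through, which is the heap corruption the bug title refers to. The property to check when reviewing a constructor in a collected heap is the one `GlobalObjectAfter` has: no allocation, and therefore no possible collection, between the moment the cell becomes visible to the collector and the moment every field the collector reads is valid.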