https://bugs.webkit.org/show_bug.cgi?id=66001
Reviewed by Gavin Barraclough.
../../../../Volumes/Data/git/WebKit/OpenSource/Source/JavaScriptCore:
* heap/HandleHeap.cpp:
(JSC::HandleHeap::visitStrongHandles):
(JSC::HandleHeap::visitWeakHandles):
(JSC::HandleHeap::finalizeWeakHandles):
(JSC::HandleHeap::writeBarrier):
(JSC::HandleHeap::isLiveNode):
(JSC::HandleHeap::isValidWeakNode):
Increase handle heap validation logic, and make some of
the crashes trigger in release builds as well as debug.
* heap/HandleHeap.h:
(JSC::HandleHeap::allocate):
(JSC::HandleHeap::makeWeak):
Ditto
* runtime/JSGlobalData.cpp:
(WTF::Recompiler::operator()):
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::visitChildren):
Fix GC bugs found while testing this patch
../../../../Volumes/Data/git/WebKit/OpenSource/Source/WebCore:
Fix GC bugs found while testing increased validation logic
* bindings/js/JSDOMWindowShell.cpp:
(WebCore::JSDOMWindowShell::JSDOMWindowShell):
* bindings/js/JSDOMWindowShell.h:
* bindings/js/ScriptController.cpp:
(WebCore::ScriptController::createWindowShell):
* bridge/objc/ObjCRuntimeObject.h:
(JSC::Bindings::ObjCRuntimeObject::create):
* bridge/objc/ObjCRuntimeObject.mm:
(JSC::Bindings::ObjCRuntimeObject::ObjCRuntimeObject):
* bridge/objc/objc_instance.mm:
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@92788
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
2011-08-10 Oliver Hunt <oliver@apple.com>
+ Make GC checks more aggressive in release builds
+ https://bugs.webkit.org/show_bug.cgi?id=66001
+
+ Reviewed by Gavin Barraclough.
+
+ * heap/HandleHeap.cpp:
+ (JSC::HandleHeap::visitStrongHandles):
+ (JSC::HandleHeap::visitWeakHandles):
+ (JSC::HandleHeap::finalizeWeakHandles):
+ (JSC::HandleHeap::writeBarrier):
+ (JSC::HandleHeap::isLiveNode):
+ (JSC::HandleHeap::isValidWeakNode):
+ Increase handle heap validation logic, and make some of
+ the crashes trigger in release builds as well as debug.
+ * heap/HandleHeap.h:
+ (JSC::HandleHeap::allocate):
+ (JSC::HandleHeap::makeWeak):
+ Ditto
+ * runtime/JSGlobalData.cpp:
+ (WTF::Recompiler::operator()):
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::visitChildren):
+ Fix GC bugs found while testing this patch
+
+2011-08-10 Oliver Hunt <oliver@apple.com>
+
JSEvaluteScript does not return the correct object when given JSONP data
https://bugs.webkit.org/show_bug.cgi?id=66003
void HandleHeap::visitStrongHandles(HeapRootVisitor& heapRootVisitor)
{
Node* end = m_strongList.end();
- for (Node* node = m_strongList.begin(); node != end; node = node->next())
+ for (Node* node = m_strongList.begin(); node != end; node = node->next()) {
+#if ENABLE(GC_VALIDATION)
+ if (!isLiveNode(node))
+ CRASH();
+#endif
heapRootVisitor.visit(node->slot());
+ }
}
void HandleHeap::visitWeakHandles(HeapRootVisitor& heapRootVisitor)
Node* end = m_weakList.end();
for (Node* node = m_weakList.begin(); node != end; node = node->next()) {
- ASSERT(isValidWeakNode(node));
+#if ENABLE(GC_VALIDATION)
+ if (!isValidWeakNode(node))
+ CRASH();
+#endif
JSCell* cell = node->slot()->asCell();
if (Heap::isMarked(cell))
continue;
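Review bot: Replacing `ASSERT(isValidWeakNode(node))` with a block guarded only by `ENABLE(GC_VALIDATION)` means a debug build with GC_VALIDATION off no longer checks weak nodes at all, which is a step back from the previous behaviour rather than the intended step forward. Since `isValidWeakNode` is still declared for `!ASSERT_DISABLED` builds (the header guard is `ENABLE(GC_VALIDATION) || !ASSERT_DISABLED`), an `#else` branch keeps the old check: `#else` / `ASSERT(isValidWeakNode(node));` before the `#endif`. visitWeakHandles continues past the end of this hunk.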
Node* end = m_weakList.end();
for (Node* node = m_weakList.begin(); node != end; node = m_nextToFinalize) {
m_nextToFinalize = node->next();
+#if ENABLE(GC_VALIDATION)
+ if (!isValidWeakNode(node))
+ CRASH();
+#endif
- ASSERT(isValidWeakNode(node));
JSCell* cell = node->slot()->asCell();
if (Heap::isMarked(cell))
continue;
if (m_nextToFinalize != node->next()) // Owner deallocated node.
continue;
}
-
+#if ENABLE(GC_VALIDATION)
+ if (!isLiveNode(node))
+ CRASH();
+#endif
*node->slot() = JSValue();
SentinelLinkedList<Node>::remove(node);
m_immediateList.push(node);
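Review bot: The `if (!isValidWeakNode(node)) CRASH();` check in the finalize loop runs after `m_nextToFinalize = node->next();`, so the `next` pointer of a node that is about to be rejected has already been stored in `m_nextToFinalize`; placing the check on the line above that assignment costs nothing and means the field never holds a value read from a node the validation rejects. The removed `ASSERT(isValidWeakNode(node))` also leaves debug builds without GC_VALIDATION unchecked here, exactly as in visitWeakHandles, and an `#else ASSERT(isValidWeakNode(node));` branch would preserve it. finalizeWeakHandles begins before this hunk, so the owner-finalization code between the two checks is not visible here.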
void HandleHeap::writeBarrier(HandleSlot slot, const JSValue& value)
{
- ASSERT(!m_nextToFinalize); // Forbid assignment to handles during the finalization phase, since it would violate many GC invariants.
+ // Forbid assignment to handles during the finalization phase, since it would violate many GC invariants.
+ // File a bug with stack trace if you hit this.
+ if (m_nextToFinalize)
+ CRASH();
if (!value == !*slot && slot->isCell() == value.isCell())
return;
Node* node = toNode(slot);
+#if ENABLE(GC_VALIDATION)
+ if (!isLiveNode(node))
+ CRASH();
+#endif
SentinelLinkedList<Node>::remove(node);
if (!value || !value.isCell()) {
m_immediateList.push(node);
if (node->isWeak()) {
m_weakList.push(node);
+#if ENABLE(GC_VALIDATION)
+ if (!isLiveNode(node))
+ CRASH();
+#endif
return;
}
m_strongList.push(node);
+#if ENABLE(GC_VALIDATION)
+ if (!isLiveNode(node))
+ CRASH();
+#endif
}
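Review bot: The `isLiveNode` check placed before `SentinelLinkedList<Node>::remove(node)` is the one that actually protects memory, and it deserves a comment saying so, since the two checks after `push` only re-validate what push just wrote. I would add above it: `// remove() writes through node->prev() and node->next(); a node whose neighbours do not point back at it is not validly linked, so bail out before touching them.` The post-push checks could then be dropped or reduced to a single check after the final push, which is a matter of taste. The middle of writeBarrier (the weak-node handling between the two `push` calls) is elided in this hunk.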
unsigned HandleHeap::protectedGlobalObjectCount()
return count;
}
-#if !ASSERT_DISABLED
+#if ENABLE(GC_VALIDATION) || !ASSERT_DISABLED
+bool HandleHeap::isLiveNode(Node* node)
+{
+ if (node->prev()->next() != node)
+ return false;
+ if (node->next()->prev() != node)
+ return false;
+
+ return true;
+}
+
bool HandleHeap::isValidWeakNode(Node* node)
{
+ if (!isLiveNode(node))
+ return false;
if (!node->isWeak())
return false;
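Review bot: `isLiveNode` dereferences `node->prev()` and `node->next()` before testing anything, so a node whose links are null (one that was never linked, if Node starts with null links — Node's constructor is not visible here) faults inside the validation helper rather than reaching the `CRASH()` at the call site, and the resulting report points at the checker instead of the caller. A guard at the top, `if (!node->prev() || !node->next()) return false;`, keeps every failure on the intended path. isValidWeakNode continues past the end of this hunk.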
void grow();
-#if !ASSERT_DISABLED
+#if ENABLE(GC_VALIDATION) || !ASSERT_DISABLED
bool isValidWeakNode(Node*);
+ bool isLiveNode(Node*);
#endif
JSGlobalData* m_globalData;
inline HandleSlot HandleHeap::allocate()
{
+ // Forbid assignment to handles during the finalization phase, since it would violate many GC invariants.
+ // File a bug with stack trace if you hit this.
+ if (m_nextToFinalize)
+ CRASH();
if (m_freeList.isEmpty())
grow();
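Review bot: The comment added to `allocate()` says `Forbid assignment to handles during the finalization phase`, but this function allocates a handle rather than assigning one; the wording was copied from writeBarrier. I would change it to `// Forbid allocating handles during the finalization phase, since it would violate many GC invariants.` so a reader hitting the CRASH() understands which operation is being rejected. allocate() continues past the end of this hunk.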
inline void HandleHeap::makeWeak(HandleSlot handle, WeakHandleOwner* weakOwner, void* context)
{
+ // Forbid assignment to handles during the finalization phase, since it would violate many GC invariants.
+ // File a bug with stack trace if you hit this.
+ if (m_nextToFinalize)
+ CRASH();
Node* node = toNode(handle);
node->makeWeak(weakOwner, context);
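Review bot: As in allocate(), the comment above the new CRASH() in `makeWeak` describes "assignment to handles", which is not what this function does; `// Forbid making a handle weak during the finalization phase, since it would violate many GC invariants.` matches the operation. The rest of makeWeak is outside this hunk.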
if (!cell->inherits(&JSFunction::s_info))
return;
JSFunction* function = asFunction(cell);
- if (function->executable()->isHostFunction())
+ if (!function->executable() || function->executable()->isHostFunction())
return;
function->jsExecutable()->discardCode();
}
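Review bot: The new `!function->executable()` guard deserves a one-line comment on why a JSFunction can have no executable when the recompiler visits it, because as written the condition reads like a routine null check rather than a GC-state case. Something like `// A JSFunction can be reached before its executable has been set; there is nothing to discard then. TODO: confirm which construction path produces this.` would do; this hunk does not show which site creates such functions, so the reason should be confirmed rather than asserted. Recompiler::operator() begins before this hunk.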
visitIfNeeded(visitor, &m_nullPrototypeObjectStructure);
visitIfNeeded(visitor, &m_errorStructure);
visitIfNeeded(visitor, &m_functionStructure);
+ visitIfNeeded(visitor, &m_namedFunctionStructure);
visitIfNeeded(visitor, &m_numberObjectStructure);
visitIfNeeded(visitor, &m_regExpMatchesArrayStructure);
visitIfNeeded(visitor, &m_regExpStructure);
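Review bot: `m_namedFunctionStructure` was missing from visitChildren, and nothing here prevents the next Structure member added to JSGlobalObject from being forgotten the same way. A comment tying this list to the declarations would help, e.g. `// Every Structure member of JSGlobalObject must be visited here; keep in sync with the member list in JSGlobalObject.h.` The visitChildren body extends beyond this hunk in both directions.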
+2011-08-10 Oliver Hunt <oliver@apple.com>
+
+ Make GC checks more aggressive in release builds
+ https://bugs.webkit.org/show_bug.cgi?id=66001
+
+ Reviewed by Gavin Barraclough.
+
+ Fix GC bugs found while testing increased validation logic
+
+ * bindings/js/JSDOMWindowShell.cpp:
+ (WebCore::JSDOMWindowShell::JSDOMWindowShell):
+ * bindings/js/JSDOMWindowShell.h:
+ * bindings/js/ScriptController.cpp:
+ (WebCore::ScriptController::createWindowShell):
+ * bridge/objc/ObjCRuntimeObject.h:
+ (JSC::Bindings::ObjCRuntimeObject::create):
+ * bridge/objc/ObjCRuntimeObject.mm:
+ (JSC::Bindings::ObjCRuntimeObject::ObjCRuntimeObject):
+ * bridge/objc/objc_instance.mm:
+
2011-08-10 Ben Wells <benwells@chromium.org>
[skia] Move calls to makeGrContextCurrent into clipPathAntiAliased from callers
const ClassInfo JSDOMWindowShell::s_info = { "JSDOMWindowShell", &Base::s_info, 0, 0 };
-JSDOMWindowShell::JSDOMWindowShell(PassRefPtr<DOMWindow> window, DOMWrapperWorld* world)
- : Base(*world->globalData(), JSDOMWindowShell::createStructure(*world->globalData(), jsNull()))
+JSDOMWindowShell::JSDOMWindowShell(PassRefPtr<DOMWindow> window, Structure* structure, DOMWrapperWorld* world)
+ : Base(*world->globalData(), structure)
, m_world(world)
{
ASSERT(inherits(&s_info));
class JSDOMWindowShell : public JSC::JSNonFinalObject {
typedef JSC::JSNonFinalObject Base;
public:
- JSDOMWindowShell(PassRefPtr<DOMWindow>, DOMWrapperWorld* world);
+ JSDOMWindowShell(PassRefPtr<DOMWindow>, JSC::Structure*, DOMWrapperWorld*);
virtual ~JSDOMWindowShell();
JSDOMWindow* window() const { return m_window.get(); }
JSDOMWindowShell* ScriptController::createWindowShell(DOMWrapperWorld* world)
{
ASSERT(!m_windowShells.contains(world));
- Strong<JSDOMWindowShell> windowShell(*world->globalData(), new JSDOMWindowShell(m_frame->domWindow(), world));
+ Structure* structure = JSDOMWindowShell::createStructure(*world->globalData(), jsNull());
+ Strong<JSDOMWindowShell> windowShell(*world->globalData(), new JSDOMWindowShell(m_frame->domWindow(), structure, world));
Strong<JSDOMWindowShell> windowShell2(windowShell);
m_windowShells.add(world, windowShell);
world->didCreateWindowShell(this);
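Review bot: The reason for creating the Structure in `createWindowShell` instead of inside the JSDOMWindowShell constructor is not recorded anywhere in the change, so a future cleanup could move it straight back. A comment on the new `Structure* structure = ...` line would prevent that, e.g. `// Create the Structure before allocating the shell so its allocation cannot run while the shell cell is under construction (bug 66001).`; the exact GC hazard is not visible in this hunk, so the wording should be checked against the bug. Holding `structure` only on the stack across `new JSDOMWindowShell(...)` presumably relies on conservative stack scanning to keep it alive — worth confirming in the same comment.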
static ObjCRuntimeObject* create(ExecState* exec, JSGlobalObject* globalObject, PassRefPtr<ObjcInstance> inst)
{
- return new (allocateCell<ObjCRuntimeObject>(*exec->heap())) ObjCRuntimeObject(exec, globalObject, inst);
+ Structure* structure = WebCore::deprecatedGetDOMStructure<ObjCRuntimeObject>(exec);
+ return new (allocateCell<ObjCRuntimeObject>(*exec->heap())) ObjCRuntimeObject(exec, globalObject, inst, structure);
}
virtual ~ObjCRuntimeObject();
}
private:
- ObjCRuntimeObject(ExecState*, JSGlobalObject*, PassRefPtr<ObjcInstance>);
+ ObjCRuntimeObject(ExecState*, JSGlobalObject*, PassRefPtr<ObjcInstance>, Structure*);
};
}
const ClassInfo ObjCRuntimeObject::s_info = { "ObjCRuntimeObject", &RuntimeObject::s_info, 0, 0 };
-ObjCRuntimeObject::ObjCRuntimeObject(ExecState* exec, JSGlobalObject* globalObject, PassRefPtr<ObjcInstance> instance)
+ObjCRuntimeObject::ObjCRuntimeObject(ExecState* exec, JSGlobalObject* globalObject, PassRefPtr<ObjcInstance> instance, Structure* structure)
// FIXME: deprecatedGetDOMStructure uses the prototype off of the wrong global object
// We need to pass in the right global object for "i".
- : RuntimeObject(exec, globalObject, WebCore::deprecatedGetDOMStructure<ObjCRuntimeObject>(exec), instance)
+ : RuntimeObject(exec, globalObject, structure, instance)
{
ASSERT(inherits(&s_info));
}
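Review bot: The FIXME about `deprecatedGetDOMStructure` using the prototype of the wrong global object is left above the constructor, but that call now lives in `ObjCRuntimeObject::create` in ObjCRuntimeObject.h; the constructor no longer calls it, so the FIXME now annotates a line that no longer exists. Move the two FIXME lines to ObjCRuntimeObject.h directly above `Structure* structure = WebCore::deprecatedGetDOMStructure<ObjCRuntimeObject>(exec);` so the note stays next to the code it describes.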
#import "objc_instance.h"
#import "runtime_method.h"
+#import <runtime/ObjectPrototype.h>
#import "JSDOMBinding.h"
#import "ObjCRuntimeObject.h"
#import "WebScriptObject.h"